DC-9
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine DC-9 from the VulnHub pentesting platform.
- DC-9 can be downloaded from here:
https://www.vulnhub.com/entry/dc-9,412/
- Once DC-9 has been downloaded and imported into VirtualBox:
2 - ENUMERATION
- IP for DC-9 is 192.168.1.14:
- Scanning with Nmap, port 22 is filtered and port 80 is open:
- Checking the web server:
- Going to Manage:
3 - EXPLOITATION
- Let's explore the Search form, intercepting the request with Burp and saving it:
- Forms are prone to injection attacks, so let's feed the saved request to Sqlmap to find a vulnerable injection point:
- Listing databases, we find Staff and users:
- Dumping everything from Staff, we find usernames and passwords:
- Same thing for the users database:
- Cracking admin's password hash:
- Logging in as admin:transorbital1:
- The footer message "File does not exist" suggests that the include function is being used, so there may be an LFI vulnerability:
- Remembering that the SSH service is filtered (see the Nmap output) and browsing some configuration files, we find /etc/knockd.conf, which contains a port-knocking sequence for SSH:
- Using the knock command to open access to the SSH service:
- Hydra helps find valid SSH accounts:
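Why the Search form was injectable, and what the fix looks like, as an added example that is not part of the original writeup or of the DC-9 application (the real site is PHP; this is a Python/sqlite3 illustration with a constructed Staff table, so the column names and rows are invented):

```python
import sqlite3

# Constructed sample data standing in for the Staff table of the exercise;
# names and departments are invented for this example.
SAMPLE_STAFF = [
    ("alice", "Sales"),
    ("bob", "Engineering"),
    ("carol", "Engineering"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Staff (name TEXT, department TEXT)")
    conn.executemany("INSERT INTO Staff VALUES (?, ?)", SAMPLE_STAFF)
    return conn


def search_vulnerable(conn, term):
    """Builds the statement with string formatting, so the search term is
    parsed as SQL syntax; a quote in the input changes the WHERE clause."""
    query = f"SELECT name FROM Staff WHERE name = '{term}'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, term):
    """Binds the search term as a parameter, so it can only ever be compared
    as a value, never interpreted as part of the statement."""
    query = "SELECT name FROM Staff WHERE name = ?"
    return [row[0] for row in conn.execute(query, (term,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    # The vulnerable query returns every row; the safe one matches nothing.
    print("vulnerable:", search_vulnerable(conn, probe))
    print("safe:      ", search_safe(conn, probe))
```

The difference Sqlmap detects is exactly the one between these two functions: in the first, the single quote closes the literal and the rest of the input becomes a condition that is always true; in the second, the same input is just a name nobody has.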
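How an include that trusts its parameter escapes the web root, next to a hardened resolver, as an added example that is not code from the writeup or from the DC-9 site (the web root, allow-listed page names and the `resolve_include_*` functions are assumptions for this illustration):

```python
import posixpath

# Constructed web root and page list for this example; not paths from the exercise.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"home.php", "about.php", "manage.php"}


def resolve_include_vulnerable(requested):
    """Mirrors an include() that joins the request parameter onto the web root
    with no checks: '..' segments walk the resulting path out of WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def resolve_include_safe(requested):
    """Accepts only names from a fixed allow-list, then confirms the normalized
    path is still under WEB_ROOT as defence in depth. Returns None on failure."""
    if requested not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(WEB_ROOT, requested))
    if posixpath.commonpath([WEB_ROOT, path]) != WEB_ROOT:
        return None
    return path


def escapes_web_root(requested):
    """True when the unchecked resolution would read outside the web root;
    useful for testing a parameter value without touching the filesystem."""
    path = resolve_include_vulnerable(requested)
    return posixpath.commonpath([WEB_ROOT, path]) != WEB_ROOT


if __name__ == "__main__":
    for value in ("about.php", "../../../etc/knockd.conf"):
        print(value, "->", resolve_include_vulnerable(value),
              "| safe:", resolve_include_safe(value),
              "| escapes root:", escapes_web_root(value))
```

The "File does not exist" footer is the symptom of the first function: the application tries to open whatever path the parameter resolves to and only reports when that fails. The allow-list in the second function is the fix; the `commonpath` check catches a future edit that reintroduces path joining.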
- SSH-ing with janitor:Ilovepeepee:
- Looking for interesting files:
- New credentials:
- Again, Hydra helps find new SSH accounts:
- SSH-ing with fredf:B4-Tru3-001:
4 - PRIVILEGE ESCALATION
- Checking fredf's sudoers permissions:
- test is an executable file:
- test takes two files as parameters, appending the content of the first to the second:
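A small sudoers audit that flags the kind of rule fredf has (a custom binary outside the standard system directories, runnable as root without a password), as an added example that is not from the writeup; the sudoers text below is constructed, and the path /opt/tools/test and the other users in it are invented stand-ins, not the exercise's real values:

```python
import re

# Constructed sudoers content for this example. The fredf line mirrors the
# shape of the rule found in the exercise; the path and other users are invented.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
fredf   ALL=(root) NOPASSWD: /opt/tools/test
janitor ALL=(root) NOPASSWD: /usr/bin/less
"""

# Directories whose binaries are package-managed; anything else deserves review.
STANDARD_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

# user  host=(runas) [TAG:]... command[, command]...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user specification lines into dicts; skips comments and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "who": m["who"],
            "runas": m["runas"],
            "nopasswd": "NOPASSWD:" in m["tags"],
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def audit_rule(rule):
    """Return human-readable findings for one rule. A non-standard binary that
    runs as root is the case to look at hardest: if it writes to files it is
    handed (as test does), the rule is effectively a root-level write primitive."""
    findings = []
    for cmd in rule["cmds"]:
        if cmd == "ALL":
            continue
        prog = cmd.split()[0]
        runas = rule["runas"] or "root"
        if not prog.startswith(STANDARD_DIRS):
            findings.append(f"{rule['who']}: non-standard binary {prog} runs as {runas}")
        if rule["nopasswd"]:
            findings.append(f"{rule['who']}: NOPASSWD on {prog}")
    return findings


def audit_sudoers(text):
    """Audit a whole sudoers file and return all findings in file order."""
    return [f for rule in parse_sudoers(text) for f in audit_rule(rule)]


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run against a real file with `sudo cat /etc/sudoers` piped in; the mitigation for the flagged rule is to drop the custom binary from sudoers, or to rewrite it so that the destination file is fixed rather than caller-chosen.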