Saturday, November 6, 2021

DC-9

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine DC-9 from the VulnHub pentesting platform.

- DC-9 can be downloaded from here:

https://www.vulnhub.com/entry/dc-9,412/

- Once DC-9 has been downloaded and imported into VirtualBox:



2 - ENUMERATION

- The IP for DC-9 is 192.168.1.14:

- Scanning with Nmap, port 22 is filtered and port 80 is open:

- Checking the web server:

- Going to Manage:



3 - EXPLOITATION

- Let's explore the Search form, intercepting the request with Burp and saving it:




- Forms are prone to injection attacks, so let's feed the saved request to Sqlmap to find a vulnerable injection point:


- Looking for databases, we find Staff and users:

- Dumping everything from Staff, we find usernames and passwords:

- The same for the users database:



- Cracking admin's password hash:



- Logging in as admin:transorbital1:

- The footer message "File does not exist" suggests that the include function is being used, so there may be an LFI vulnerability:



- Remembering that the SSH service is filtered (see the Nmap output) and browsing some configuration files through the LFI, we find /etc/knockd.conf, which contains the port-knocking sequence that opens SSH:



- Using the knock command with that sequence to open access to the SSH service:



- Hydra helps find valid SSH accounts:

- SSH-ing in as janitor:Ilovepeepee:

- Looking for interesting files:


- New credentials:

- Again, Hydra helps find new SSH accounts:

- SSH-ing in as fredf:B4-Tru3-001:



4 - PRIVILEGE ESCALATION

- Checking fredf's sudoers permissions:


- test is an executable file:





- test takes two files as parameters and appends the content of the first to the second:






- Running it without parameters:





- The strategy for privilege escalation will be to create a new user, whitelist, with root privileges and append its record to /etc/passwd using the sudo-enabled test executable.

- openssl generates the password hash for whitelist:qwerty:





- Adding the username, the password hash and :0::0::root:/bin/bash so that whitelist has root privileges:






- Appending the crafted line to /etc/passwd with test:




- Checking that the line has been correctly appended:






- Logging in as whitelist:qwerty, we get a root shell:
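The defender-side counterpart to the escalation above, added here as an example (not part of the original write-up): parse /etc/passwd and flag any record that grants UID 0 to an account other than root, stores a hash directly in the file instead of /etc/shadow, or is malformed. The passwd content and the hash value below are constructed for illustration.

```python
"""Audit /etc/passwd for rogue superuser entries (added example)."""
from dataclasses import dataclass
from typing import List

PASSWD_FIELDS = 7  # name:password:uid:gid:gecos:home:shell


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious or malformed passwd record."""
    findings: List[Finding] = []
    seen_names = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != PASSWD_FIELDS:
            findings.append(Finding(line_no, raw, f"malformed: {len(fields)} fields, expected {PASSWD_FIELDS}"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen_names:
            findings.append(Finding(line_no, raw, f"duplicate username {name!r}"))
        seen_names.add(name)
        if not uid.isdigit():
            findings.append(Finding(line_no, raw, f"non-numeric uid {uid!r}"))
            continue
        # The trick used above: a second UID-0 account besides root.
        if int(uid) == 0 and name != "root":
            findings.append(Finding(line_no, raw, "UID 0 granted to non-root account"))
        # "x" means the hash lives in /etc/shadow; "!"/"*" lock the account.
        if pw == "":
            findings.append(Finding(line_no, raw, "empty password field"))
        elif pw != "x" and not pw.startswith(("!", "*")):
            findings.append(Finding(line_no, raw, "password hash stored in passwd (bypasses shadow)"))
    return findings


# Constructed sample: a clean system plus one appended rogue record.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1002:1002:,,,:/home/fredf:/bin/bash
whitelist:$1$CONSTRUCTED$placeholderhashvalue:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.reason}: {f.entry}")
```

Running it against the real file (`audit_passwd(open("/etc/passwd").read())`) from a cron job or a host-integrity check gives an early signal for exactly this kind of persistence.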





5 - CAPTURING THE FLAG

- Reading theflag.txt: