Vulnhub- DC 4

ARZ101
Apr 13, 2021

Hey everyone, I hope you are doing well. This is a write-up for the DC-4 machine. It is an easy boot2root machine, so let’s jump in by doing a port scan on the machine.

Rustscan

rustscan -a 192.168.1.3 -- -A -sC -sV                                                                                           
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Open 192.168.1.3:22
Open 192.168.1.3:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp6/VowbK8MWfMDQsxHRV2yvL8ZO+FEkyIBPnDwTVKkJiVKaJMZ5ztAwTnkc30c3tvC/yCqDAJ5IbHzgvR3kHKS37d17K+/OLxalDutFjrWj
G7mBxhMW/0gnrCqJokZBDXDuvHQonajsfSN6FmWoP0PDsfL8NQXwWIoMvTRYHtiEQqczV5CYZZtMKuOyiLCiWINUqKMwY+PTb0M9RzSGYSJvN8sZZnvIw/xU7xBCmaWuq8h2dIfsxy+FhrwZMhvh
JOpBYtwZB+hos3bbV5FKHhVztxEo+Y2vyKTl6MXJ4qwCChJdaBAip/aUt1zDoF3cIb+yebteyDk8KIqmp5Ju4r
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIbZ4PXPXShXCcbe25IY3SYbzB4hxP4K2BliUGtuYSABZosGlLlL1Pi214yCLs3ORpGxsRIHv8
R0KFQX+5SNSog=
| 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcvQZ2DbLqSSOzIbIXhyrDJ15duVKd9TEtxfX35ubsM
80/tcp open http syn-ack ttl 64 nginx 1.15.10
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:2A:E7:75 (Oracle VirtualBox virtual NIC)

PORT 80 (HTTP)

It looks like a login page, so let’s try default credentials like admin:admin. It didn’t work. I intercepted the request with Burp.

Saved it in a file and ran sqlmap against it.

That didn’t work either, so we know that this is admin’s login and we can brute-force his password. Using Burp, we can use hydra to brute-force admin’s password.

But there aren’t any error messages, so we need to use something that is shown after logging in. Typically "logout" is shown when you log in to a portal or a site.

So the hydra command will look like this

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.3 http-post-form '/login.php:username=^USER^&password=^PASS^:S=logout' -t 64 -V -I

We can only pick from three options

So let’s intercept it with Burp

On changing the radio parameter's value

Python exists on the machine so we can get a reverse shell

Here only jim’s folder looks interesting

We can also see test.sh, which can be read, written and executed by anyone

Host the file so we can save it on our local machine and then try to brute-force jim’s password

But jim isn’t in sudoers group

Then I used search to find all files for jim

Now we got charles’s password as well

Doing a sudo -l

This is a tee binary, so we can look it up on GTFOBins

So we can add a user in /etc/passwd with our own hash and an id of 0, which is root
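
From the defender's side, the change described above leaves a clear trace in /etc/passwd: a second UID 0 account carrying its password hash inline instead of the usual "x". The audit below is an added example, not part of the original write-up; the function name, the account names and the hash string in the sample are constructed for illustration.

```python
"""Audit passwd-format data for extra UID 0 accounts and inline hashes (added example)."""

# Constructed sample data, not taken from the DC-4 machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
svc-backup:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0::/root:/bin/bash
guest::1005:1005::/home/guest:/bin/sh
broken line without enough fields
"""


def audit_passwd(text):
    """Return (line_no, user, finding) tuples for suspicious passwd entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A malformed line can hide an entry from simpler field-based checks.
            findings.append((line_no, None, "malformed entry"))
            continue
        user, password, uid = fields[0], fields[1], fields[2]
        # Any account with UID 0 is root to the kernel, whatever its name.
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((line_no, user, "UID 0 on a non-root account"))
        if password == "":
            findings.append((line_no, user, "empty password field"))
        elif password != "x" and not password.startswith(("!", "*")):
            # "x" defers to /etc/shadow; "!" and "*" mark a locked account.
            findings.append((line_no, user, "password hash stored in passwd"))
    return findings


if __name__ == "__main__":
    for line_no, user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {user or '?'}: {finding}")
```

To check a live system, pass the contents of /etc/passwd to `audit_passwd` instead of the sample string.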
