Vulnhub - DC 4

Apr 13, 2021


Hey everyone, I hope you are doing well. This is a write-up for the DC-4 machine. It is an easy boot2root machine, so let’s jump in by doing a port scan on the machine.


rustscan -a -- -A -sC -sV                                                                                           
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp6/VowbK8MWfMDQsxHRV2yvL8ZO+FEkyIBPnDwTVKkJiVKaJMZ5ztAwTnkc30c3tvC/yCqDAJ5IbHzgvR3kHKS37d17K+/OLxalDutFjrWj
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIbZ4PXPXShXCcbe25IY3SYbzB4hxP4K2BliUGtuYSABZosGlLlL1Pi214yCLs3ORpGxsRIHv8
| 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcvQZ2DbLqSSOzIbIXhyrDJ15duVKd9TEtxfX35ubsM
80/tcp open http syn-ack ttl 64 nginx 1.15.10
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:2A:E7:75 (Oracle VirtualBox virtual NIC)


It looks like a login page, so let’s try default credentials like admin:admin. That didn’t work, so I intercepted the request with Burp.

Saved it in a file and ran sqlmap against it.

That didn’t work either, so we know that this is admin’s login and we can brute-force his password. Using the request intercepted with Burp, we can use hydra to brute-force admin’s password.

But there aren’t any error messages, so we need to match on something that is shown after being logged in; typically "logout" is shown when you log in to a portal or a site.

So the hydra command will look like this

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form '/login.php:username=^USER^&password=^PASS^:S=logout' -t 64 -V -I

We only have three options

So let’s intercept it with Burp

On changing the radio parameter's value

Python exists on the machine so we can get a reverse shell

Here only jim’s folder looks interesting

We can also see a file which can be read, written and executed by anyone

Host the file so we can save it on our local machine and then try to brute-force jim’s password

But jim isn’t in the sudoers group

Then I used search to find all files for jim

Now we got charles’s password as well

Doing a sudo -l

This is a tee binary, so we can look it up on GTFOBins

So we can add a user to /etc/passwd with our own hash and an ID of 0, which is root
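
A defender-side check for the end state of the step above, as an added example that is not part of the original write-up: it scans a passwd-format file for extra UID 0 accounts, hashes stored inline instead of in /etc/shadow, empty password fields, duplicate names and malformed lines. The account name newroot, jim's UID and the hash value are constructed placeholders.

```shell
#!/bin/sh
# Added defensive example; not part of the original write-up.
# audit_passwd FILE: print one finding per line for a passwd(5)-format file.
audit_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # ignore comments and blank lines
        NF != 7 { print "MALFORMED:line" NR; next }       # passwd(5) entries have 7 fields
        seen[$1]++ { print "DUPLICATE:" $1 }              # same login name defined twice
        $3 ~ /^0+$/ && $1 != "root" { print "UID0:" $1 }  # extra account with root privileges
        $2 == "" { print "NOPASSWORD:" $1; next }         # empty field: no password required
        $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_HASH:" $1 }  # hash kept outside /etc/shadow
    ' "$1"
}

# Constructed sample: normal root and jim entries plus one appended uid-0 line.
# "newroot", the UID 1002 and the hash string are placeholders, not values from the page.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
newroot:$6$CONSTRUCTED$PLACEHOLDERHASH:0:0::/root:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp"      # on a live host: audit_passwd /etc/passwd
rm -f "$tmp"
```

Run on a schedule or from a file-integrity hook, any output is worth an alert, since a healthy /etc/passwd on a shadow-password system produces none.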



