This is a walkthrough for the DC 9 from the DC vulnhub series, this machine was a real challenge which involved a port which was filtered and getting the admin hash via SQL injection , then logging in we could find the LFI parameter to get port knocking sequence then further dumping the database to passwords for user and brute forcing them to login.
NMAP
nmap -sC -sV 192.168.1.7Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-16 09:31 PKT
Nmap scan report for 192.168.1.7
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 08:00:27:1B:8F:38 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
Going to Display All Records
we can see information of users
We can a login page , lets’ try to do some basic sqli stuff
I tried admin ' or 1=1 # , admin' or 1=1 -- , but both failed
Going over to search.php we can see that it searches for a name so let's supply the name mary since information for that user exists
Here let’s perform a query mary' and 1=1 # to see if it still returns us information of mary
It does , so here we can actually sqli but first we need to identify how many columns are there to do that we are going to utilize order by <number> which will sort by value of the number of column of provide , we will keep increasing the number we get no response so,
mary' order by 1 #
I kept getting result till till 6 columns but after that I get no response
Which means we have 6 columns so we can now perform sql injection
mary' union select version(),user(),database(),4,5,6 #
This machine is using MariaDB, user for the database client is dbuser and the database name is Staff , now we need to extract table name ,then the columns and the exfiltrate the data
We can only perform a query to give us all the names for database
mary' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata #So there two databases but right now let’s just focus on Staff
mary' union select group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema=database() #We have two tables , StaffDetails and Users so let's see column names for Users table
mary' union select group_concat(column_name),2,3,4,5,6 from information_schema.columns where table_name='Users' #We have the column names , we are interested in username and password so let’s just extract the data
And we got the user name password hash , this could have been done with sqlmap easily by just intercepting the request from search.php and saving it to a file and running it against sqlmap
Let’s visit crackstation
As soon as we log in we’ll get an error
I tried the parameter file and got the contents of /etc/passwd
So I copied the results in a file and grab the users only
Now remember that we had 2 databases Staff and users , let's use sqlmap to dump data from users database
I have already saved the usernames ,let’s just grab the password and start brute forcing against SSH
But ssh is filtered so we are going to first see if we can find a port knocking configuration or not
Now can perform port-knocking to open ssh port
We found 2 passwords with brute forcing
After logging in with janitor we can find more passwords
Let’s add those passwords and again try brute forcing
Switching to user fredf we can that can run the file test as sudo
It’s a binary , let’s try to execute it and see what happens
Weird it says test.py which is a python file which reads and appends so we need to find that python file
And we found it
So going through the source code , it’s going to take 2 arguments as file , it’s going to read the contents from first file store it in variable then it’s going to append the contents in the file we specify we could exploit this by first adding a root user in a file then reading the contents from there and appending it to /etc/passwd file
Now let’s see if this actually worked or not
This has added a user so we can switch to this user and become root
