
Oct 3, 2019

DC8 Vulnhub Walkthrough

DC8 is a VM made by DCAU. It is another purposely built vulnerable lab, intended to give you experience in the world of penetration testing.
This challenge is a bit of a hybrid between being an actual challenge and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited. The ultimate goal of this challenge is to bypass two-factor authentication, get root and read the one and only flag.
You can download the lab file from http://www.five86.com

Let's go.
Network Scanning
To find the IP of the target, we use netdiscover; the target's IP is 192.168.5.9.
nmap -A 192.168.5.9

Ports 22 (SSH) and 80 are open; port 80 is hosting an Apache httpd service.

Web Enumeration
Opening the index page, we have a welcome page and some links on the left.

Following these links, we can see URLs with a nid parameter, so we try adding a single-quote character (') and get an error message.
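The error the single quote triggers comes from the nid value being spliced into the SQL text, where the quote breaks the statement's syntax. As an added illustration (not code from the original post, and not Drupal's own code), the following Python/sqlite3 script sets up a constructed node table and shows the concatenating lookup beside its parameterised form; the table layout, column names and function names are assumptions for illustration only.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a node table keyed by nid.
    Assumption: the real Drupal schema is not reproduced here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Who we are"), (3, "Contact")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, nid):
    """Splices the raw ?nid= value into the SQL text. A stray quote changes the
    statement's syntax, which is what surfaces as the database error message."""
    sql = "SELECT title FROM node WHERE nid = " + nid
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, nid):
    """Binds the value as a parameter: the driver never parses it as SQL, so a
    quote is just a character that happens to match no row."""
    rows = conn.execute("SELECT title FROM node WHERE nid = ?", (nid,))
    return [row[0] for row in rows]


def db_error_on(lookup, conn, nid):
    """True when the lookup raises a database error for this nid value. This is
    the same observable the manual quote test in the walkthrough relies on."""
    try:
        lookup(conn, nid)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for nid in ("1", "1'"):
        print(repr(nid),
              "vulnerable raises:", db_error_on(lookup_vulnerable, conn, nid),
              "safe raises:", db_error_on(lookup_safe, conn, nid))
```

With the plain value "1" both lookups return the same row; with "1'" the concatenating version raises a syntax error (the tell-tale error page), while the parameterised version simply returns no rows. The fix on the application side is the second form, with input validation (nid should be an integer) as a second layer.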

Now we run sqlmap against it and get 2 available databases: d7db and information_schema.

To enumerate the tables, we type: sqlmap -u 192.168.5.9/?nid=1 -D d7db --tables

We can see a table named "users"; this table may have the information we are looking for. To show the columns of the table: sqlmap -u 192.168.5.9/?nid=1 -D d7db -T users --columns

Next, to dump the users table we type: sqlmap -u 192.168.5.9/?nid=1 -D d7db -T users --dump
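Seen from the server side, the probing described above (the manual quote, then sqlmap's database, table and column enumeration) leaves a recognisable trail in the web server's access log. The following is an added example, not part of the original walkthrough: a small Python scanner over constructed Apache combined-format log lines that flags quote characters, comment markers, boolean tautologies and UNION/SELECT inside decoded query parameters, plus the "sqlmap" substring in the User-Agent header, then counts hits per source IP. The log lines, IP addresses and request values are constructed; the "sqlmap/..." User-Agent is the tool's default unless the operator changes it, so it is an indicator, not a guarantee.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (not a real capture from the DC8 box).
ACCESS_LOG = """\
192.168.5.20 - - [03/Oct/2019:10:01:12 +0000] "GET /?nid=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.5.20 - - [03/Oct/2019:10:01:30 +0000] "GET /?nid=1' HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
192.168.5.20 - - [03/Oct/2019:10:02:05 +0000] "GET /?nid=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.3 (http://sqlmap.org)"
192.168.5.20 - - [03/Oct/2019:10:02:06 +0000] "GET /?nid=1%20UNION%20ALL%20SELECT%20NULL HTTP/1.1" 200 4011 "-" "sqlmap/1.3 (http://sqlmap.org)"
192.168.5.31 - - [03/Oct/2019:10:03:00 +0000] "GET /?nid=2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse indicators of injection probing inside a decoded parameter value.
# They are deliberately simple; tune them against your own traffic before alerting.
PATTERNS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|/\*|#"),
    "tautology": re.compile(r"\b(?:AND|OR)\b\s+\S+\s*=\s*\S+", re.I),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
    "time_based": re.compile(r"\b(?:SLEEP|BENCHMARK|WAITFOR)\b", re.I),
}


def classify_request(target, ua):
    """Return the list of reasons a request looks like SQL injection probing."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so %27 / %20 / %3D are inspected as ' / space / =
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"{label}:{name}")
    if "sqlmap" in ua.lower():
        reasons.append("sqlmap_user_agent")
    return reasons


def scan_access_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        reasons = classify_request(m["target"], m["ua"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "ua": m["ua"], "reasons": reasons})
    return findings


def suspicious_by_ip(findings):
    """Count flagged requests per source IP; repeated hits from one host are the
    typical shape of an automated scan."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_access_log(ACCESS_LOG)
    for f in results:
        print(f["ip"], f["target"], ", ".join(f["reasons"]))
    print(suspicious_by_ip(results))
```

On the constructed lines, the first and last requests are clean while the three from 192.168.5.20 are flagged: one for the quote, two for sqlmap's User-Agent together with the tautology and UNION/SELECT payloads. Pairing a detection like this with the application's own database error log (the error page the quote produced) gives both the attempt and its effect.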

Now we have the usernames and password hashes, so we can try John The Ripper to crack the hashes.
We get the username "john" with the password "turtle".

Next we have to find the login page; let's try brute-forcing directories with dirb.

We find a "user" page that requires login credentials; log in as john with the password we just cracked.

After logging in, we look around and find a form field in the Contact part, under the Webform tab. In Form settings there is an option to change the text format; we can change it to PHP code and put a reverse shell there to get a shell on the target machine.

Back at the node, select the webform we just created. On the View tab, submit a mail to execute our PHP reverse shell script, and we receive the shell from the target machine.


Escalate Privilege
Time to escalate privileges on this machine; right now we are the user "www-data".
After finding the SUID permissions and checking around, we find a service named "exim4" at version 4.89.
Then we search the web for details on Exim and find a Local Privilege Escalation exploit for version 4.89 (read more).
Next, go to the /tmp directory (which is writable) to transfer the exploit file. Edit our IP address and the port we will use to capture the netcat session in file.sh. Then use wget to transfer the file, give it execute permission and run it.
This script invokes a netcat shell back to our machine's IP on port 1234.

It's time to run a listener.
And we own root!
