DC-3 Walkthrough

Introduction

Today we're going to do a boot2root pentest walkthrough of the DC-3 machine, which was created by DCAU and is hosted at https://www.vulnhub.com/entry/dc-32,312/. For our pentest, we'll be using two virtual machines: our Kali Linux attacking machine and the DC-3 target machine.

Locating the Target

The first thing we'll do is locate the target on our network, using netdiscover:


Looks like 10.0.2.14 is our target.

Scanning and Enumeration

Let's start with a quick nmap scan to see which TCP and UDP ports are open on the target machine.


Looks like there's only TCP port 80 open, so we'll do a more in-depth scan using nmap.


Joomla is an unusual finding on this system, and there may be some unique exploits we can run against it.

Next, we run a Nikto scan against the target's web server.


The discovery of the admin page will be very useful if we can find admin credentials somewhere.  Lastly, our Nessus scans revealed more info about the Joomla service.


Finding a Way In

After a quick search online for "Joomla 3.7.0", we found an entry on www.cvedetails.com that gives us some direction.


There's a Metasploit module that gives us remote code execution on systems running Joomla 3.7.0.  We open up our MSF console and navigate to that module, then check the options for the settings needed to use it.

The only required setting we need to supply is the remote host IP address, so after we plug that in, we run the module, but....

The module needs to have an admin or super user logged in to work properly.  There's an nmap script that can brute-force credentials for Joomla, so we'll run that next.

Lots of results, but we just need the first account to log in as the administrator and use the Metasploit module.  We navigate to the web server's admin page and log in using the credentials we found.
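
From the defender's side, the credential brute-force above shows up in the web server's access log as a burst of POST requests to the Joomla administrator login. The following is an added example, not part of the original walkthrough: it flags that pattern, assuming Apache combined-format logs and the default /administrator/index.php login path; the log lines, client addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client, timestamp, method, URL (assumed format).
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')
LOGIN_PATH = "/administrator/index.php"  # assumed default Joomla admin login path


def sample_log():
    """Constructed log lines: one noisy client, one ordinary administrator."""
    fmt = '{ip} - - [12/Mar/2020:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "constructed-agent"'
    burst = [fmt.format(ip="192.0.2.10", m=0, s=i, req="POST " + LOGIN_PATH) for i in range(20)]
    admin = [fmt.format(ip="198.51.100.7", m=5 * i, s=0, req="POST " + LOGIN_PATH) for i in range(3)]
    browse = [fmt.format(ip="198.51.100.7", m=1, s=0, req="GET /index.php")]
    return burst + admin + browse


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak login POSTs seen inside one window} for noisy clients."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, stamp, method, url = m.groups()
        if method != "POST" or url.split("?", 1)[0] != LOGIN_PATH:
            continue              # only login submissions are of interest
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[ip]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()        # expire attempts older than the window
        if len(seen) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} admin login POSTs within 60 seconds")
```

The threshold and window need tuning against normal administrator activity on the site being monitored.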

Now that there's an admin logged into the Joomla app, we can go back to the Metasploit module and run it again.

The module worked, and we have a Meterpreter shell now.

Privilege Escalation

Now that we're on the target system, we want to confirm the OS version the system is running, so we can look for a privilege escalation exploit.

We can confirm from a couple of sources that our target is running Ubuntu 16.04, and after a bit of searching, we find an exploit that matches it.

After downloading the file to our attacking system, the next step is to upload it to the target.  We can use Meterpreter to upload it to the target's /tmp/ directory, where we have write permissions.  After we drop into a regular shell, we use a Python one-liner command to upgrade to a TTY shell, then navigate to the /tmp/ directory where the exploit file is.

To prepare the exploit for use, we unzip and untar the compressed file, then use a script file to compile it.  

Sadly, we see a couple of warning messages while the exploit compiles.  Hopefully it's still usable.

Luckily, the exploit worked, despite the warning messages.  We have root access now.

The last thing for us to do is secure the target's flag, which the documentation indicates is in the /root/ directory.

Summary

After our initial scans, we found that the Joomla service was vulnerable, so we searched online and found a Metasploit module that allows us to gain a remote shell on the target, but we were missing admin access on the Joomla service in order to use it. After brute-forcing admin credentials for Joomla, we had all the pieces to run the Metasploit module and gain a remote shell. Once inside, we confirmed the target's OS version, found a privilege escalation exploit for the OS, uploaded it to the target, and executed it, securing us root access.

Finish

















