DC-4 Walkthrough

Introduction

Today we're going to be doing a boot2root pentest walkthrough of the DC-4 machine, created by DCAU and hosted at https://www.vulnhub.com/entry/dc-4,313/ . For this walkthrough, we'll be using two virtual machines: a Kali Linux VM as the attacking system, and the DC-4 VM as the target system.

Locating the Target

Let's start the pentest by locating the target system on the network by running netdiscover from our attacking system. 

Looks like our target is at 10.0.2.18.

Scanning and Enumeration

We start our scans by finding open ports using nmap.

TCP ports 22 and 80 are open. Next, we run nmap again to get more details about the services on those ports.

Not much luck here. We also run Nikto and dirbuster, but without much success. Time to take a look at what's on the web server.

Finding a Way In

We first check for SQL injection possibilities on this login page, but it doesn't seem to work. At this point, we decide it's time to brute force the login using Burp Suite.

The first part of the attack is to capture an HTTP request in Burp Suite and send it to the Intruder tab. From there, we set the password list we will use for the attack and then have Burp Suite attack the login form, sending the admin username paired with each word from our password list in turn.

After the process is finished, we look at the results for the different passwords, and from the differing length of the response from the target web server we can see that "happy" is our match. We use the paired credentials to log in to the admin section of the website, and see that there is a link to command.php, a web app that lets us list files, show disk usage, or show free disk space. We try the "list files" function, which gives us output that looks like this.

The output here looks like that of typical Linux commands, so this app may be vulnerable to command injection. We can test this by capturing an HTTP request in Burp Suite and changing the information we're sending, like so.

The result of our modified request looks like this.

This shows that the web app is indeed vulnerable to command injection, which means we can get a reverse shell on the target system by this method. The first step is to set up a netcat listener on our attacking system.

Then we use Burp Suite to send another modified HTTP request with the following input.

This opens a shell on our attacking system. We upgrade it to a TTY shell using a Python one-liner, then we set about doing some snooping on the target system.
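The injection in command.php works because the server hands a user-supplied string to a shell. As an added example, not code from the walkthrough or from the DC-4 VM, the Python below puts that anti-pattern next to the hardened form a defender would want (an allowlist of fixed argv vectors, no shell) and a check that flags submitted values carrying shell metacharacters; the action names and sample values are constructed.

```python
import re
import subprocess

# Hypothetical allowlist standing in for the three functions the walkthrough
# saw in command.php (list files, disk usage, disk free). The form submits
# only the key; the argv it maps to never contains user text.
ALLOWED_ACTIONS = {
    "list_files": ["ls", "-l"],
    "disk_usage": ["du", "-sh", "."],
    "disk_free": ["df", "-h"],
}

# Characters that let a value break out of one command into another.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")

def vulnerable_run(value: str) -> str:
    """The anti-pattern: user text reaches a shell, so 'ls -l; id' runs two commands."""
    return subprocess.run(value, shell=True, capture_output=True, text=True).stdout

def resolve_action(action: str):
    """Return the fixed argv for a permitted action name, or None for anything else."""
    return ALLOWED_ACTIONS.get(action)

def hardened_run(action: str) -> str:
    """Hardened counterpart: no shell, and the argv comes from the allowlist, not the request."""
    argv = resolve_action(action)
    if argv is None:
        raise ValueError(f"action not permitted: {action!r}")
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

def looks_like_injection(value: str) -> bool:
    """True when a submitted value carries shell control characters worth alerting on."""
    return bool(SHELL_META.search(value))

def triage_submissions(values):
    """Classify submitted values the way an application log review or WAF rule would."""
    verdicts = {}
    for v in values:
        if resolve_action(v) is not None:
            verdicts[v] = "allowed"
        elif looks_like_injection(v):
            verdicts[v] = "alert: shell metacharacters"
        else:
            verdicts[v] = "rejected"
    return verdicts

# Constructed sample of values a handler like command.php might receive.
SAMPLE_VALUES = ["list_files", "ls -l", "ls -l; id", "disk_free", "$(id)"]
```

Note that a raw "ls -l" is rejected rather than run: the hardened handler accepts only action names, so the legitimate command text the original form sent is itself a sign the client is not the shipped UI.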

Privilege Escalation

We manage to find a few items in the home directory of a user named jim, including this file of old passwords.

Our next step is to transfer the passwords file to our attacking system. This requires us to set up another netcat listener on the attacking machine, then use netcat on the target to send the file, like so.

With this list of jim's old passwords, we can try to brute force jim's SSH login using hydra.

We use jim's credentials to log in to the target system over SSH.

Looks like we have mail. The mail command will let us read the user's mailbox.

With this new information, we can switch users to charles and see if he has better privileges on the system.

Charles has root privileges when using the teehee program, but what is teehee? There are no man or help pages for this program, but we get the real answer when we try to determine which version of teehee the system is running.

So teehee is just a renamed tee program, which means we can use it to append to or overwrite files that would normally require root access to modify. So naturally, we'll use it to give charles root access by overwriting the /etc/sudoers file.

Now that we're root, all we have to do is cat out the flag file and we're done. Let's try the root directory.

Summary

After initial scans, we found that we didn't have much to go on aside from the web server's admin login page, which we broke into by brute force with Burp Suite. Once logged in, we found that the web app inside was vulnerable to command injection, which we used to gain a foothold on the target. We then found a password list in the file system, which allowed us to brute force SSH credentials for a user, and once logged in as that user, we found mail containing password information for another user. That user had elevated privileges when using a renamed tee program, which we used to overwrite the sudoers file, gain root access, and cat out the flag.

Finish