GitHub icon LinkedIn icon d="M6.667 4h18.667c1.467 0 2.667 1.2 2.667 2.667v18.667c0 1.467-1.2 2.667-2.667 2.667H6.667A2.675 2.675 0 0 1 4 25.334V6.667C4 5.2 5.2 4 6.667 4zm16.946 8.44c.64-.533 1.387-1.173 1.72-1.88-.547.28-1.2.453-1.92.547.667-.48 1.>
Writeup - DC-9 (VulnHub)
4 min read

Writeup - DC-9 (VulnHub)

Writeup - DC-9 (VulnHub)
Photo by Emanu / Unsplash

This is a writeup for the DC-9 machine from the VulnHub site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

One TCP ports are discovered:

  • 80/tcp : HTTP web server (Apache 2.4.38)


At first I start by making a scan of the website folders.

Quite a lot of different pages, I start by making a capture of a request sent by the search.php page with the help of Burp.

I then run a SQL vulnerability scan with sqlmap.

sqlmap -r request.txt --dbs --batch

The target is usable, I find 3 databases in the result of the command. I start with users :


Many different credentials... Looking in the Staff database, I find an admin password hash.


So I go on crackstation to try to find it.

I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page manage.php, there is an error message : File does not exist. I wonder if there is not an argument. After some test I find that there is a file argument. This allows me to find the following file:

File does not exist
[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn

This is a file that allows you to configure port knocking to unblock the SSH port!

So I try to realize the sequence with the following commands:

nmap -Pn --max-retries 0 -p 7469
nmap -Pn --max-retries 0 -p 8475
nmap -Pn --max-retries 0 -p 9842

And indeed it worked, I now have access to the SSH port:

In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with hydra :

After a few minutes hydra finds several combinations that work. It is by connecting as a janitor that I finally find an interesting file:

A list of passwords, so I add them to my existing list and I restart hydra :

A new combination is found! So I connect in SSH.

Privilege escalation

I start by checking the sudo permissions of my user.

By executing the script I understand that it uses two arguments: one in reading and the other in writing.

fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test 
Usage: python read append

I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command:

fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty

I add the line of my user in a temporary file :

fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt 

Then I add my user with the following command:

sudo ./test ~/user.txt /etc/passwd

Finally I change user:

I now have a root shell on the machine!


To patch this host I think it would be necessary to perform a number of actions:

  • Update the site to avoid SQL injection
  • Do not leave an argument file if not used
  • Do not store clear passwords in a database
  • Do not let a script run in root if not necessary