Writeup - DC-9 (VulnHub)
This is a writeup for the DC-9 machine from the VulnHub site.
First, let's start with a scan of our target with the following command:
nmap -sV -T4 -Pn 192.168.56.101
One TCP ports are discovered:
- 80/tcp : HTTP web server (Apache 2.4.38)
At first I start by making a scan of the website folders.
Quite a lot of different pages, I start by making a capture of a request sent by the
search.php page with the help of Burp.
I then run a SQL vulnerability scan with
sqlmap -r request.txt --dbs --batch
The target is usable, I find 3 databases in the result of the command. I start with
Many different credentials... Looking in the
Staff database, I find an admin password hash.
So I go on crackstation to try to find it.
I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page
manage.php, there is an error message :
File does not exist. I wonder if there is not an argument. After some test I find that there is a
file argument. This allows me to find the following file:
This is a file that allows you to configure port knocking to unblock the SSH port!
So I try to realize the sequence with the following commands:
nmap -Pn --max-retries 0 -p 7469 192.168.56.101 nmap -Pn --max-retries 0 -p 8475 192.168.56.101 nmap -Pn --max-retries 0 -p 9842 192.168.56.101
And indeed it worked, I now have access to the SSH port:
In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with
After a few minutes
hydra finds several combinations that work. It is by connecting as a
janitor that I finally find an interesting file:
A list of passwords, so I add them to my existing list and I restart
A new combination is found! So I connect in SSH.
I start by checking the sudo permissions of my user.
By executing the script I understand that it uses two arguments: one in reading and the other in writing.
[email protected]:~$ sudo /opt/devstuff/dist/test/test Usage: python test.py read append
I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command:
[email protected]:~$ openssl passwd -1 -salt d3vyce azerty $1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1
I add the line of my user in a temporary file :
[email protected]:/opt/devstuff/dist/test$ cat ~/user.txt d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash
Then I add my user with the following command:
sudo ./test ~/user.txt /etc/passwd
Finally I change user:
I now have a root shell on the machine!
To patch this host I think it would be necessary to perform a number of actions:
- Update the site to avoid SQL injection
- Do not leave an argument
fileif not used
- Do not store clear passwords in a database
- Do not let a script run in root if not necessary