
DC-3 vulnhub walkthrough

Today I will share with you another vulnhub walkthrough write-up, this time for a newly published vulnhub VM. The vulnerable VM is DC-3 and you can download it from the following URL: https://www.vulnhub.com/entry/dc-3,312/

In this article you will learn the following:

  • Using nmap to find open ports and running services
  • Enumerating Joomla websites
  • Searching for Joomla exploits using searchsploit
  • Using sqlmap to exploit SQLi vulnerabilities
  • Cracking Joomla password hashes using john the ripper
  • Getting a reverse shell through the Joomla administrator area
  • Searching for kernel root exploits

After downloading and importing the vulnerable VM into my virtualization software, I scanned the network to find its IP address. I found that the IP address is:

Scanning for open ports, I found that only one port is open: HTTP (80).

Browsing the website with Firefox, I found that it hosts the Joomla CMS, so I used the joomscan tool to enumerate it.

The tool detected that the Joomla version is 3.7.0, so I checked whether there are known vulnerabilities for this version using searchsploit.

searchsploit reported that this version of Joomla is vulnerable to SQL injection, so I opened the exploit file to read more about how to exploit it. The file contains an sqlmap command that exploits it automatically.

Using this command, I got the names of the databases on the back-end MySQL server. One of them was “joomladb”, so I used sqlmap again to list the tables in this database.

The result shows a table “#__users” which may contain the login information for this Joomla site, so I used sqlmap to list its columns.

Finally, I used sqlmap to dump the credentials (usernames and passwords). The result shows one user, “admin”, whose password is stored as a hash, so I used john the ripper to crack it.

Note: I tried to upload a webshell using sqlmap, but I did not find a writable directory to write the shell into.

The tool recovered the password: “snoopy”.
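From the defender's side, the SQL injection and sqlmap phase above leaves very recognisable traces in the web server's access log. The following Python script is an added example, not part of the original write-up or of any tool it mentions: it parses Apache combined-format log lines, URL-decodes the request path and flags requests that carry a scanner user-agent or typical injection syntax. The log lines in SAMPLE_LOG are constructed for this example (the IP addresses, timestamps and user-agent strings are made up).

```python
"""Constructed example (not from the DC-3 write-up): scan Apache combined-log
lines for the kind of SQL injection traffic sqlmap produces against Joomla."""
import re
from urllib.parse import unquote_plus

# Apache "combined" log format:
# host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Syntax typical of injection payloads, matched against the URL-decoded path.
SQLI_RE = re.compile(
    r"\bunion\b.+\bselect\b"
    r"|\b(?:updatexml|extractvalue|sleep|benchmark)\s*\("
    r"|\binformation_schema\b"
    r"|'\s*(?:or|and)\s+[\w']"
    r"|\b\d+\s*=\s*\d+\s*--",
    re.IGNORECASE,
)
# User-agent substrings of the tools named in the write-up.
SCANNER_AGENTS = ("sqlmap", "joomscan")


def analyse_line(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))      # decode %27, %20, '+' etc.
    agent = m.group("agent").lower()
    reasons = []
    if any(tag in agent for tag in SCANNER_AGENTS):
        reasons.append("scanner user-agent")
    if SQLI_RE.search(path):
        reasons.append("sqli pattern in query string")
    return {"ip": m.group("ip"), "path": path, "reasons": reasons}


def find_sqli(lines):
    """Return the analysed records for every line that raised at least one reason."""
    hits = []
    for line in lines:
        info = analyse_line(line)
        if info and info["reasons"]:
            hits.append(info)
    return hits


# Constructed sample log: a normal page view, a sqlmap probe, a hand-crafted
# injection with a browser user-agent, and a harmless site search that
# happens to contain the word "select".
SAMPLE_LOG = [
    '192.168.56.50 - - [10/Mar/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    '192.168.56.101 - - [10/Mar/2019:10:05:17 +0000] '
    '"GET /index.php?option=com_content&id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 5120 '
    '"-" "sqlmap/1.3#stable (http://sqlmap.org)"',
    '192.168.56.101 - - [10/Mar/2019:10:07:41 +0000] '
    '"GET /index.php?option=com_content&view=article&id=1%20AND%20updatexml(1,version(),1) HTTP/1.1" 500 0 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    '192.168.56.50 - - [10/Mar/2019:10:09:03 +0000] '
    '"GET /index.php?option=com_search&searchword=select+committee HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
]

if __name__ == "__main__":
    for hit in find_sqli(SAMPLE_LOG):
        print(hit["ip"], hit["path"], ", ".join(hit["reasons"]))
```

The user-agent check alone is not enough, because sqlmap's `--random-agent` option hides it; the decoded-payload check catches the second request even though it arrives with a browser user-agent, while the last line shows that an ordinary search containing an SQL keyword is not flagged.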

After logging in to the administrator area, I tried to get a reverse shell to the back-end server. I went to the templates section and created a new file named “shell.php”; I edited the php-reverse-shell.php script from the “/usr/share/webshells/php” directory to connect back to my Kali Linux machine on port 4444, pasted its content into the new file and saved it.

Then I visited shell.php with Firefox and got a reverse shell on my Kali Linux machine.
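A new PHP file saved through the template editor, as in the step above, is exactly what a file-integrity check over the Joomla templates directory catches. The following Python script is an added example, not part of the write-up or of Joomla: it records a SHA-256 manifest of the PHP files under a templates tree at deployment time and later reports anything added, modified or removed. The `demo()` function builds a small constructed tree in a temporary directory (the template name “protostar” and the file contents are just sample values) and simulates the write-up's shell.php being dropped next to a legitimate template file.

```python
"""Constructed example (not from the DC-3 write-up): baseline the PHP files
under a Joomla templates directory and report anything added or changed,
which is how a web shell written through the template editor shows up."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, exts=(".php",)):
    """Map each PHP file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_against_manifest(root, baseline):
    """Compare the tree under root with a manifest taken at deployment."""
    current = build_manifest(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed templates tree, baseline it, then simulate an
    attacker saving shell.php through the template editor and tampering
    with an existing file. Returns the diff so it can be checked."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "protostar")       # sample template name
        os.makedirs(tpl)
        with open(os.path.join(tpl, "index.php"), "w") as f:
            f.write("<?php // legitimate template file\n")
        baseline = build_manifest(root)             # taken at deploy time

        # The write-up's step: a new PHP file created via the template editor
        with open(os.path.join(tpl, "shell.php"), "w") as f:
            f.write("<?php // placeholder content, not a real shell\n")
        # A legitimate file edited in place
        with open(os.path.join(tpl, "index.php"), "a") as f:
            f.write("// appended line\n")

        return diff_against_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest would be written to a location the web server user cannot modify and the diff run from cron or a monitoring agent; an administrator account that can write PHP into the templates tree is equivalent to code execution, so a non-empty "added" list from this check deserves the same response as a confirmed web shell.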

What remains is to escalate my privileges on the server to root. I checked the kernel version and the distribution release and found that it runs “Ubuntu 16.04 LTS” with kernel version 4.4.0-21-generic.

Searching with searchsploit, I found many available kernel root exploits. I tried them and found that 39772.txt is the suitable one.

Opening the exploit file, I found that it contains a URL for the exploit. I downloaded it, unzipped it, copied the exploit.tar file to the Apache document root on my Kali Linux machine and started the Apache service.

After downloading the exploit to the target server, untarring it, compiling it with the “compile.sh” script and running the generated binary, I got root privileges.

I hope you learned something new from this article. Don't forget to share it with your friends and leave your feedback in the comments.

Wait for the next walkthrough 😀
