DC-4 vulnhub walkthrough


Today I will share a new write-up in the Vulnhub walkthrough series. The selected machine is DC-4, which can be downloaded from the following URL: https://www.vulnhub.com/entry/dc-4,313/

In this article you will learn the following:

  • Using nmap to find open ports and running services.
  • Brute-forcing HTTP logins using the Burp Suite Intruder module.
  • Finding and exploiting OS command injection vulnerabilities.
  • Creating an nc reverse shell to the Kali Linux machine.
  • Enumerating users' home directories to extract sensitive information.
  • Brute-forcing the SSH service using the xHydra tool.
  • Enumerating users' sensitive files.
  • Privilege escalation by adding a crontab entry.
  • Privilege escalation by adding an entry to the passwd file as the root user.
  • Privilege escalation by adding an entry to the sudoers file.

After I downloaded and imported the selected target into my virtualization software, I performed a ping scan of the whole network and found that the IP address for the target machine is :

After that, I performed a port scan using nmap and found two open ports: SSH (22) and HTTP (80).

When I browsed the IP address for the machine using Firefox, I found that it has a login form.

I tried many attacks, such as SQLi and OS command injection, but with no success. So I tried to brute-force the password using “admin” as the username. I tried many password lists and used the Burp Suite Intruder module for this attack.

I found that the password for the “admin” user is “happy”. So I used it to log in to the admin area (note: you have to hit the login button twice, as I checked the source code for the login.php page).

After that, I found a page called “command.php”. By analyzing this page, I found that it sends commands stored in the values of the HTML radio buttons, executes them on the back-end server, and displays the result to the client.

So I sent the request to the Repeater module in Burp Suite, then edited the value of the radio parameter to be the nc reverse shell command instead of the ls command, and I got a reverse shell to my Kali Linux machine.

After enumerating the target machine, I found a file called “old-passwords.bak” located in the jim user's home directory. So I had two options for finding jim's password. The first is brute-forcing the SSH service (this is the option I selected), and the second is using the sucrack tool (you can find an article about how to use this tool here: https://hackingresources.com/rootthis-1-walkthrough/ ).

Using xHydra, I found that the password for the jim user is jibril04. So I used it to log in as this user over SSH.

After logging in to the server, I found that the home directory for this user (jim) has two files. One of these is a shell script (test.sh) and the other is the mbox. After viewing the mbox file, I found it is just a test email!

After a lot of enumeration inside the box, I found that the /var/mail directory contains a file called jim which is an email file. This email contains a password for another user called “charles”. So I used these credentials to switch to charles.

After logging in as the second user, I found that this user has the privilege to execute a binary file called teehee as the root user without needing a password. So I checked this binary and found that it has many options.

So I used this binary to escalate my current privileges to root in several ways.

The first was using this command to add an entry to the “/etc/crontab” file, which is executed every minute, to change the permissions of the “/bin/sh” binary to 4777, which means SUID.

The second was adding an entry to the /etc/passwd file for a new user called “hackingresources” with the same uid (User ID) and gid (Group ID) as the root user; this user has no password.

The third and last technique was adding an entry to the /etc/sudoers file that allows the jim user to run all commands as root without needing a password.
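
Each of the three changes above leaves a trace in /etc/crontab, /etc/passwd or /etc/sudoers that an administrator can audit for. The following is an added example, not part of the original walkthrough: the sample file contents are constructed, and the teehee path in the sudoers sample is an assumption.

```python
import re

# Constructed sample contents, not taken from the DC-4 machine.
# The teehee path in the sudoers sample is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
hackingresources::0:0:::/bin/bash
"""
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD: /usr/bin/teehee
jim ALL=(ALL) NOPASSWD: ALL
"""
SAMPLE_CRONTAB = """\
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
"""
# chmod with a setuid/setgid octal mode (2xxx-7xxx) or a symbolic "+s"
SUID_CHMOD = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:[2-7][0-7]{3}\b|[ugoa]*\+[rwxXt]*s)")

def audit_passwd(text):
    """Flag non-root accounts with UID 0 and accounts with an empty password field."""
    findings = []
    for line in text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) < 7:
            continue
        if f[2] == "0" and f[0] != "root":
            findings.append(("uid0", f[0]))
        if f[1] == "":
            findings.append(("empty-password", f[0]))
    return findings

def audit_sudoers(text):
    """Flag every NOPASSWD rule as (tag, user, command) for manual review."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*([^#\s]+)\s+.*NOPASSWD:\s*(.+)$", line)
        if m:
            findings.append(("nopasswd", m.group(1), m.group(2).strip()))
    return findings

def audit_crontab(text):
    """Flag system-crontab jobs run as root that add a setuid/setgid bit via chmod."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # five time fields, user, command
        if len(parts) == 7 and parts[0][0] != "#" and parts[5] == "root" and SUID_CHMOD.search(parts[6]):
            findings.append(("suid-chmod", parts[6]))
    return findings
```

The NOPASSWD rule for teehee is reported alongside the injected one because a passwordless rule for a binary that can append to arbitrary files is the root cause of all three escalations.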

I hope that you learned something new by reading this article. Do not forget to share it with your friends and provide us with your feedback in the comments.

Stay tuned for the next walkthrough 😀

