CTF WriteupsVulnhub Writeups

DC-5 vulnhub walkthrough

Vulnhub vulnerable machines

DC-5 vulnhub walkthrough


My new write-up will be for DC-5 machine from Vulnhub which can be downloaded from the following URL : https://www.vulnhub.com/entry/dc-5,314/

In this article you will learn the following:

  • Using nmap to find opened ports & running services.
  • Fuzzing web pages to find vulnerabilities.
  • Exploiting LFI vulnerability.
  • Poisoning the log files with malicious PHP code.
  • Getting reverse shell using LFI vulnerability.
  • Privilege escalation using SUID binaries.

As usual, after downloading and importing it to the virtualization software I have to get its IP address. I found that the IP address is :

After that, I performed a port scan using nmap to find the open ports and the running services. i found that there are only two open ports (80 for HTTP service and 111 for RPC service). So, I decided to start enumerating the HTTP service by visiting it using Firefox.

After visiting it, I found one interesting page which is “thankyou.php” which takes many parameters.

I tried to play with them but with no success. So, I decided to fuzz it to find if this page accepts other hidden parameters. To do that, I used wfuzz tool. I tried to fuzz different types of attacks such as Injection, LFI, … etc. I found that this page accepts a parameter called “file” and this parameter is vulnerable to LFI vulnerability.

So, I tried to view many files like : /etc/passwd, /etc/shadow, & /var/log/nginx/access.log. I found that some of them can be viewed (passwd & access.log).

I tried to perform RFI attack but with no success. So, I tried many ways to gain a shell access on the back-end server and finally got it. I got the shell access by using log poisoning.

I poisoned the access.log file with a malicious PHP code to create a reverse shell using nc. The PHP code was injected in the user-agent field of the access.log file.

Once loading the access.log file again using the LFI I got a reverse shell to my Kali Linux machine. After that, I checked the binaries that has SUID bit. I found an interesting one (screen-4.5.0). So, I used searchsploit utility to find if there is a root exploit for this binary and I found that it is vulnerable to root exploit 😀

I tried to move the shell script exploit to the target machine and execute it but the exploit not work. So, I opened it and found that it tries to create some files and write some data inside them.

What I did was manually creating those files and save the data inside them as follows:

Then, I compiled both “rootshell.c” and “libhax.c” files and move them with “41154.sh” file to the target machine as follows:

Finally, I change the permission for the “41154.sh” file to be executed script and run it to get the root privilege and read the file contains the flag.


Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also

Back to top button