Today, We are going to pwn DC 8 by DCAU7 from Vulnhub
DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This challenge is a bit of a hybrid between being an actual challenge, and being a “proof of concept” as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited. The “proof of concept” portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42. The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag. You probably wouldn’t even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it’s definitely there and doing it’s job. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools. For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
Download Link : https://www.vulnhub.com/entry/dc-8,367/
Lets Begin our Nmap Scan
Nmap Scan Results
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0) | ssh-hostkey: | 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA) | 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA) |_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519) 80/tcp open http Apache httpd |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache |_http-title: Welcome to DC-8 | DC-8 MAC Address: 08:00:27:4B:B7:5B (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It is a
While checking the webpage , this look odd
So I tried passing some other id’s and it shows some SQL error
Lets run our SQLmap
It showed us that there are 2 available databases in the target machine which are:
Lets see whats in the database of
-D DB DBMS database to enumerate --tables Enumerate DBMS database tables
We found a table named ‘users’.
-T TBL DBMS database table(s) to enumerate
It looks like there are some name and pass so lets dump them!.
We found users and hashes
Users - admin,john
Lets try crack them using
We found a password
I logged in with
Now its time to get Reverse shell. I figure out that we need to edit the
form-setting and change the
text format to
Once I submit
Listening on my machine , I got the shell
I uploaded my Linux Enumeration Script
Found some SETUID Bit
exim4 is unusual
Searchsploit shows lot of exploits
so lets check its version
And Found an exploit for that version!
I uploaded it in the victim machine and tried running it but it shows some
bad interpreter so i googled about it
Lets try this
sed -i -e ‘s/\r$//’ script.sh
We Got Root!