DC-3 is another purposely built vulnerable lab, intended for gaining experience in the world of penetration testing. DC-3 is a VirtualBox VM built on 32-bit Ubuntu, so there should be no issues running it on most PCs.
The machine is available in the public domain through the following link: https://download.vulnhub.com/dc/DC-3-2.zip
We start our hunting with port scanning; with the help of the nmap tool we find that port 80 is open.
To find hidden directories we use gobuster with a SecLists wordlist, but after the scan we had only found a new administrator login page.
Since we hadn't got much information, we checked the readme.txt file, where we found that the machine runs Joomla 3.7.0, so with the help of searchsploit we check whether any known exploits exist for it.
We found that there is a known exploit: a SQL injection vulnerability in index.php, which we will exploit. Before that we need to download that particular exploit file.
searchsploit -m 42033.txt
From the file we got the injection command, and used it with sqlmap to enumerate the databases.
We found a database named joomladb, so our next step is to list all the tables in that database and look for a table of users; for that, add -D joomladb --tables to the previous sqlmap injection command.
We got a table named #__users; next we need to dump the names and passwords from it, so we add -D joomladb -T '#__users' -C name,password --dump to the same injection command.
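The dump above only works because the injected requests reach the web server unnoticed. As an added example (not part of the original walkthrough), the Python below shows what the same activity looks like from the defender's side: it parses Apache combined-format access-log lines, percent-decodes the request path (repeatedly, so double-encoded payloads are normalised), and flags generic SQL-injection indicators plus scanner User-Agent strings. The log lines, IP addresses and User-Agent values are constructed for the demo, not captured from the DC-3 box.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not real DC-3 traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?option=com_users&view=login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%20name%2Cpassword%20FROM%20users--%20- HTTP/1.1" 500 311 "-" "sqlmap/1.7"
10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /index.php?id=1%20AND%20extractvalue(1,concat(0x7e,version()))-- HTTP/1.1" 500 305 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:13 +0000] "GET /index.php?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Generic SQL-injection indicators, matched against the fully decoded request path.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I)),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment-terminator", re.compile(r"--(\s|$)")),
]
# Tools that announce themselves in the User-Agent unless told otherwise.
SCANNER_UA = re.compile(r"sqlmap|nikto|wpscan", re.I)


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path: str, user_agent: str) -> list[str]:
    """Return the list of indicator names that fire for one request."""
    decoded = decode_path(path)
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
    if SCANNER_UA.search(user_agent):
        hits.append("scanner-user-agent")
    return hits


def analyze_log(text: str) -> list[dict]:
    """Parse every log line and keep only the requests with at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hits = classify_request(m["path"], m["ua"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "path": decode_path(m["path"]),
                "indicators": hits,
            })
    return findings


def hits_per_ip(findings: list[dict]) -> Counter:
    """Count flagged requests per source IP, useful as a blocking/alert threshold."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} {f['ts']} {f['status']} {f['indicators']} {f['path']}")
    print("per-IP totals:", dict(hits_per_ip(results)))
```

Note that the error-based and time-based requests in the sample carry an ordinary browser User-Agent: a detection that keys only on the scanner banner misses them, which is why the path patterns are checked independently. The 500 status codes on the error-based lines are a second, cheap signal worth alerting on.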
We got the username and password for the admin user, but since the password is stored as a hash we need to use John the Ripper to crack it.
With the help of John the Ripper and the rockyou.txt wordlist we got the password: snoopy.
Finally we get inside the website as admin.
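The hash was cracked in seconds because "snoopy" sits in rockyou.txt; a strong hash algorithm does not help when the password itself is in a wordlist. As an added example (not part of the original walkthrough), the Python below is a password-policy check of the kind an administrator should enforce on accounts like this one: it normalises the candidate (lower-case, trailing digits and symbols stripped, common leetspeak undone) before looking it up in a breached-password set, and also checks length, character classes and whether the username is embedded. The breached set here is a tiny constructed stand-in for a real list such as rockyou.txt.

```python
import re

# Constructed stand-in for a breached/wordlist password set (a real list is millions of entries).
BREACHED_PASSWORDS = {"123456", "password", "snoopy", "qwerty", "letmein", "admin123"}

# Common substitutions people use to "strengthen" a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built from.

    "Sn00py2019!" -> "snoopy": lower-case, strip the trailing digits/symbols,
    then undo leetspeak. Order matters: stripping first keeps "2019" from
    being translated into letters.
    """
    base = re.sub(r"[\d!@#$%^&*.]+$", "", password.lower())
    return base.translate(LEET_MAP)


def password_problems(password: str, username: str = "",
                      breached: set = BREACHED_PASSWORDS, min_len: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in breached or normalize(password) in breached:
        problems.append("matches a breached/wordlist password")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    for candidate, user in (("snoopy", "admin"), ("Sn00py2019!", "admin"),
                            ("admin123", "admin"), ("Tr0ub4dor&3-horse-staple", "admin")):
        print(f"{candidate!r}: {password_problems(candidate, user) or 'OK'}")
```

The normalisation step is what catches "Sn00py2019!": a naive exact lookup would accept it even though a cracking rule set recovers it almost as quickly as the bare word.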
There is a folder named Templates in the menu bar; it contains two template folders, one of which is named beez4. That template contains a file named index.php, so we modify that file with the php-reverse-shell code from /usr/share/webshells/php on our local machine.
After saving the file and triggering the error, we open a netcat listener to receive the reverse shell connection.
And we got it!
Since the shell we got is not a TTY shell, we need to spawn one using Python.
Since sudo -l asks for a password, we use another method for privilege escalation. With linpeas.sh we are going to find the vulnerability on this particular server. For that, download linpeas.sh and start a Python web server on our local machine; then, using curl, we fetch and execute linpeas.sh on the DC-3 machine, and it finds a vulnerability.
After some research, we found GitHub code for this particular vulnerability, so we clone it onto the DC-3 machine. To be able to execute the file we need to clone it into /var/www/html.
We successfully cloned the repository; it contains a file named expl.sh, which is our exploit file, and we execute it to get root privileges.
We successfully ran the exploit and got root access.
Pwned!!!