
#Dc-3

  • Writer: bikupothen1615
  • Mar 11, 2022

DC-3 is another purposely built vulnerable lab, intended for gaining experience in the world of penetration testing. DC-3 is a VirtualBox VM built on 32-bit Ubuntu, so there should be no issues running it on most PCs.

The machine is publicly available through the following link: https://download.vulnhub.com/dc/DC-3-2.zip


We start our hunt with port scanning; with the help of the nmap tool we find port 80 is op


To find hidden directories we use gobuster with SecLists, but after the scan we had found only a new administrator login page.


Since we hadn't got much information, we check the readme.txt file. There we find that the machine runs Joomla 3.7.0, so with the help of searchsploit we check whether there are any known exploits.


We found that there is a possible known exploit. There is a vulnerability in index.php, and we exploit that vulnerability using SQL injection. Before that we need to download that particular file.

searchsploit -m 42033.txt


From the file we got the injection command, and used it to dump the database.


We found a database named joomladb, so our next step is to dump all the tables in that database and check for a table named user. For that, use --dbs joomladb along with the previous SQL injection.


We got a table named #__users. Next we need to dump the names and passwords from the table; for that, use --dbs joomladb -T '#__users' -C name, password --dump along with the SQL injection.


We got the username and password for the admin user, but since the password is stored as a hash we need to use John the Ripper to crack it.


With the help of John the Ripper and the rockyou.txt wordlist we got the password snoopy.

Finally we get inside the website as admin.


There is a folder named templates in the menu bar; it contains 2 folders, one of which is named beez4 templates. That template contains a file named index.php, so we modify that file with the php_reverse_shell code from /usr/share/webshells/php on our local machine.

After saving the file and triggering the error we open the netcat listener to get the reverse shell connection.

And we got it!!
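
From the defender's side, the template edit described above shows up in a file-integrity baseline. The following is an added example, not part of the original write-up: it hashes the PHP files under a web root, then reports files that changed and which PHP calls typical of reverse shells they now contain. The directory layout, file contents and the list of suspicious calls are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: illustrative list of PHP calls that reverse shells commonly rely on.
SUSPICIOUS = re.compile(rb"\b(fsockopen|proc_open|shell_exec|passthru|popen)\s*\(")


def snapshot(root):
    """Map each .php file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }


def audit(root, baseline):
    """Compare root against a baseline; return (path, status, suspicious_calls) tuples."""
    root, current = Path(root), snapshot(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "deleted", []))
        elif baseline.get(rel) != current[rel]:
            status = "modified" if rel in baseline else "added"
            calls = sorted({m.decode() for m in SUSPICIOUS.findall((root / rel).read_bytes())})
            findings.append((rel, status, calls))
    return findings


def demo():
    """Constructed scenario: a template index.php is overwritten after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / "templates" / "beez4"
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php echo 'template'; ?>")
        (tpl / "error.php").write_text("<?php echo 'error page'; ?>")
        baseline = snapshot(tmp)
        # Constructed stand-in for the overwritten template; not a working shell.
        (tpl / "index.php").write_text("<?php $s = fsockopen($host, $port); proc_open($cmd, $spec, $pipes); ?>")
        return audit(tmp, baseline)


if __name__ == "__main__":
    for path, status, calls in demo():
        print(f"{status:9} {path} suspicious_calls={calls}")
```

For the comparison to mean anything, the baseline has to be taken from a known-good install and stored where the web server account cannot write.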


Since the shell is not a TTY shell, we need to spawn one using Python code.


Since sudo -l asks for a password, we use another method for privilege escalation. We use linpeas.sh to find a vulnerability on this particular server. For that, download and clone linpeas.sh and start a Python server on our local machine, then use curl to execute linpeas.sh on the DC-3 machine. This way we found a vulnerability.


After some research, we found code on GitHub for this particular vulnerability, so we clone it onto the DC-3 machine. To execute the file we need to clone it into /var/www/html.


We successfully cloned it. It contains a file named expl.sh, which is our exploit file, and we execute it to get root privileges.


We successfully ran the exploit and got root access.


Pwned!!!

 
 
 
