DC-4 Vulnhub Walkthrough

Today we are going to take on another boot2root challenge known as “DC-4”. The credit for making this VM goes to “DCAU”. As with other boot2root challenges, our goal is to get root access to complete it. You can download it from here.

Security Level: Beginner

Penetrating Methodology

Scanning

  • Discovering the target’s IP
  • Network scanning (Nmap)

Exploiting

  • Surfing HTTP service port
  • HTTP Login credential Bruteforce (Burpsuite)
  • Command Injection
  • SSH Login Credentials Bruteforce (Hydra)

Lateral Movement

  • Logging into SSH and Enumerating Directories
  • Obtain credentials in /var/mail directory

Privilege Escalation

  • Check Sudo rights
  • Adding a new user to /etc/passwd with sudo
  • Access root directory
  • Capture the flag

Walkthrough

Scanning

Let’s start off with scanning the network to find our target.

netdiscover

We found our target’s IP address, 192.168.1.101. Our next step is to scan it with nmap.

nmap -A 192.168.1.101

Exploiting

From the nmap result, we found that an HTTP service is running on port 80. So, we browsed to the target’s IP address and found an Admin Information Security Login page. We clearly need to find credentials for it, so let’s work on that.

We fired up Burp Suite with rockyou.txt to find a valid login.

Username- admin

After bruteforcing, we found the password for admin, i.e.

Password- happy

We have successfully logged in as Admin. Under System Tools, the Command hyperlink looks suspicious, so let’s check it out.

The Command option looks useful, as it displays some options to run commands. Here we used the list files option, which displayed the files of the database. We also got a hint: the option executes ls -l, so we might be able to make some changes to it.

So, we captured the web page request using Burpsuite and sent it to Repeater. There we can make the desired changes to the request and check its response.
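A defensive counterpart to the request tampering described above, added here as an example and not code from the DC-4 application or the original post: the handler binds each submitted option to a fixed argv instead of treating the request field as a command line. The option key list_files, the function names and the logger name are assumptions.

```python
import logging
import subprocess

log = logging.getLogger("webtools")  # hypothetical logger name

# Option keys the form may submit, each bound to a fixed argv.
# The key name is an assumption; the page only shows a "list files"
# option that runs `ls -l`.
ALLOWED_TOOLS = {
    "list_files": ["ls", "-l"],
}


def run_tool_vulnerable(submitted):
    """'Before' form: the request field is used as the command line itself."""
    return subprocess.run(submitted, shell=True, capture_output=True,
                          text=True).stdout


def resolve_tool(submitted):
    """Return the fixed argv for a known option key, else raise ValueError."""
    try:
        return list(ALLOWED_TOOLS[submitted])
    except (KeyError, TypeError):
        raise ValueError("unknown tool option") from None


def handle_request(submitted, client_ip):
    """Hardened handler: returns (http_status, body)."""
    try:
        argv = resolve_tool(submitted)
    except ValueError:
        # A value outside the allowlist means the request was edited after
        # the form was rendered; record it for detection and refuse.
        log.warning("rejected tool option %r from %s", submitted, client_ip)
        return 400, "invalid option"
    # No shell and a fixed argv: nothing from the request reaches the command.
    done = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=5)
    return 200, done.stdout
```

The rejected-option log line doubles as a detection signal, since a browser using the form as rendered can never produce it.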

Let’s check out the subdirectories of the /home directory. We found 3 users, i.e. Charles, Jim and Sam.

We explored the home directory of user Jim and then checked out the backups folder.

We found old-passwords.bak, which is a backup password file.

Exploring the contents of the file, we found a list of passwords. They might come in handy later.

We checked whether /etc/passwd is readable and found some useful usernames.

We created dictionaries of users and passwords from the previously discovered credentials. Let’s bruteforce the SSH login using hydra.

hydra -L users -P passwords 192.168.1.101 ssh

So, the credentials found:

Login- jim

Password- jibril04
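How this dictionary attack looks from the server side, as an added detection example that is not part of the original post: it flags a successful SSH login that follows a burst of failed passwords from the same source. The log lines are constructed in the usual sshd syslog format; the source addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
Apr  7 10:00:01 dc-4 sshd[901]: Failed password for charles from 192.168.1.50 port 40112 ssh2
Apr  7 10:00:02 dc-4 sshd[902]: Failed password for charles from 192.168.1.50 port 40114 ssh2
Apr  7 10:00:03 dc-4 sshd[903]: Failed password for sam from 192.168.1.50 port 40116 ssh2
Apr  7 10:00:04 dc-4 sshd[904]: Failed password for sam from 192.168.1.50 port 40118 ssh2
Apr  7 10:00:05 dc-4 sshd[905]: Failed password for jim from 192.168.1.50 port 40120 ssh2
Apr  7 10:00:06 dc-4 sshd[906]: Failed password for jim from 192.168.1.50 port 40122 ssh2
Apr  7 10:00:07 dc-4 sshd[907]: Accepted password for jim from 192.168.1.50 port 40124 ssh2
Apr  7 11:30:00 dc-4 sshd[950]: Failed password for sam from 192.168.1.20 port 51000 ssh2
Apr  7 11:30:09 dc-4 sshd[951]: Accepted password for sam from 192.168.1.20 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1),
                      year=2000):
    """Return one alert per accepted login preceded by >= threshold failures
    from the same source within `window`. Syslog timestamps carry no year,
    so `year` is only a parsing placeholder."""
    failures = defaultdict(list)  # source ip -> [(timestamp, user), ...]
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append((ts, m["user"]))
            continue
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": m["user"],
                           "failed": len(recent),
                           "users_tried": sorted({u for _, u in recent})})
    return alerts
```

The single mistyped password from 192.168.1.20 stays below the threshold, so only the burst that ends in a successful login is reported.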

Lateral Movement

Logging into ssh using the credentials.

Username- jim
Password- jibril04
ssh jim@192.168.1.101

During enumeration, we found two files and read their contents, but they didn’t give a direct clue to move ahead.

ls
cat test.sh
cat mbox

When I opened mbox, I saw a test mail in it, sent by root to jim.

After thinking for some time, it suddenly struck us to check the /var/mail folder. It might contain something, and our instinct was right: we found some credentials.

Username- Charles
Password- ^xHhA&hvim0y

Privilege Escalation

Let’s log in as charles with the password ^xHhA&hvim0y.

su charles

After enumeration, we checked the sudo rights for Charles and found that he can run the program teehee as root with no password. After that, we added the user raaj to /etc/passwd using echo and teehee as shown.

sudo -l
echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

After logging in as raaj, who is now a root user, we found our FINAL FLAG inside the root directory.

su raaj
cd /root
ls
cat flag.txt
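A check a defender could run to catch the account added above (an added example, not from the original post): it audits passwd-format text for empty password fields, unshadowed hashes and extra UID 0 accounts. The sample file is constructed apart from the raaj line taken from the walkthrough, and the function name is an assumption.

```python
# Constructed passwd content; the last line is the entry the walkthrough
# appends with teehee.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
raaj::0:0:::/bin/bash
"""


def audit_passwd(text):
    """Return a list of (line_no, account, finding) for risky entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        name, passwd, uid, _gid, _gecos, _home, _shell = fields
        if passwd == "":
            # An empty second field means no password is required at all.
            findings.append((line_no, name, "empty password field"))
        elif passwd not in {"x", "*", "!"}:
            findings.append((line_no, name, "password hash not in /etc/shadow"))
        if uid == "0" and name != "root":
            # Any UID 0 entry has full root privileges whatever its name.
            findings.append((line_no, name, "UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    for line_no, name, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {name}: {finding}")
```

The audit only catches the symptom; the underlying fix is removing the passwordless sudo rule for a program that can append to arbitrary files.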

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, with 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst.

4 thoughts on “DC-4 Vulnhub Walkthrough”

  1. Great, I just wonder how do you know teehee does this;
    echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

    Is there any command called teehee in Linux or?

  2. Aydin Ucar:
    I was thinking the same thing. So after I played around with teehee a bit I used the command

    teehee --help

    and got this information

    Usage: teehee [OPTION]... [FILE]...
    Copy standard input to each FILE, and also to standard output.

    -a, --append  append to the given FILEs, do not overwrite
    -i, --ignore-interrupts  ignore interrupt signals
    -p  diagnose errors writing to non pipes
    --output-error[=MODE]  set behavior on write error. See MODE below
    --help  display this help and exit
    --version  output version information and exit

    MODE determines behavior with write errors on the outputs:
    ‘warn’ diagnose errors writing to any output
    ‘warn-nopipe’ diagnose errors writing to any output not a pipe
    ‘exit’ exit on error writing to any output
    ‘exit-nopipe’ exit on error writing to any output not a pipe
    The default MODE for the -p option is ‘warn-nopipe’.
    The default operation when --output-error is not specified, is to
    exit immediately on error writing to a pipe, and diagnose errors
    writing to non pipe outputs.

    GNU coreutils online help:
    Full documentation at:
    or available locally via: info ‘(coreutils) tee invocation’

  3. When I run the DC4 on VirtualBox it is asking for dc-4 login … what is the login and password?

    1. Hey bro! Your task is to exploit the box, and then you can find a way to gain access to the system with the information you get.
