In this article, we are going to crack the DC: 9 Boot to Root Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to DCAU. Download this lab by clicking here.

Penetration Testing Methodology

• Network Scanning
  • Netdiscover Scan
  • Nmap Scan
• Enumeration
  • Browsing HTTP Service
• Exploitation
  • Connection via SSH
• Post Exploitation
  • Enumeration for Sudo Permissions
• Reading Root Flag

Walkthrough

Network Scanning

We downloaded, imported and ran the virtual machine (.ova file) on the VMWare Workstation, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP address of our target machine, for that use the following command as it helps to see all the IP’s in an internal network:

netdiscover

We found the target’s IP Address 192.168.1.8. The next step is to scan the target machine by using the Nmap tool. This is to find the open ports and services on the target machine and will help us to proceed further.

nmap -A 192.168.1.8

Here, we performed an Aggressive Port Scan because we wanted to grab all the information. After the scan, we saw that port 22 was detected but filtered, this says that we do have the SSH service but something is blocking it from the inside. We have the port 80 with the Apache httpd service. This was the lay of the land. Now let’s get to enumeration.

Enumeration

We started from port 80 and tried to browse the webpage on our browser. With the history of the series of DC Machines, the Drupal CMS is used. But this was not Drupal. I must say there was some work done here to make the webpage look like one provided by the Drupal. Smart Move. We have the Home page depicted in the image given below. We also have the “Display All Records” tab, which consists record of some users. We have the Manage tab, but it requires some credentials to manage users.

During our Enumeration, we didn’t find anything much to move ahead. We had a Form in the Search Tab. Forms are susceptible to Injection Attacks. To test for the SQL Injection on this search attack, we will search for some text inside the search form and capture the request by clicking on Search Button. We will capture the request using the BurpSuite Tool.

We copied the captured request and pasted in inside a text file and named it raj.txt. We did so to use the captured request with the sqlmap. Now we will start the sqlmap to check if the search form is vulnerable to SQL Injection or not. If it is vulnerable, this will enumerate some databases form this machine.

sqlmap -r raj.txt --dbs --batch

After working for some time, sqlmap told us that the search form is vulnerable. We see that the back-end DBMS configured is MySQL 5.0.12. We also see that some databases that are extracted by sqlmap. We have the “information_schema”, “Staff” and “user” named databases.  Now let’s enumerate these databases, as sqlmap doesn’t allow multiple databases at the same time. We will enumerate the Staff Database first.

sqlmap -r raj.txt -D Staff --dump-all --batch

The Staff Database contains 2 tables. First Table consists of email ids, phone numbers, First Name, Last Name and Positions of users and the Second Table consist of a username and a password hash. The username is “admin”. So, it hints at us that this might be an important account.

Before moving on with the hash cracking, let’s enumerate another database as well. The database named is users. We will again use the sqlmap in a similar way that we did earlier but change the database name against the -D parameter as depicted below.

sqlmap -r raj.txt -D users --dump-all --batch

After working on the enumeration, the sqlmap extracts a table named UserDetails from the user database. We have ids, First Names, Last Names, usernames, and passwords. This is important data that could be used further down the road. But let’s get back to our hash.

We went on our favorite hash cracker website, “Hashkiller”. We entered the hash and it told us that the hash is MD5 in nature. The cracked password is “transorbital1”.

Now that we have the admin credentials, let’s look back at the Web Application that we were presented by the Machine. We had a Manage Tab which contains a login authentication page. We enter the credentials that we just cracked. We see that we have some additional features unlocked now like manage and Add Record. But what struck our eye was the footer. It now says that “File does not exist”. This means there must be a file that was being included to the footer which is now missing or misplaced. We know that where we have the include function, we have a probability of finding an LFI Vulnerability.

We try to test it using the most common LFI testing URL parameter. We insert the testing parameter in the URL followed by the welcome.php file. We do add “?file=” so that it can be pointed to a Local File on the Server. We try to look for the /etc/passwd file. We see that it is accessible. This proves that we do have the LFI Vulnerability.

http://192.168.1.8/welcome.php?file=../../../../../../../etc/passwd

We started to enumerate different files on the Target Machine. This is when we stumbled upon the knockd.conf. This means that the is Port Knocking Involved. We see that we have the openSSH configured here with a sequence. We note this sequence and knock the SSH Port In this sequence to get it up and running.

http://192.168.1.8/welcome.php?file=../../../../../../../etc/knockd.conf

Exploitation

We use the knock command for the Port Knocking. This can be done by a bunch of different methods. After Knocking the ports in the sequence, we ran the NMAP scan again to ensure that our knocking worked and SSH Port should be open now. We have the SSH port open. This is our way in.

knock 192.168.1.8 7469 8475 9842
nmap -p22 192.168.1.8

Now that we have the SSH service, we need login credentials to get inside. We tried the same credentials that we used on WebApp but it was a no go. We went back to the user database that we enumerated earlier and made 2 dictionaries for the bruteforce of the SSH Service. We used the usernames and passwords columns form that table for this procedure.

After creating the user.txt and pass.txt dictionaries, we used the hydra tool for the bruteforce against the SSH service on the Target Machine. After some tries, we see that the user janitor is the user with the SSH Access. We now have the proper credentials to login via SSH.

hydra -L user.txt -P pass.txt 192.168.1.8 ssh

We logged in using the following credentials.

Username: janitor

Password: Ilovepeepee

After logging in we being our Enumeration of the Machine for steps through which we can elevate our access on the machine. In the process of Enumeration, we ran the Directory Listing command, and we see that we have a hidden directory labeled “secrets-for-putin”.

ssh janitor@192.168.1.8
Ilovepeepee
ls -al

We traversed inside the newly found hidden directory using the cd command. We again list all the contents inside this directory to find a text file named “passwords-found-on-post-it-notes.txt”. More Passwords, Cool! We read this text file using the cat command.

We went back to our native terminal and edited the pass.txt file and appended it with this newly found passwords. Now with recent developments, we ran the hydra bruteforce again. This time we see that we have some additional valid login credentials.

Post Exploitation

Let’s login using the first credential we found. It was the user fredf. We used the su command on the previous SSH session we had using the following credentials.

Username: fredf

Password: B4-Tru3-001

After logging in as the user fredf, we check if what kind of sudo rights does this fredf user have? We see that it can run a program called test as a root user without entering any password. We ran the test program but nothing happened.

su fredf
B4-Tru3-001
sudo -l

To inspect what went wrong, we went to the location where we see that the test is saved. We found the test.py. On taking a closer look we see that it is a simple data append program. It will take 2 files as parameters and then append the contents of the first file inside the second file.

cd /opt/devstuff/
ls -al
cat test.py

Privilege Escalation

Now to escalate privileges, we thought that we will create a new user with root access and make the entry of the user inside the /etc/passwd file using the test file. Let’s create a user and its password hash. We accomplish this task using openssl. Here we created a user named pavan with the password 123456. We get our hash, let’s move on to the target machine.

openssl passwd -1 -salt pavan 123456

We add username, colons (:), and “:0:0::” to make the entry that could act as a root user. After that, we used the echo command to create a file named in the  /tmp directory named raj. Then we used the test program that we found earlier with the raj file and appended that user hash that we just created inside the /etc/passwd file. After this we login in as the user pavan that we created. We enter the password and we have the root access on the machine.

echo 'pavan:$1$pavan$qv9M3fBmtDPrOTBZflNl81:0:0::/root:/bin/bash' >> /tmp/raj
sudo test /tmp/raj /etc/passwd
su pavan

Accessing the Root Flag

We moved to the home of the root user and found the final root flag. This was a nice machine. We enjoyed every bit of it. We are sad to see this nice series come to end. But we thank the author for putting so much effort into our learning. 

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn