DC-4
https://vulnhub.com/entry/dc-4,313/
DC-4 also has 1 flag.
Browsing to port 80, we don't get much information.
I ran a nikto scan, and it appears to be running WordPress.
I think we are going to have to brute-force the login page.
Start up Burp Suite, go to the Proxy tab, turn on Intercept and open the browser.
Head to the website and type admin for the username. Since we don't know the password (we really don't know the username either; we are just guessing), we just press submit.
Back in the Proxy tab, right-click the request and choose Send to Intruder.
In the Intruder tab we can set up the payload. Add a payload position by placing the cursor after password= and clicking Add §.
Now in the Payloads tab set Payload type to Runtime file, select /usr/share/wordlists/metasploit/unix_passwords.txt as your file and press Start attack. I went with this wordlist because it is small; with the Community Edition of Burp it would probably take days to go through rockyou.txt. Go get some coffee, seriously. Even with a small wordlist it's going to be a while. Maybe take a nap.
Since I only have the Community Edition of Burp Suite, I went ahead and used wfuzz to brute-force /login.php with the same wordlist. Burp Suite took almost an hour; wfuzz took just a few seconds.
wfuzz -c -z file,/usr/share/wordlists/metasploit/unix_passwords.txt --hh 206 -d "username=admin&password=FUZZ" -u http://10.6.6.13/login.php
--hh 206 hides every response whose body is 206 characters long, which is the size of the failed-login page. We want to see anything other than 206, because a response of a different length means something different happened.
Read the man page for wfuzz, or run wfuzz -h.
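From the defender's side, the same signal wfuzz keys on (every failed login producing an identical 206-byte page, and one response that differs) is visible in the web server's access log. The following Python is an added example, not part of the original write-up: it parses constructed Apache-style access log lines, flags any IP that sends a burst of POSTs to /login.php within a short window, and reports the first response that breaks the failure pattern, which is the likely successful guess. The log lines, the 5-attempts-per-60-seconds threshold and the IP addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (sample data, not from the original page):
# one IP hammers POST /login.php with a fuzzer, every failure comes back as
# 200 with a 206-byte body, then one attempt returns 302 with an empty body.
# A second IP makes two ordinary attempts and should not be flagged.
SAMPLE_LOG = "\n".join(
    ['10.6.6.99 - - [10/Mar/2024:12:00:00 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
    + [
        f'10.6.6.99 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /login.php HTTP/1.1" 200 206 "-" "Wfuzz/3.1.0"'
        for s in range(1, 9)
    ]
    + [
        '10.6.6.99 - - [10/Mar/2024:12:00:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Wfuzz/3.1.0"',
        '10.6.6.50 - - [10/Mar/2024:12:05:00 +0000] "POST /login.php HTTP/1.1" 200 206 "-" "Mozilla/5.0"',
        '10.6.6.50 - - [10/Mar/2024:12:05:30 +0000] "POST /login.php HTTP/1.1" 200 206 "-" "Mozilla/5.0"',
    ]
)

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def find_bruteforce(log_text, path="/login.php", threshold=5, window_seconds=60):
    """Return {ip: report} for every IP with >= threshold POSTs to path inside one window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == path:
            attempts[ev["ip"]].append(ev)

    reports = {}
    for ip, events in attempts.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window: largest number of attempts that fit in window_seconds.
        best, j = 0, 0
        for i in range(len(events)):
            while (events[i]["ts"] - events[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best < threshold:
            continue
        # The most common (status, size) pair is the failed-login signature,
        # exactly the 206-byte page wfuzz hides; any deviation is worth a look.
        sigs = Counter((e["status"], e["size"]) for e in events)
        failure_sig = sigs.most_common(1)[0][0]
        deviants = [e for e in events if (e["status"], e["size"]) != failure_sig]
        reports[ip] = {
            "attempts": len(events),
            "max_in_window": best,
            "failure_signature": failure_sig,
            "possible_success": bool(deviants),
            "first_deviation": deviants[0]["ts"].isoformat() if deviants else None,
        }
    return reports


if __name__ == "__main__":
    for ip, report in find_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

The report for the fuzzing IP shows nine attempts within the window, a failure signature of (200, 206) and a deviation at 12:00:09, which is the point an analyst would check against the application's own session or audit log.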
After logging in and going to /login.php, we are presented with
So back to Burp Suite, I presume. Nikto did say something about a wp-config file that had the credentials, so let's see if we can find that file.
After looking around I found an "old-passwords.bak" file. I then used cat to view its contents. I'm guessing we can brute-force SSH with the username jim, sam, or charles. Well, let's give it a try!
We can use Hydra to brute-force SSH as follows:
hydra -L users.txt -P password.txt ssh://10.6.6.13
Looking around a little and trying different commands, I found that jim had mail.
Password sharing. OK, so Charles might be an admin. Let's su to charles and see what we can find.
Now that we are logged in as charles, let's run sudo -l.
Alright, let's see what teehee is.
Hmm, I didn't know about this program. So how can we use it to gain root privileges?
Well, according to the output, teehee copies standard input to a file and can append to it. So we can append a user with root's UID to the /etc/passwd file. First let's cat /etc/passwd to see the format.
All we need to do is change the username and remove the x. The x is a placeholder for the password, which is stored in /etc/shadow. is a good article on /etc/passwd.
Yes!! We have rooted another machine in this series.
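Since the escalation above works by appending a line to /etc/passwd, the matching defensive check is a small audit of that file's format. The following Python is an added example, not from the original write-up: it parses constructed /etc/passwd lines into the seven colon-separated fields the text refers to and flags a second UID-0 account, an empty password field (the missing x), a duplicate UID, a password hash stored in the passwd file itself instead of /etc/shadow, and malformed lines. The sample entries, including the user names, are constructed for the example.

```python
# Constructed /etc/passwd sample (not from the original page). The last line is
# the kind of entry the write-up describes: a second UID-0 account with an
# empty password field instead of the usual "x".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1000:1000:jim:/home/jim:/bin/bash
charles:x:1001:1001:charles:/home/charles:/bin/bash
sam:x:1002:1002:sam:/home/sam:/bin/bash
toor::0:0:toor:/root:/bin/bash
"""


def parse_passwd(text):
    """Split passwd text into 7-field entries; return (entries, malformed_lines)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        # name:password:uid:gid:gecos:home:shell, with numeric uid and gid
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append({
            "line": lineno, "name": name, "password": pw,
            "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell,
        })
    return entries, malformed


def audit_passwd(text):
    """Return a list of (kind, lineno, account) findings for suspicious entries."""
    entries, malformed = parse_passwd(text)
    findings = [("malformed", lineno, line) for lineno, line in malformed]
    owner_of_uid = {}
    for e in entries:
        # Only root should hold UID 0; any other UID-0 account is a backdoor candidate.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra_uid0", e["line"], e["name"]))
        if e["password"] == "":
            # An empty field means no password is required for this account.
            findings.append(("empty_password", e["line"], e["name"]))
        elif e["password"] not in ("x", "*") and not e["password"].startswith("!"):
            # "x" points to /etc/shadow, "*" and "!..." lock the account; anything
            # else is a hash sitting in a world-readable file.
            findings.append(("hash_in_passwd", e["line"], e["name"]))
        if e["uid"] in owner_of_uid:
            findings.append(("duplicate_uid", e["line"], e["name"]))
        else:
            owner_of_uid[e["uid"]] = e["name"]
    return findings


if __name__ == "__main__":
    for kind, lineno, account in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {kind} ({account})")
```

Run against a real host as `audit_passwd(open("/etc/passwd").read())`; a clean file returns an empty list, and the constructed sample reports all three problems on the appended line. In practice this belongs next to file-integrity monitoring of /etc/passwd and /etc/sudoers, since the write-up's sudo rule for teehee is what made the append possible in the first place.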