Post

DC 5

Posted Updated
DC-5 Machine 🖥️
DC-5 Machine 🖥️
By Shivendra Prajapati 3 min read

Description ⤵️

💡 DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).
As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.
And just for the record, there is no phpmailer exploit involved. :-)
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I would not give you the answer, instead, I’ll give you an idea about how to move forward.
But if you’re really, really stuck, you can watch this video which shows the first step.
TECHNICAL INFORMATION
DC-5 is a VirtualBox VM built on Debian 64 bit, but there should not be any issues running it on most PCs.
I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.
IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there should not be any problems, but I feel the need to throw this out there just in case.
CONTACT
I’m also very interested in hearing how people go about solving these challenges, so if you’re up for writing a , please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you’ve DM’d me if you’d prefer).
I can be contacted via Twitter - @DCAU7

Let’s find the IP Address first »

lftoqyl5.bmp

1

IP → 10.0.2.11

Port Scan Results ➡️

awk4kykf.bmp

1
2
3
4

OPEN PORTS >
80    HTTP
111   RPC
35572 RPC

Web Enumeration ⤵️

9wv0k6r4.bmp

Now I have LFI on page thankyou.php →

np0rhfng.bmp

Now I have to look for changes into the program so I have to access log now and the path for this is →

/var/log/nginx/access.log

159-5.png

Now lets try reverse shell code →

I got in with nc command →

159-6.png

SHELL →

I checked the SUIDS file first →

159-8.png

Now lets find the exxploit about screen as it is common known vulnerability →

159-9.png

Lets try it out now →

159-11.png

Here is the flag ⤵️

159-12.png

Summery Notes ⤵️

→ LFI on thankyou.php

→ Screen 4.5.0 exploit

→ Root

If you have any questions or suggestions, please leave a comment below. Thank You !

Proving Grounds Play, DC
LFI SUIDs Screen 4.5.0 PrivEsc DC
This post is licensed under CC BY 4.0 by the author.