Post

DC : 9

Posted Updated
DC-9 Machine 🖥️
DC-9 Machine 🖥️
By Shivendra Prajapati
3 min read

Description ⤵️

💡 DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I would not give you the answer, instead, I’ll give you an idea about how to move forward.
TECHNICAL INFORMATION
DC-9 is a VirtualBox VM built on Debian 64 bit, but there should not be any issues running it on most PCs.
DC-9 has been tested successfully on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.
IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there should not be any problems, but I feel the need to throw this out there just in case.
CREDITS
A big thanks goes out to the members of @m0tl3ycr3w.
CONTACT
I’m also very interested in hearing how people go about solving these challenges, so if you’re up for writing a , please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you’ve DM’d me if you’d prefer).
I can be contacted via Twitter - @DCAU7

Let’s find the IP Address first »

163-1.png

1

IP : 10.0.2.15

Port Scan Results ➡️

163-2.png

1
2
3
4

OPEN PORTS >
80   HTTP
Filtered PORT >
22   SSH (I think I have to open it through knocking ports )

Web Enumeration ⤵️

I will be enumerating port 80 first and I got to this drupal static site.

163-3.png

163-4.png

Now lets deal with search.php file from burpsuite →

163-5.png

Now save this request as results.txt and used Sqlmap Tool to figure out the sqli type and to extract some data →

163-6.png

163-7.png

lets dig deeper →

1
2

command :
sqlmap -r results.txt -D Staff -T Users -

163-8.png

1

admin : transorbital1

163-9.png

163-10.png

After login with admin credentials I got this page → which says file not exist.

163-11.png

I got LFI on welcome.php page.

163-12.png

Now lets check for knocked ports which will open ssh port on /etc/knockd.conf

163-13.png

Lets knock the ports →

1

sudo knock 100.2.16 7469 8475 9842

163-14.png

Now lets check the result with scanning the network again with nmap Tool →

163-15.png

Now lets try hydra for ssh brute-force →

I have saved username , passwords that I got from the sqli →

163-16.png

1
2
3
4
5

chandlerb : UrAG0D!

joeyt : Passw0rd

janitor : Ilovepeepee

SHELL ➡️

163-17.png

I got some new passwords !

163-18.png

Now use this password to ssh again for any other results →

163-19.png

1

fredf : B4-Tru3-001

163-20.png

163-21.png

163-22.png

Since this file is reading the content of a file and writing on another file →

So lets append a password inside the /etc/passwd file →

163-23.png

163-24.png

163-25.png

163-26.png

163-27.png ___

Summery Notes ⤵️

→ Very much hurdle came like sqlmap with request , knocking , test.py

If you have any questions or suggestions, please leave a comment below. Thank You !

Proving Grounds, Play, DC
Password Bruteforce Knocking Ports LFI Sqlmap PrivEsc DC
This post is licensed under CC BY 4.0 by the author.