DC-8 (Pretty interesting Box)

This box is fun; I suppose it was built to cover a proof of concept (2FA), which is good OSCP practice (so I was told by a wise person), so I decided to do this machine. You can download it from DC-8.

Breaching Process 

Finding IP

  • Nmap 

Enumeration

  • Browsing the HTTP service
  • Enumerating directories
  • Found Drupal (tried enumerating the version from CHANGELOG.txt, but that was a dead end)

Exploitation

  • SQL injection
  • Got credentials (hashed password)
  • Cracked the password using John
  • Gained a reverse shell from the contact form (PHP code executed by the server when sending mail)

Privilege Escalation

  • Exploited exim4 to get root (using the proof of concept from Exploit-DB)


Let's breach:

First, scanning the network using nmap. The IP was found to be 192.168.234.135.


While nmap was scanning again, I browsed to the host and found it to be Drupal.

The scan completed, and the result from nmap:



There were not many ports open, but robots.txt was interesting, so I kept that URL in mind.
The contents of robots.txt:



It reminded me of doing hack-os or hack-nos (forgot the name), where the Drupal version was shown at the CHANGELOG.txt URL.

I hit it; the result was:



I believe there was no vulnerability there. But there was a SQL error on the ?nid=1 parameter, which was quite interesting.

From here pretty much all the work was done by sqlmap: dumping every username and password. You just have to wait and watch.
First of all, the database name was shown:
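The injection point above was the nid query parameter and the dumping was done with sqlmap. As an added example (not from the original post), the script below shows the defender's side: it parses constructed Apache access-log lines and flags requests whose nid parameter carries injection markers, or whose user agent is sqlmap's default.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format lines (not real traffic from the box).
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /?nid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /?nid=1' HTTP/1.1" 500 812 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /?nid=1%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /?nid=-1%20UNION%20ALL%20SELECT%20NULL,CONCAT(name,pass)%20FROM%20users-- HTTP/1.1" 200 6000 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"
10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /node/2 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Markers typical of error-, boolean- and union-based probing of a numeric id.
SQLI_MARKERS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),           # union-based extraction
    re.compile(r"(^|\W)(and|or)\s+\d+\s*=\s*\d+", re.I),  # boolean probes
    re.compile(r"\bsleep\s*\(", re.I),                    # time-based probes
    re.compile(r"--\s*$|/\*"),                            # comment terminators
    re.compile(r"'"),                                     # stray quote -> SQL error
]

def classify(line, watched=("nid",)):
    """Return findings for one access-log line, or [] if nothing looks suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    if m["ua"].lower().startswith("sqlmap"):
        findings.append("sqlmap user-agent")
    query = parse_qs(urlparse(m["path"]).query, keep_blank_values=True)
    for param in watched:
        for value in query.get(param, []):   # parse_qs already URL-decodes
            if any(p.search(value) for p in SQLI_MARKERS):
                findings.append(f"sqli-pattern in {param}={value!r}")
    return findings

def scan(log_text):
    """Map each suspicious line number (1-based) to its list of findings."""
    report = {}
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        hits = classify(line)
        if hits:
            report[number] = hits
    return report
```

Running scan(SAMPLE_LOG) flags lines 2, 3 and 4; the first benign request and the /node/2 request produce no findings.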





and then the usernames and passwords. However, there was a huge amount of information dumped; I scrolled up and up and finally found them.




The hashed password was cracked with John. I copied the hash into hash.txt and fired up John; that's it, the hash was cracked in a second.


Here, for the login page, refer back to the robots.txt output.

Then I logged in to the Drupal panel using the credentials.

Boom, that was it, I got logged in.



I had read a blog post explaining that having credentials gives permission to execute code (PHP) and eventually get a reverse shell.

Now let's begin.
From Pentest Monkey you can get the PHP reverse shell.

Change the IP and port:





and then set it as PHP code (we are sending a mail, and that mail body will be executed as code, giving us a reverse shell).


Then save the configuration:


After saving, a "form has been updated" box will appear as below:



Click on View, then fill in random text to send the email.




nc -lvp 3333

Start the listener on your machine with the command above, then click Submit.
You will get a reverse shell.


Now we are on the server as www-data. The remaining part is to get root access.

Spawning bash from Python is a better option if you want a proper shell.

Is there any privilege escalation? I checked which binaries have permission to run as root,
and
found exim4, but I didn't know much about exim4 (first time I had heard of it).




Googling it, I found a pretty interesting vulnerability.

JUST WOWWWWW




Now I had to get it onto the box and run it, then boom, I would get root. It was well documented; anybody with programming skills can get their hands dirty with this exploit pretty fast.
So, without wasting time, I went for the hunt.
I downloaded the exploit as exploit.sh
and fired up a Python web server:



wget was working on the victim machine.
I downloaded it into the /tmp directory,
then gave it executable permission.


As the script said, give it permission and then run the command:

./exploit.sh -m setuid


and after that command finishes, run:

./exploit.sh -m netcat

Then id. Wow, that's it,
we got root.


Then head to the root directory, and
boom, the flag is there.



Happy hacking :)
