DC-3

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

http://www.five86.com/dc-3.html

Walkthrough

nmap
alt text

default 80, favicon tells me joomla
alt text

readme confirms and version is 3.7
alt text

quick google we find sqli for this version
alt text

run sqlmap and success, dbs found
alt text alt text

did some other scans to determine user table name

adjust sqlmap to read the users table and we find the columns
alt text alt text

adjust sqlmap again to dump the database table and we find admin hash
alt text alt text

throw hash at john and we find password
alt text

login to joomla as admin
alt text

update index.php of beez3 template with php reverse shell code
alt text

setup our listener and browse to template page and we have reverse shell
alt text

break out of jail for ease
alt text

after much enumeration, i figured kernel exploit was the only thing left. started to google on system info
alt text

after some trial and error, edb 39772 worked
alt text

download, unzip and copy exploit over to be downloaded to victim system
alt text alt text

on victim system we get exploit ready
alt text

run exploit and get root
alt text

root flag
alt text

Written on April 21, 2019
Share on: