DC-4

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

http://www.five86.com/dc-4.html

Walkthrough

nmap

default 80, seems like we need to log in as admin :)

dirb doesn’t reveal much

decide to specify file type and some more results show up

checking command.php in repeater with a post method, we see we can list files. however, we need to be logged in to do so.

insert a lot of time wasted on wfuzz, sql injections, gobuster, hydra, nmap, and more enumeration. started some googling and didn’t know you could use hydra to post to http forms. this post helped.

lots of trial and error for the hydra commands/options, but found one that finally worked

login works and we try out the command to list files

checking request in burp repeater we see where we need to update

with that /etc/passwd is readable and several usernames are found

checking all users' home directories, there is a backup passwords file

seems like the list can be used as a password list, so we build one

hydra used with jim, password is found and ssh is successful

find a suid bash script, but it’s nothing. mail file isn’t much, however…

got to thinking that maybe /var/mail holds…and there’s a message with password for charles

su as charles and we can sudo program teehee with no password. assumption teehee is really just tee, some testing

some googling and it seems tee can be used within vi, so we add charles to the sudo group using vi and sudo teehee. good post on it here

checking the change, it worked, and logging out and back in as charles we see he's part of sudo

quick sudo gives root flag
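
from the defending side, the passwordless sudo rule for teehee is the kind of entry a review by command name misses, since the binary only behaves like tee. an added example (not from the original post) that lists NOPASSWD commands in sudoers text and flags any that are a file-writing utility by name or by content hash. the `FILE_WRITERS` list, the reference directory and the sample sudoers lines are assumptions constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed watch list: utilities that write caller-supplied data to a caller-chosen path.
FILE_WRITERS = ("tee", "cp", "dd")
def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def nopasswd_commands(sudoers_text):
    """Yield (user, command_path) for every command granted under NOPASSWD."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)  # drop the (runas) part
        nopasswd = False  # tags carry over to later commands in the same list
        for item in spec.split(","):
            for tag in re.findall(r"\b([A-Z_]+):", item):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
            cmd = re.sub(r"\b[A-Z_]+:\s*", "", item).split()
            if nopasswd and cmd:
                yield who.split()[0], cmd[0]

def audit(sudoers_text, reference_dir):
    """Flag NOPASSWD commands that are, by name or by content, a file writer."""
    known = {digest(p): p.name for p in Path(reference_dir).iterdir() if p.name in FILE_WRITERS}
    findings = []
    for user, cmd in nopasswd_commands(sudoers_text):
        name = Path(cmd).name
        if name in FILE_WRITERS:
            findings.append((user, cmd, f"file writer: {name}"))
        elif Path(cmd).is_file() and digest(cmd) in known:
            findings.append((user, cmd, f"renamed copy of {known[digest(cmd)]}"))
    return findings

def demo():
    """Constructed sample: a stand-in 'tee' file and an identical copy named 'teehee'."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("tee", "teehee"):
            Path(tmp, name).write_bytes(b"constructed stand-in for the tee binary")
        sudoers = f"root ALL=(ALL:ALL) ALL\ncharles ALL=(root) NOPASSWD: {Path(tmp, 'teehee')}\n"
        return [(u, Path(c).name, why) for u, c, why in audit(sudoers, tmp)]

if __name__ == "__main__":
    print(demo())
```

on a real host, point `reference_dir` at a directory holding the distribution's own copies of the watched utilities and pass in the contents of `/etc/sudoers` plus any files under `/etc/sudoers.d`.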

Written on April 23, 2019