- Published on
Vulnhub - DC 8
Today, We are going to pwn DC 8 by DCAU7 from Vulnhub
Description
DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This challenge is a bit of a hybrid between being an actual challenge, and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited. The "proof of concept" portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42. The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag. You probably wouldn't even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it's definitely there and doing it's job. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools. For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
Download Link : https://www.vulnhub.com/entry/dc-8,367/
Lets Begin our Nmap Scan
Nmap Scan Results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 08:00:27:4B:B7:5B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP
It is a DrupalCMS
While checking the webpage , this look odd /?nid=
So I tried passing some other id's and it shows some SQL error 
SQL Injection
Lets run our SQLmap
It showed us that there are 2 available databases in the target machine which are:
1.d7db
2.information_schema
Lets see whats in the database of d7db
-D DB DBMS database to enumerate
--tables Enumerate DBMS database tables
We found a table named ‘users’.
-T TBL DBMS database table(s) to enumerate
It looks like there are some name and pass so lets dump them!.
We found users and hashes
Users - admin,john
Lets try crack them using john
We found a password turtle
I logged in with john:turtlebr/ 
Getting Shell
Now its time to get Reverse shell. I figure out that we need to edit the form-setting and change the text format to php code 
Once I submitbr/ 
Listening on my machine , I got the shellbr/ 
Privilege Escalation
I uploaded my Linux Enumeration Script Found some SETUID Bit 
br/ Where exim4 is unusual
Searchsploit shows lot of exploits br/ 
so lets check its versionbr/ 
And Found an exploit for that version
I uploaded it in the victim machine and tried running it but it shows some bad interpreter so i googled about it
Lets try this
sed -i -e 's/\r$//' script.sh
It worked
We Got Root!