Saturday, November 6, 2021



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine DC-9 from the VulnHub pentesting platform.

- DC-9 can be downloaded from here:,412/

- Once DC-9 is downloaded and extracted with VirtualBox:


- IP for DC-9 is

- Scanning with Nmap, port 22 is filtered and port 80 is open:

- Checking the web server:

- Going to Manage:


- Let's explore the form Search, intercepting with Burp and saving it:

- Forms are prone to Injection Attacks, so let's use the saved item with Sqlmap to find a vulnerable injection point:

- Looking for databases we find Staff and users:

- Dumping all from Staff we find passwords and usernames:

- Same thing with database users:

- Decrypting admin's password:

- Logging in with admin:transorbital1:

- The footer message File does not exist suggests that the include function is being used, so maybe there is an LFI vulnerability:

- Remembering that the SSH service is filtered (see Nmap output) and going through some configuration files, we find /etc/knockd.conf, which contains an SSH number sequence:

- Using the knock command to unblock access to the SSH service:

- Hydra helps find SSH accounts:

- SSH-ing with janitor:Ilovepeepee:

- Looking for interesting files:

- New credentials:

- Again, Hydra helps find new SSH accounts:

- SSH-ing with fredf:B4-Tru3-001:


- Checking fredf's sudoers permissions:

- test is an executable file:

- test takes two files as parameters, appending the content of the first to the second:

- Running it without parameters:

- The strategy for achieving Privilege Escalation will be to create a new user whitelist with root privileges, and to append its record to /etc/passwd with the test executable.

- openssl encrypts whitelist:qwerty:

- Adding username, encrypted password and :0::0::root:/bin/bash so that whitelist has root privileges:

- Appending the encrypted line to /etc/passwd with test:

- Checking that the line has been correctly appended:

- Logging in as whitelist:qwerty, we have a root shell:


- Reading theflag.txt:
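
From the defender's side, the record appended to /etc/passwd in the privilege escalation step leaves clear traces: a second UID 0 account and a password hash stored directly in the passwd file. The following audit script is an added example, not part of the original walkthrough; the sample file content is constructed, the hash is a placeholder, and the function name audit_passwd is hypothetical.

```python
import sys

# Constructed sample in /etc/passwd format (name:passwd:uid:gid:gecos:home:shell).
# The hash on the whitelist line is a placeholder, not a real value.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003::/home/fredf:/bin/bash
whitelist:$1$SALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
oddline:x:0:0:/root:/bin/bash
"""


def audit_passwd(text):
    """Return (line number, account, finding) tuples for suspicious records."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Appended or hand-edited records often have the wrong field count.
            findings.append((lineno, fields[0], "malformed: expected 7 fields"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((lineno, name, "non-numeric UID"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # "x" means the hash lives in /etc/shadow; "!" and "*" mean locked.
            findings.append((lineno, name, "password hash stored in passwd"))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_PASSWD
    for lineno, name, finding in audit_passwd(data):
        print(f"line {lineno}: {name}: {finding}")
```

A finding on any line other than root's own record is worth investigating together with the sudoers rule that allowed a file-appending program to run with root privileges.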