Sunday, December 18, 2016

Vulnhub Walkthrough: DC416 Dick Dastardly


Capture all 4 flags in flag{} format

An initial nmap scan reveals SSH on 22, a web server on 80 and IRC on 6667

Running dirb against the site shows two separate index pages, index.html and index.php

index.html is the default DC416 rules

index.php shows a guestbook and login area

While proxying the site through Burp Suite to attempt a SQLi attack, flag 1 is revealed


With no known credentials, I set up Burp to run a SQLi attack

After a short while, a payload of ' or 0=0 # is revealed and shows admin is logged into the site

Using the SQLi payload on index.php, the admin.php page is revealed

With three options, I decide to act on all of them. Adding my IP to the IRC whitelist simply refreshes the page, but Burp shows a POST to activate

I add a simple supybot owner with username yoyo and password 1234

After adding a user, I activate supybot

Knowing the IRC port is open, I attempt to connect using irssi with the /connect command, and it's successful

No channels or users are known, so I send a /list command, which reveals the channel #vulnhub

Joining the channel reveals the user vulnhub-bot

Using the added username yoyo, I message the bot with /msg vulnhub-bot user identify yoyo 1234 and it's successful

Running list reveals various commands that can be run, including unix shell, which allows system access; a directory listing reveals flag 2


Being able to run system commands, I attempt a reverse shell...

...and it's successful

Some initial file enumeration shows that a file, xss.js, stores the credentials for the admin.php page


Some additional enumeration, running crontab -l, shows the mysql root credentials


Using the mysql credentials reveals nothing special

Additional enumeration by running ps -aux reveals an interesting ping command being run as root with a pattern (-p) option

After running ps -aux several more times, it seems that the pattern changes every so often

On a whim I start Wireshark and notice ICMP traffic from the system. Filtering the traffic to ICMP only reveals the ping pattern seen in ps -aux. Each packet carries text data which, when put together, reveals flag 0
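The ICMP payload trick above is worth having a detector for, since the same channel carries data out of any host where ping runs. The following is an added example, not part of the original walkthrough: it parses raw IPv4/ICMP echo-request frames, finds the shortest repeating unit of each payload (which is how ping -p fills the data), and joins the distinct printable units in the order seen. The packets it runs on are constructed inside the block with checksums left zeroed and no timestamp prefix; the skip argument is for captures where a ping build prepends one.

```python
import struct

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII; ping -p text chunks are all-printable


def ipv4_icmp_payload(frame: bytes):
    """Return (icmp_type, seq, data) for an IPv4/ICMP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 1 or len(frame) < ihl + 8:  # protocol 1 = ICMP, 8-byte ICMP header
        return None
    icmp = frame[ihl:total_len]
    return icmp[0], struct.unpack("!H", icmp[6:8])[0], icmp[8:]


def repeating_unit(data: bytes) -> bytes:
    """Shortest unit whose repetition reproduces data (how ping -p fills the payload)."""
    for k in range(1, len(data) + 1):
        if all(data[i] == data[i % k] for i in range(len(data))):
            return data[:k]
    return data


def extract_covert_text(frames, skip=0):
    """Join distinct printable ping -p units from echo requests; skip drops leading bytes."""
    chunks = []
    for frame in frames:
        parsed = ipv4_icmp_payload(frame)
        if parsed is None or parsed[0] != 8:  # 8 = echo request
            continue
        data = parsed[2][skip:]
        unit = repeating_unit(data)
        # a stock ping payload (0x10, 0x11, ...) never repeats, so only short printable units count
        if unit and len(unit) < len(data) and all(b in PRINTABLE for b in unit):
            if unit.decode() not in chunks:
                chunks.append(unit.decode())
    return "".join(chunks)


def make_echo_request(pattern: bytes, seq: int, data_len: int = 48) -> bytes:
    """Constructed sample packet: minimal IPv4 header + ICMP echo request, checksums zeroed."""
    data = (pattern * (data_len // len(pattern) + 1))[:data_len]
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + icmp


# constructed capture: three ping -p runs carrying one chunk each, plus one stock ping payload
SAMPLE = [make_echo_request(b"flag{", 1), make_echo_request(b"flag{", 2),
          make_echo_request(b"demo-", 3), make_echo_request(b"text}", 4),
          make_echo_request(bytes(range(0x10, 0x40)), 5)]
```

On a real capture, feed the same function the raw IPv4 frames read from a pcap (strip the link-layer header first); a non-empty result from a host that should only be sending stock pings is the alert condition.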





So now I have only one flag left, as they apparently started at zero :)

Additional enumeration shows that the current user, rasta, can sudo as vulnhub with no password for a specific command

Running the command reveals nothing as it's a limited shell. After many attempts, the letter q actually quits the program and reveals the menu

Option 1 reveals the user, which is vulnhub. Option 2 didn't do anything at first, but after several attempts it seems you have to specify the directory you would like listed. This reveals that /home/vulnhub holds the last flag

Option 3 actually holds coffee :)

After several failed attempts, I found the correct way to reveal flag 3



  1. I've added my IP to the whitelist and created an account with admin/test. But I have a problem connecting the supybot with irssi:
    after I started irssi, I issued the command /connect, and it told me
    [(status)] /connect
    18:10 [ExampleNet2] -!- Irssi: Connection to established

    No more message came out, I sent another command /list, it gave me this message:
    18:13 -!- Irssi: Not connected to server

    could you please tell me what's wrong?

    1. Created an account. What can you do with that?