you can download it here: http://www.five86.com/downloads/DC-4.zip

use nmap to discover the target:

1

check port 80:

2

a simple login page, tried sqli, but seems not vulnerable to sqli, try brute force authentication.

3

admin : happy

apparently this is a command injection.

4

get a reverse shell and make it interactive

5

6

there are four users with bash right(inclusive root)

7

check jim’s home directory

8

there is a bash file with suid set, but if I modify it, the suid will be gone, useless.

try these passwords on root,charles,jim,sam

9

login to the opensshd server

stucked here for a while, notice that mbox is a mail, check /var/mail

10

11

another credential, su charles

12

charles can execute teehee as root without password, try out teehee

13

“Copy standard input to each FILE, and also to standard output.” seems like a text editor, which can only append content, but not modify original content

try using teehee to add one line to /etc/sudoers

14

1
echo "charles ALL=(ALL) NOPASSWD:ALL" | sudo teehee -a /etc/sudoers

15