you can download it here: http://www.five86.com/downloads/DC-4.zip
use nmap to discover the target:
check port 80:
a simple login page, tried sqli, but seems not vulnerable to sqli, try brute force authentication.
admin : happy
apparently this is a command injection.
get a reverse shell and make it interactive
there are four users with bash right(inclusive root)
check jim’s home directory
there is a bash file with suid set, but if I modify it, the suid will be gone, useless.
try these passwords on root,charles,jim,sam
login to the opensshd server
stucked here for a while, notice that mbox is a mail, check /var/mail
another credential, su charles
charles can execute teehee as root without password, try out teehee
“Copy standard input to each FILE, and also to standard output.” seems like a text editor, which can only append content, but not modify original content
try using teehee to add one line to /etc/sudoers
echo "charles ALL=(ALL) NOPASSWD:ALL" | sudo teehee -a /etc/sudoers