You can download the VM here: https://www.vulnhub.com/entry/digitalworldlocal-development,280/

Use nmap to discover the target:

nmap -p 1-65535 -T4 -v 192.168.227.0/24

Check the web service on port 80.

Use dirb to scan for sensitive directories and files.

Check its development directory.

Download test.pcap and load it in Wireshark.

Next, look at the /developmentsecretpage/ directory.

Googling “slogin_lib.inc.php” for a relevant vulnerability turned up https://www.exploit-db.com/exploits/7444, and it turned out that /slog_users.txt is available:

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98

Using Google to crack the hashes recovered three of them:

intern:12345678900987654321
patrick:P@ssw0rd25
qiu:qiu

I tried logging in with these credentials and succeeded with intern’s.

The login lands in a restricted shell with limited commands, which is easily escaped using the following command:

echo os.system("/bin/bash")

There was nothing more that intern could do.

I tried the recent CVE-2019-7304, but it failed.

Path 1

Tried to su to patrick and succeeded.

Check the sudo configuration.

OK: sudo vim, then !/bin/bash, gives root.
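An added example, not part of the original write-up: a defender-side check for the misconfiguration used above, a sudo rule that grants an editor such as vim. It scans sudo -l output for rules allowing shell-capable binaries; the sample listing, the binary list and the function name are constructed for illustration.

```python
import os
import re

# Binaries that can start a shell from inside; illustrative, not exhaustive.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "awk", "find",
                 "python", "python3", "perl", "ruby", "bash", "sh"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudo_listing(listing):
    """Return (runas, command, reason) for each risky rule in `sudo -l` output."""
    findings = []
    for line in listing.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header, Defaults and blank lines
        nopasswd = False
        for cmd in rule.group("rest").split(","):
            cmd = cmd.strip()
            tags = TAGS.match(cmd)
            if tags:  # a tag stays in effect for the rest of the rule
                names = re.findall(r"[A-Z_]+", tags.group(0))
                nopasswd = (nopasswd or "NOPASSWD" in names) and "PASSWD" not in names
                cmd = cmd[tags.end():]
            if not cmd:
                continue
            if cmd == "ALL":
                reason = "any command allowed"
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
                reason = "shell-capable binary"
            else:
                continue
            if nopasswd:
                reason += ", no password required"
            findings.append((rule.group("runas"), cmd, reason))
    return findings


# Constructed sample shaped like `sudo -l` output; not taken from the target.
SAMPLE = """\
User patrick may run the following commands on development:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/nginx -s reload, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    print(*audit_sudo_listing(SAMPLE), sep="\n")
```

A rule that pins arguments, like the less entry in the sample, is still flagged, because the pager can start a shell once it is running.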

Path 2

Tried CVE-2018-18955 and succeeded.