Vulnhub DC: 2 Walkthrough

    I'm not critiquing the author because they are awesome!  However, I would say that dc-3 seems easier than dc-2 and if someone were to do these in order, this one would be later, not sooner.  That being said, I believe dc-6 was also easier and dc-5 is on my weekend list because it is different than the others.  Or perhaps at first glance, I missed something obvious with dc-5.  Time will tell.  

    This machine was cool and it would definitely make a beginner think outside of the box.  It incorporates tools and technologies that you might not see every day.  I'm obviously trying not to spoil anything, in case someone is here just looking for a hint.

    All I'm saying though is my collection looks good but it's missing one more:





    Kicking off with Nmap:





    We find a web port open and even though it's redirecting to a name, I did not need to add the name to my hosts file.

    Firing up Nikto:





    We see WordPress hints. 

    Moving to the browser:





    We find a WordPress site.  I'm not hunting for flags and I don't know how many exist, but a few crossed my path and I snagged them by coincidence.  That being said, these flags contain hints, and since they did lay out a path, perhaps I got them all.

    Flag numero uno:





    Cewl is a wordlist creation tool.  We'll get to that in a moment. 

    First:





    Nothing interesting. 

    Moving to WPScan:





    Again, not much.

    Enumerating users:





    The output is lengthy, but eventually we get to the users:






    Now that we have something to brute-force, let's create that wordlist:





    -d = depth, 5 levels
    -m = word length, minimum 4 characters

    Now we're going to put our three users into a users.txt file and brute-force them with our newly created wordlist:





    Once again, a lengthy output and finally:





    We get a couple of passwords. 

    Logging in as jerry:





    When we are logged in:





    We see that we are unable to upload anything. 

    We do find another flag though:





    Viewing the page:





    I'm thinking password reuse and I move to SSH:





    When I get in, I'm in jail. 

    Checking out my environment:





    I have access to vi which means I can break out:





    Once in vi, we run :set shell=/bin/bash





    Then, we can execute :shell





    When we get out of jail, we test that we are really out with cd.  Once we confirm we are truly out, we add a normal PATH variable.

    Grabbing some flags:





    In the other flag:





    We get a hint.  With the password we retrieved from WordPress, we switch to the Jerry account:





    When we run sudo -l, we see we are able to run /usr/bin/git without a password.
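    As an added defensive check that is not part of the original walkthrough: the finding above is a NOPASSWD grant on a binary that can hand the caller a shell, and that is something an administrator can audit for before an attacker does.  The sudoers fragment, user names and paths below are constructed for this example to mirror the DC-2 setup.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a sudoers file for
# NOPASSWD grants on binaries that can drop the caller into a shell, which is
# the git-as-root misconfiguration found on this box.

# Constructed sudoers fragment. The user names and paths are assumptions for
# this example, chosen to mirror the DC-2 finding.
SUDOERS_SAMPLE='# User privilege specification
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(ALL) /usr/bin/apt-get
%admin  ALL=(ALL) NOPASSWD: /usr/bin/vi'

# The same fragment with the risky grants removed, for comparison.
CLEAN_SAMPLE='root    ALL=(ALL:ALL) ALL
tom     ALL=(ALL) /usr/bin/apt-get'

# Editors and pagers can spawn a shell from inside themselves; git invokes a
# pager and an editor, so it inherits the same problem. "NOPASSWD: ALL" is
# flagged as well.
RISKY_RE='(/(vi|vim|git|less|more)([[:space:]]|,|$)|NOPASSWD:[[:space:]]*ALL([[:space:]]|$))'

# risky_sudo_entries SUDOERS_TEXT
# Prints every non-comment line that grants NOPASSWD on a risky binary.
risky_sudo_entries() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep 'NOPASSWD' \
        | grep -E "$RISKY_RE"
}

# count_risky_sudo_entries SUDOERS_TEXT
# Prints the number of such lines (0 when the file is clean).
count_risky_sudo_entries() {
    risky_sudo_entries "$1" | grep -c '' || true
}

# Fix: remove the grant with visudo, or require a password and expose only a
# non-interactive wrapper script instead of the raw binary.
count_risky_sudo_entries "$SUDOERS_SAMPLE"   # prints 2
risky_sudo_entries "$SUDOERS_SAMPLE"
count_risky_sudo_entries "$CLEAN_SAMPLE"     # prints 0
```

    Run it against /etc/sudoers and the files under /etc/sudoers.d on a real host; any line it prints is a candidate for the same breakout shown next.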





    Similar to what we did with vi, we're going to see if we can break out of git into a shell running as root:





    With /usr/bin/git running on behalf of root, now the breakout:





    Once we're out:





    We are #root

    Snagging the final flag.  



    © 2020 sevenlayers.com