Vulnhub DC: 2 Walkthrough

    I'm not critiquing the author because they are awesome!  However, I would say that dc-3 seems easier than dc-2 and if someone were to do these in order, this one would be later, not sooner.  That being said, I believe dc-6 was also easier and dc-5 is on my weekend list because it is different than the others.  Or perhaps at first glance, I missed something obvious with dc-5.  Time will tell.  

    This machine was cool and it would definitely make a beginner think outside of the box.  It incorporates tools and technologies that you might not see every day.  I'm obviously trying not to spoil -- if someone is here just looking for a hint.  

    All I'm saying though is my collection looks good but it's missing one more:

    Kicking off with Nmap:

    We find a web port open and even though it's redirecting to a name, I did not need to add the name to my hosts file.

    Firing up Nikto:

    We see WordPress hints. 

    Moving to the browser:

    We find a WordPress site.  I'm not hunting for flags, I don't know how many exist, but a few crossed my path and I snagged them by coincidence.  That being said, these flags contain hints and since it did create a path, perhaps I got them all. 

    Flag numero uno:

    Cewl is a wordlist creation tool.  We'll get to that in a moment. 


    Nothing interesting. 

    Moving to WPScan:

    Again, not much.

    Enumerating users:

    A lengthy output, eventually we get to users:

    Now that we have something to brute, let's create that wordlist:

    -d = depth, 5 levels
    -m = word length, minimum 4 characters

    Now we're going to put our three users into a users.txt file and we're going to brute them with our newly created wordlist:

    Once again, a lengthy output and finally:

    We get a couple of passwords. 

    Logging in as jerry:

    When we are logged in:

    We see that we are unable to upload anything. 

    We do find another flag though:

    Viewing the page:

    I'm thinking password reuse and I move to SSH:

    When I get in, I'm in jail. 

    Checking out my environment:

    I have access to vi which means I can break out:

    Once in vi, :set shell=/bin/bash

    Then, we can execute :shell

    When we get out of jail, we test that we are really out with cd.  We are truly out, so we add a normal PATH variable.

    Grabbing some flags:

    In the other flag:

    We get a hint.  With the password we retrieved from WordPress, we switch to the Jerry account:

    When we get sudo -l, we see we are able to run /usr/bin/git without a password.  

    Similar to what we did with vi, we're going to see if we can break out of git into a shell running as root:

    /usr/bin/git running on behalf of root, now the breakout:

    Once we're out:

    We are #root

    Snagging the final flag.  
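
A defender-side check for the misconfiguration used in the last step, added here as an example and not part of the original walkthrough: it parses sudoers rules and reports any that grant a program able to start a shell, as /usr/bin/git is for jerry. The SHELL_CAPABLE list, the function name and the sample sudoers text are assumptions constructed for illustration.

```python
import os
import re

# Assumption: programs able to start a shell from inside themselves. vi and git
# are the two this walkthrough relies on; the others are added for illustration.
SHELL_CAPABLE = {"vi", "vim", "git", "less", "more", "man"}
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")   # who host = command list
RUNAS = re.compile(r"^\(([^)]*)\)\s*")               # (root) or (ALL:ALL)
TAG = re.compile(r"^([A-Z_]+):\s*")                  # NOPASSWD:, PASSWD:, ...
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return one finding per sudo rule that grants a shell-capable program."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        who, _host, rest = m.groups()
        runas, nopasswd = "root", False  # sudo defaults; both carry along the list
        # Split the command list on commas that are not inside a (runas) spec.
        for item in re.split(r",(?![^(]*\))", rest):
            item = item.strip()
            r = RUNAS.match(item)
            if r:
                runas, item = r.group(1).strip(), item[r.end():]
            while (t := TAG.match(item)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            if item and os.path.basename(item.split()[0]) in SHELL_CAPABLE:
                findings.append({"who": who, "runas": runas,
                                 "command": item, "nopasswd": nopasswd})
    return findings

# Constructed sample, modelled on the rule the walkthrough finds with sudo -l.
SAMPLE = """\
# constructed sudoers fragment
Defaults env_reset
root   ALL=(ALL:ALL) ALL
jerry  ALL=(root) NOPASSWD: /usr/bin/git
backup ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/vi /etc/hosts
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

The parser skips alias definitions and include directives, so aliased commands need to be expanded before auditing.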
