Vulnhub vulnerable machines
Today, I will share with you another writeup for a newly published Vulnhub VM. The vulnerable VM is DC-2 and you can download it from the following URL: https://www.vulnhub.com/entry/dc-2,311/
In this article you will learn the following:
- Using nmap to find open ports and running services
- Using the cewl tool to generate a password list
- Enumerating WordPress using WPScan
- Performing a full port scan using nmap
- Escaping a restricted shell
- Editing the PATH environment variable
- Privilege escalation using the git tool
The first thing to do after powering on the machine is to get its IP address, so I ran an nmap ping scan over the whole network range. The IP address is 10.0.2.6.
After that, I performed a port scan on the target machine and found only one open port among the 1000 most common ports: the HTTP port (80).
Browsing to the IP in Firefox, I found that the web server hosts a WordPress website, and the home page links to a page titled “Flag”.
Visiting this page, I found a hint to use the cewl tool, which generates a password list from the words found at a given URL.
So, I used this tool to generate a password list from the website and saved the list in a file called passwords.txt.
After scanning the WordPress website with the wpscan tool and enumerating its users, I found that there are three users on it (admin, jerry, and tom).
So, I saved those users in a file called users.txt and then used wpscan to brute-force the WordPress logins with the passwords.txt and users.txt lists.
The tool returned the following credentials:
jerry – adipiscing
tom – parturient
I used them to log in to the WordPress admin area and did not find any vulnerable plugin or theme. But while enumerating the admin area, I found an unpublished page called “Flag 2”. Viewing this page, I found a hint not to exploit WordPress.
So, I decided to perform a full port scan of the target machine with nmap and found another open port (7744), which runs an SSH service.
So, I tried to log in to this SSH service using the extracted credentials and succeeded. But I could not run any Linux command, because the shell is a restricted shell. So, I tried to escape it using the vi editor.
Again, after escaping the restricted shell, another error appeared. So I checked the PATH environment variable and found that the directories holding the Linux commands were not on it. So, I added them.
When I read the content of flag3.txt I found a hint to switch user to jerry. So I switched to that user and read the flag4.txt file, which gave me another hint to use the git tool.
Using the sudo command, I found that this user (jerry) can run the git command as the root user without needing a password. So, I used it to escalate my privileges to root as follows:
In the end, I got root privileges and could read the content of the final-flag.txt file.
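The root-level finding here is a sudoers rule, so as an added example (not part of the original writeup) the script below audits sudoers-syntax rules for NOPASSWD grants of ALL or of binaries that can reach a shell, using the two this walkthrough relied on (git and vi) as the starting list. The sample sudoers content is constructed; the jerry line mirrors the DC-2 finding.

```shell
#!/bin/sh
# Added audit example (not part of the DC-2 writeup): flag sudoers rules that
# let a user run, without a password, either ALL or a binary that can reach a
# shell. git and vi are the two such binaries this walkthrough relied on;
# extend RISKY_BINARIES with whatever else your baseline forbids.
RISKY_BINARIES="git vi"

# audit_sudoers: read sudoers-syntax lines on stdin (e.g. cat /etc/sudoers
# /etc/sudoers.d/*) and print "<user>\t<command>" for each risky NOPASSWD grant.
audit_sudoers() {
    awk -v risky="$RISKY_BINARIES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) risk[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }   # comments, blanks, Defaults
        !/NOPASSWD/ { next }                                      # password still required
        {
            user = $1                                # user or %group the rule applies to
            sub(/.*NOPASSWD:[ \t]*/, "")             # keep only the command list
            n = split($0, cmds, /[ \t]*,[ \t]*/)     # a rule may grant several commands
            for (i = 1; i <= n; i++) {
                split(cmds[i], parts, /[ \t]+/)      # drop arguments: "git pull" -> git
                m = split(parts[1], path, "/")       # basename of /usr/bin/git
                base = path[m]
                if (base == "ALL" || base in risk) print user "\t" cmds[i]
            }
        }'
}

# Constructed sample sudoers content; the jerry line mirrors the DC-2 finding.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(root) NOPASSWD: /usr/bin/git pull, /bin/vi
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%wheel  ALL=(ALL) NOPASSWD: ALL'

# count_risky_rules: number of flagged grants in the sample (expected 4:
# jerry git, tom git pull, tom vi, %wheel ALL; alice is not flagged).
count_risky_rules() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real host, pipe the combined contents of /etc/sudoers and /etc/sudoers.d/* into audit_sudoers; an empty result means no rule matched the list.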
The machine is a CTF-style machine and not a real-world scenario, but I think you can learn something new from it.
I hope that you learned something new by reading this article. Do not forget to share it with your friends and give us your feedback in the comments.
Watch for our next walkthrough 😀 ..