VulnHub DC: 2 Walkthrough

We went through DC: 1 not too long ago, and now VulnHub has DC: 2 – DC: 6 up to play with. DC:2 is another beginner-oriented box that has some good techniques to play with.

If you want to see a video walkthrough, you can find that here.

We start off with our usual Nmap scan: nmap -sV -sC -v 192.168.2.109 -oN map1

dc2-1

Here we have one open web port, with an important message. Because of the redirect, we need to add dc-2 to the /etc/hosts file.

dc2-2

Let’s check out the website now.

dc2-3

It’s WordPress! Let’s look at the Flag tab.

dc2-4

This is a pretty big hint. Cewl will crawl a website and generate a list of passwords from it. It’s also indicating that at least two users accounts can be compromised. Let’s run cewl first.

Cewl http://dc-2 -w wlist.txt

You’ll want to use the -w command to create the file instead of redirecting with > otherwise you’ll get the banner in your wordlist as well.

dc2-5

You can see from running cat on the list, that cewl pulled words 3 characters in length or greater. There are other customizations you can do with cewl, but this will serve our purposes just fine. Now we need to get a list of users. It’s time to run wpscan.

dc2-6

At the time of this post, wpscan was broken in the latest update of Kali Linux. Similarly, the Metasploit module for user enumeration broke as well. So, you can either use a previous version of Kali, or do what I did and install wpscan on Ubuntu.

With wpscan, it will do its enumeration and then run the password brute force on the users it enumerates. You can also do it in stages, but I wasn’t expecting this attack to be overly long and cumbersome.

wpscan –url http://dc-2 -P wlist.txt -e

dc2-7

dc2-8

Ok now we’re getting somewhere. We have credentials for two accounts. Logging in with Tom doesn’t yield anything, but Jerry does … Flag 2.

If you didn’t know what the default wordpress login was called, you could have Googled for it, used a scanner like nikto, or a directory brute forcer like gobuster to find it.

Anyway … using the login page at http://dc-2/wp-login.php will get you there.

dc2-9

The flag is indicating that WordPress might be vulnerable but that’s not the only way.

Let’s do another Nmap scan on all the ports and see what we find.

Nmap -p- -sC -sV -v 192.168.2.109 -oN map2

dc2-10

 

Ok, here we see that SSH is open on port 7744.

We can’t login with Jerry, but Tom gets us right in.

dc2-11

We have a problem though. We can see a flag but we’re once again in a restricted bash shell.

dc2-12

This time, unfortunately, SSH is not going to help us with the bypass.

This is where you’ll need to do some research. Start mapping out the commands you can use and cross reference those with rbash bypass techniques that you can find online. Listing available commands with compgen -c can help.

Vi, for example, is a command we have access to and has a shell command built in with :! /bin/bash. This doesn’t work however, but there’s a manual way to do the same thing.

:set shell=/bin/sh

:shell

I found this bypass at https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/ after a quick Google search.

After running vi and setting the command shell escape, we successfully bypass rbash. There’s still and issue, however. Commands still aren’t working.

dc2-13

We can see from looking at our path that it’s still set to the restricted directory.

dc2-14

Let’s set it to a more normal place. The two directories you’ll want to add are /bin and /usr/bin.

export PATH=$PATH:/bin:/usr/bin

dc2-15

Now we can do stuff. Let’s read that flag!

dc2-16

So this is a fairly obvious thing to try regardless of a hint. I mean we already have creds for Jerry so let’s log in as him.

dc2-17

Jerry is apparently not root. Let’s check some sudo permissions.

Sudo -l

dc2-18

Jerry has sudo permission for git. I have a pretty good idea where to go from here but let’s check one thing first. The user home directory might have something interesting.

In the /home/jerry directory was another flag with a final hint. Git is mentioned again and a very subtle hint for gtfobins. https://gtfobins.github.io/

GTFObins has a listing of different compromise techniques based on commands. In this case we’re looking for git.

dc2-20

Yep this looks promising!

dc2-21

What GTFObins is telling us here is that git -p help uses the command less to display the help file. Less has a shell escape similar to what we did with vi. By using sudo, we’re calling less as root and therefore the shell we spawn will also be root.

Let’s try it!

dc2-22

And we’re root!!!

dc2-23

So that was DC: 2. It was fun learning some alternate rbash escapes and it was probably the first time I’d use git to escalate permissions. Once again, you can find a video walkthrough here.

Anyway, I hope you enjoyed the walkthrough.

 

Happy Hacking!

-R3a50n

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s