DC-2

https://www.vulnhub.com/entry/dc-2,311/

As usual we start with an nmap scan.

Port 80 and 7744 are open.

SSH on 7744? Interesting. Let's check out the website on port 80 first.

Pretty standard looking site. Hmm, what's that Flag directory?

Found the first Flag! Like DC-1 there are five flags to be had.

"you need to be cewl" hmm.

cewl is a custom wordlist generator that is installed in Kali.

I'm not going to put the output of cewl here as it is lengthy; I will simply put the command I ran.

cewl -w plist.txt dc-2

So we have a password list. Now we need users.

Back to nmap!

nmap -A -p 80,7744 10.6.6.19 --script=vuln

This command gave me 3 usernames. I put the usernames in users.txt.

I also ran dirb http://10.6.6.1 to see what directories there are, and wp-admin came up, so that is our way in.

Next I ran wpscan -U users.txt -P plist.txt --url http://dc-2/ to match up usernames and passwords.

Well I can't give everything away!

Now we can login to wp-admin.

I first logged in with tom but didn't find any flags. I then logged in with jerry and found flag 2.

OK, let's start up msf and get flag 3. Well, wait... another entry point? SSH was open. Password reuse perhaps?

Tried jerry and he is not reusing passwords.

Did get in with ssh tom@10.6.6.19 -p 7744 though. Nice! We have a shell.

So the first thing I tried was to cat flag3.txt. Well, cat isn't installed. Good ol' vi it is then.

Flag 3

What's interesting about this machine is that you are in a restricted shell.

After doing a bit of research on restricted shells I found that tom can run the less command. Tom can also read jerry's home directory, which contains flag4.txt.

Flag 4

Alright, on my own from here! To GTFOBins we go.

vi is a little tricky for beginners, so I will walk through what I did and the commands I ran.

First run

vi -c ':!/bin/sh' /dev/null

and press Enter.

Then type

:set shell=/bin/sh

Press Enter and then type :shell

You should now see a $ and a flashing cursor.

After running these commands we need to export the path:

export PATH=/bin:/usr/bin:$PATH

Now we should be able to su jerry as flag 3 suggested and read flag 4.

Flag 4

git outta here? Another hint!

Run sudo -l

Hmm, looks like we can run /usr/bin/git without a password. Let's check out GTFOBins again.

Since we can run git as root without a password, we can abuse the binary to gain a root shell.

sudo git -p help config
!/bin/sh

Nice!
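As an added defensive example (not part of this walkthrough or the DC-2 box): a small Python audit that parses sudoers-format rules and flags any that hand a user a binary with a known shell escape, like the git rule that gave root here. The sample rules and the Finding class are constructed for the demo.

```python
import os
import re
from dataclasses import dataclass

# Binaries that can hand out an interactive shell from inside the program
# (the walkthrough uses git and vi this way; less is the one tom could run).
SHELL_ESCAPE_BINARIES = {"git", "vi", "vim", "less", "more", "man"}

# Constructed sample sudoers rules for the demo; not taken from the DC-2 box.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(ALL) /usr/bin/less
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync, /bin/systemctl status nginx
"""

# user host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    nopasswd: bool

    @property
    def severity(self):
        # No password prompt means the escape is one command away from root.
        return "critical" if self.nopasswd else "high"

def audit_sudoers(text):
    """Return one Finding per sudo rule that grants a shell-escape binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(m.group("user"), cmd, nopasswd))
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} may run '{f.command}' via sudo"
              f"{' without a password' if f.nopasswd else ''}")
```

Run it against a copy of /etc/sudoers (and /etc/sudoers.d/*) to spot rules like the one on this box before an attacker does.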

For more on restricted shells see https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html

To learn more about vi there are a lot of great videos on YouTube, or see this website https://vitux.com/working-with-vi-editor-in-linux/

I suggest learning at least the basics of vi, as that may be the only text editor on a Linux machine.
