🖋️
Cybersecurity Long haul
  • Road to PNPT
  • Book List
  • VirtualBox and OPNsense Setup
    • Installing OPNsense
      • VLAN Setup
        • Configuring OPNsense
          • Interface Configuration
          • Firewall Rules
            • DNS Resolver
              • Import Vulnerable Machine
  • Virtual Hacking Labs
  • VBSetup
  • OSCP Machine List:
  • Vulnhub Walkthroughs
    • Kioptrix 1
    • The Planets
      • Mercury
      • Venus
      • Earth
    • DC Series
      • DC-1
      • DC-2
      • DC-3
      • DC-4
  • HackMyVM
    • Easy
      • Gift
      • Pwned
      • Connection
      • BaseME
      • Hommie
Powered by GitBook
On this page

Was this helpful?

  1. Vulnhub Walkthroughs
  2. DC Series

DC-2

https://www.vulnhub.com/entry/dc-2,311/

PreviousDC-1NextDC-3

Last updated 1 year ago

Was this helpful?

As usual we start with an nmap scan.

SSH on 7744? Interesting. Lets check out the website on port 80 first.

Pretty standard looking site. Hmm whats that Flag directory?

Found the first Flag! Like DC-1 there are five flags to be had.

"you need to be cewl" hmm.

cewl is a custom wordlist generator that is install in kali.

I'm not going to put the output of cewl as it is lengthy, I will simply put the command I ran though.

cewl -w plist.txt dc-2

So we have a password list, Now we need users.

Back to nmap!

nmap -A -p 80,7744 10.6.6.19 --script=vuln

This command gave me 3 usernames. I put the usernames in users.txt

I also ran a dirb http://10.6.6.1to see what directories there are and wp-admin came up so that is our way in.

Next I ran wpscan -U users.txt -P plist.txt --url http://dc-2/ to match up usernames and passwords.

Now we can login to wp-admin.

I first logged in with tom but didn't find any flags. I then logged in with jerry and found flag 2.

Ok lets startup msf and get flag3. Well wait....another entry point? ssh was open. Password reuse perhaps?

Tried jerry and he is not reusing passwords.

Did get in with ssh tom@10.6.6.19 -p 7744 though. Nice! We have a shell.

So first thing I tried was to cat flag3.txt. Well cat isn't installed. Good'ol vi it is then.

Whats interesting about this machine is that you are in a restricted shell.

After doing a bit of research on restricted shells I found that tom can run the less command. Tom can also read jerrys home directory which contains flag4.txt

Alright all on my own! To gtfobins we go.

vi is a little tricky for beginners so I will walk through what I did and the commands I ran.

First run 

vi -c ':!/bin/sh' /dev/null

and press Enter.

Then type 

:set shell=/bin/sh

Press enter and then type :shell

You should now see a $ and a flashing cursor.

After running these commands we need to export the path:

export PATH=/bin:/usr/bin:$PATH

Now we should be able to su jerryas flag3 suggested and read flag4.

git outta here? Another hint!

run sudo -l

Hmm looks like we can run /usr/bin/git without a password. Lets check out gtfobins again.

Since we can run git without a password we can exploit the binary and gain a root shell.

sudo git -p help config
!/bin/sh

Nice!

I suggest learning at least the basics of vi as that may be the only text editor on a linux machine.

For more on restricted shells see

To learn more about vi there are a lot of great videos on youtube or see this website

https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html
https://vitux.com/working-with-vi-editor-in-linux/
Logogit | GTFOBins
Port 80 and 7744 are open.
Well I can't give everything away!
Flag 3
Flag 4
Flag4
https://gtfobins.github.io/gtfobins/vi/