Hacking DC: 2 - Vulnhub

Since this is a continuing series, I'll just dive in.

Service Enumeration

nmap -sS -p- --min-rate=1000 192.168.56.105

There is an unusual service running on port 7744. Let’s use nmap scripts to find out more about it.

nmap -sC -sV -p 80,7744 -oN DC:2.tcpscan 192.168.56.105

Turns out port 7744 is just running SSH. Let's start by enumerating port 80, since SSH itself is unlikely to be vulnerable.

HTTP

Checking the flag, it hints at using cewl to generate a password wordlist from the site's own content.

Before creating the wordlist, let's enumerate users with wpscan.

wpscan --enumerate u --url http://dc-2

Users found: admin, tom, jerry

Let’s create the password wordlist:

cewl -w DC2_wordlist -m 5 http://dc-2

With the wordlist ready and the three usernames saved to users.txt, we can brute-force the login with wpscan to find valid passwords.

wpscan --password-attack wp-login -U users.txt -P DC2_wordlist --url http://dc-2
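What this attack looks like from the web server's side is worth having on hand. The following detection script is an added example, not part of the original write-up or of wpscan: it parses Apache/nginx combined-format access log lines and flags any source IP whose failed POSTs to wp-login.php exceed a threshold inside a sliding one-minute window. The log lines it runs over are constructed for the example (the IPs, timestamps and user agent are invented), and the hint it relies on is that WordPress answers a failed login with a 200 (re-rendered form) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for anything malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_wp_login(rec):
    """A failed wp-login.php POST is answered with 200 (the form is re-rendered);
    a successful one redirects (302) into wp-admin."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200


def detect_login_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for every source IP whose failed wp-login.php
    POSTs exceed `threshold` inside any sliding time `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_failed_wp_login(rec):
            failures[rec["ip"]].append(rec["time"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:  # slide the window forward
                start += 1
            hits = end - start + 1
            if hits > threshold:
                alerts[ip] = max(alerts.get(ip, 0), hits)
    return alerts


def build_sample_log():
    """Constructed sample lines (not captured from DC-2): one host hammering the
    login form with a wordlist, one normal visitor who logs in successfully."""
    lines = [
        f'192.168.56.101 - - [01/Jul/2019:12:00:{2 * i:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 3214 "http://dc-2/wp-login.php" "WPScan v3"'
        for i in range(12)
    ]
    lines.append('192.168.56.50 - - [01/Jul/2019:12:00:05 +0000] '
                 '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append('192.168.56.50 - - [01/Jul/2019:12:00:09 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "http://dc-2/wp-login.php" "Mozilla/5.0"')
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_login_bursts(build_sample_log()).items():
        print(f"ALERT {ip}: {peak} failed wp-login.php POSTs inside one minute")
```

The threshold and window are the tuning knobs: a site with many legitimate users typing passwords wrong will want a higher threshold per IP, and a tool that spreads requests over many seconds is caught by widening the window rather than lowering the count. Rate-limiting or locking the login endpoint behind the same rule is the usual mitigation on the server side.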

Exploitation

ssh tom@192.168.56.105 -p 7744

Logging in as tom works, but the shell is restricted. Before trying to escape it, let's try jerry's credentials. Unfortunately they don't work; maybe jerry isn't allowed to SSH in.

Escaping Restricted Shell (rbash)

Using these commands from GTFOBins we can escape the restricted shell with vi.

vi
:set shell=/bin/sh
:shell

After escaping the shell we need to export the PATH variable again, since the restricted shell left us with a crippled one.

Now that we have a proper shell we can look around. According to flag3 we should su to jerry, and since wpscan already gave us jerry's password we can use it.

In jerry’s home directory there is flag4.txt:

The last line is particularly interesting; maybe there is something we can do with git. Looking around, we can read the .bash_history file.

Jerry had previously run sudo on git. We can confirm whether he has any sudo permissions with sudo -l.

Jerry can run git via sudo with no password. We can abuse this permission to get root with the following command, which makes git open its pager and then drops to a shell from it:

sudo git -p help config
!/bin/sh

We finally get a root shell and we can read the final flag.
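The root cause here is a sudoers rule, not a bug in git: any passwordless sudo grant on a program that opens a pager, an editor or a child process hands over a root shell. The same class of problem is behind the rbash escape above, where an editor the restricted user can run is enough to break out. The audit script below is an added example, not part of the original write-up or of the sudo project; it parses sudoers syntax (continuation lines, runas specs, NOPASSWD/NOEXEC tags with their persist-across-the-list semantics) and flags rules of that shape. The sudoers text it runs over is constructed for the example and is not the DC-2 machine's file, and the two lists of shell-capable binaries are a constructed starting point rather than an exhaustive inventory.

```python
import os
import re
import shlex

# Constructed starting lists (not exhaustive): extend from your own inventory.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby", "php"}
SPAWNS_CHILDREN = {"git", "vi", "vim", "nano", "less", "more", "man", "find", "awk"}

ALIAS_OR_DEFAULTS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def _logical_lines(text):
    """Join backslash continuations and drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_sudoers(text):
    """Return a list of (who, runas, tags, command) tuples, one per command spec.
    A tag such as NOPASSWD: applies to the command it precedes and to every later
    command in the same rule until another tag overrides it."""
    rules = []
    for line in _logical_lines(text):
        if line.split()[0].startswith(ALIAS_OR_DEFAULTS):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip()
        tags = set()
        for spec in m.group("cmds").split(","):
            tokens = spec.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
                tag = tokens.pop(0)[:-1]
                if tag == "PASSWD":
                    tags.discard("NOPASSWD")
                elif tag == "EXEC":
                    tags.discard("NOEXEC")
                else:
                    tags.add(tag)
            if tokens:
                rules.append((m.group("who"), runas, frozenset(tags), " ".join(tokens)))
    return rules


def audit(rules):
    """Flag passwordless rules that amount to an unrestricted root shell."""
    findings = []
    for who, runas, tags, cmd in rules:
        if "NOPASSWD" not in tags:
            continue
        if cmd == "ALL":
            findings.append((who, cmd, "NOPASSWD on ALL is passwordless root"))
            continue
        binary = os.path.basename(shlex.split(cmd)[0])
        if binary in INTERPRETERS:
            findings.append((who, cmd, f"{binary} is a shell/interpreter: same as NOPASSWD ALL"))
        elif binary in SPAWNS_CHILDREN and "NOEXEC" not in tags:
            findings.append((who, cmd, f"{binary} spawns a pager/editor/child as root; add NOEXEC or drop the rule"))
    return findings


# Constructed sample, not the DC-2 machine's sudoers file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(root) /usr/bin/systemctl restart apache2
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        NOEXEC: /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for who, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {cmd}: {reason}")
```

NOEXEC works by intercepting exec calls in the sudo-launched process, so it stops git from launching its pager but does nothing for a statically linked binary or for a rule that already grants an interpreter; for those the only fix is to remove the grant or replace it with a narrowly scoped wrapper script.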

Post Exploitation

Looking at the sshd config we see the default port was changed and only tom was allowed to log in over SSH, which is why jerry's credentials failed earlier.
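Two things a defender should take from that config: moving SSH to port 7744 did not hide it from the full port scan at the top of this write-up, and AllowUsers only narrowed who could authenticate, not how. A small checker that reads sshd_config and reports the directives that matter here is added below; it is an example written for this page, not part of the original write-up or of OpenSSH. It reproduces one rule worth knowing: sshd uses the first value given for a directive, so a hardening line appended later in the file is silently ignored, and the checker lists such shadowed lines. The config it parses is constructed for the example and is not the DC-2 machine's file; the assumed defaults (port 22, PasswordAuthentication yes, PermitRootLogin prohibit-password) are those of current OpenSSH.

```python
import re

# Directives whose repeated lines accumulate instead of being ignored.
ACCUMULATING = {"allowusers", "allowgroups", "denyusers", "denygroups", "hostkey", "acceptenv"}


def parse_global_section(text):
    """Walk the global section of sshd_config (everything before the first
    Match block) and return (effective, shadowed).
    effective: {directive: value} using OpenSSH's first-value-wins rule
               (list-valued directives in ACCUMULATING are merged instead);
    shadowed:  [(lineno, directive, value)] for later repeats sshd ignores."""
    effective, shadowed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Port 7744" or "Port=7744"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in ACCUMULATING:
            effective.setdefault(key, []).extend(value.split())
        elif key in effective:
            shadowed.append((lineno, key, value))
        else:
            effective[key] = value
    return effective, shadowed


def summarize(text):
    """Pull out the settings the write-up looked at, applying sshd's defaults
    (assumed from current OpenSSH) where a directive is absent."""
    effective, shadowed = parse_global_section(text)
    return {
        "port": effective.get("port", "22"),
        "allowusers": effective.get("allowusers", []),
        "passwordauthentication": effective.get("passwordauthentication", "yes"),
        "permitrootlogin": effective.get("permitrootlogin", "prohibit-password"),
        "shadowed": shadowed,
    }


# Constructed example, not the DC-2 machine's sshd_config.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not the DC-2 machine's file
Port 7744
PermitRootLogin no
PasswordAuthentication yes
AllowUsers tom
UsePAM yes
# appended later as "hardening", but sshd keeps the first value above:
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_SSHD_CONFIG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Password authentication left enabled is the setting that makes a reused or guessable password (like the ones cewl produced here) matter for SSH; with key-only authentication the wordlist attack has no login form to hit. Run `sshd -T` on the host to confirm the effective values the daemon itself computes, including any Match blocks this checker stops at.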

Going into /var/www/html we can read the WordPress config file (wp-config.php) for the database credentials.

After logging into MySQL we can pull the WordPress password hashes from the wp_users table in the wordpressdb database.

Since we already have tom's and jerry's passwords, we can try to crack the admin's password with hashcat. I tried a few wordlists but wasn't successful. Since I don't have a top-notch rig for faster cracking, I'll leave it at that.

Conclusion

Twitter: ikuamike

Github: ikuamike