DC2 VULNHUB
SREERAJ K
Sreeraj898@gmail.com
Table of Contents
Introduction
Vulnerability Scanning
Exploitation
Penetration Methodology
• Discovering the target's IP
• Network scanning (Nmap)
• Adding the domain name to the hosts file
• Browsing the HTTP service port
• Using WPScan for username enumeration
• Using cewl to create a wordlist
• Logging in to WordPress
• Logging in through SSH
• Escaping the restricted shell
• Finding a binary in the sudoers list
• Getting root access and reading the final flag
Active Information Gathering
• Host Discovery and Port scanning
There were only two services running on the victim system, HTTP and SSH. Since
an HTTP service is running, there must be a web page. Browsing the website
gives us our first flag.
The Flag option on the web page clearly got our attention. Let's check what hint
it has for us. This page gave us a really good hint to move ahead.
Vulnerability Scanning
I moved directly to this step because this is my personal lab environment. I used
nmap to find vulnerabilities in the WordPress web app.
So, the first idea that came to us was to run wpscan against the web page and see
what the scan enumerates.
Time to fire up wpscan with our username and password lists to find a valid login
combination.
Since the clue told us to find another entry point to reach our final flag, we
decided to attempt an SSH login on port 7744 using Tom's credentials.
ssh tom@192.168.1.6 -p 7744
ls
cat flag3.txt
echo $PATH
ls /home/tom/usr/bin
Enumeration and Privilege Escalation
As you can observe, the cat program is not present in /bin, and tom can run
only the five programs present in that /bin directory.
Since we had a restricted shell, we checked which of those programs could help and
found that the Vi editor was available. We therefore used Vi to escape the
restricted shell and then fixed up the environment.
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
After that, we tried to open flag3.txt again using the cat command and luckily
found the next hint to move ahead.
ls
cat flag3.txt
According to the hint, we now need to switch user from tom to jerry, but we don't
have jerry's login credentials. We then checked the sudoers list and found that tom
can run "/usr/bin/git" as root without a password.
sudo -l
Having root permission on git was the cherry on the cake, because through it we
can escalate from a low-privilege shell to a high-privilege shell.
Once we had root access, we switched to the root directory and found our
final flag.
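As an added example, not part of the original write-up, the following Python script reads sudo -l output like the one above and flags rules that let a user run, as root and without a password, a binary capable of spawning a shell or pager; that is exactly the kind of misconfiguration that made git the way up here. The sample output, the hostname and the list of shell-capable binaries are constructed assumptions of this example.

```python
import os
import re
# Constructed sample sudo -l output modelled on the write-up's finding
# (tom may run git as root without a password); hostname is a placeholder.
SAMPLE_SUDO_L = """\
User tom may run the following commands on victim:
    (root) NOPASSWD: /usr/bin/git
    (root) /bin/ls
"""

# Illustrative set (an assumption of this example): binaries that give the
# caller an interactive shell or a pager when run under sudo.
SHELL_CAPABLE = {"git", "vi", "vim", "less", "more", "find", "awk",
                 "perl", "python", "python3", "bash", "sh"}

# "(root) NOPASSWD: /usr/bin/git" -> run-as user, tag block, command list
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")

def parse_sudo_l(text):
    """Extract the rules listed under 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(", "):  # sudo -l separates commands with ", "
            rules.append({"runas": runas.split(":")[0].strip(),
                          "nopasswd": "NOPASSWD:" in tags,
                          "command": cmd.strip()})
    return rules

def audit(rules):
    """Rate each rule: root + NOPASSWD + shell-capable binary is 'high'."""
    findings = []
    for r in rules:
        as_root = r["runas"] in ("root", "ALL")
        binary = os.path.basename(r["command"].split()[0])
        dangerous = r["command"] == "ALL" or binary in SHELL_CAPABLE
        level = ("high" if r["nopasswd"] else "medium") if as_root and dangerous else "info"
        findings.append((level, r["runas"], r["command"]))
    return findings

if __name__ == "__main__":
    for level, runas, command in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{level}] ({runas}) {command}")
```

Run against real sudo -l output, a "high" finding is the signal to replace the NOPASSWD rule with a narrower command or a wrapper that cannot reach a shell.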
cd /root
ls
cat final-flag.txt
Conclusion
This was a good step up from the previous box, since we needed to create our
own wordlist for brute-forcing using cewl. A perfect VM for beginners. We saw that
ports other than 22 can be used for SSH; administrators use this to harden
their systems. We needed a tool for URL enumeration like DIRB to find the
other accessible web pages. We touched on "sudo -l" and privilege escalation
concepts to get root access.