DC-2 Walkthrough

I already got root on DC-1 machine like 1 month ago, it was a nice box but I didn't had enough time to write about it so I thought of doing DC-2 machine by same author and write about it too :D . Though DC-2 is not available on vulnhub yet but you can download it from here.

This machine has 5 flags in total and below is my walkthrough on how I found them :)
As usual, I started the box by doing a quick nmap scan and it revealed port 80 only.

Only port 80 open? This sounded fishy to me so I hit up arrow key, added -p option to previous command for full tcp port scan and now we can see port 7744 is also open.

Since this port is used for SSH and no creds were provided, I went for HTTP service on port 80.
On directly opening the ip address of the machine, I got redirected to dc-2/ so I quickly added an entry to /etc/hosts file with machine's ip address and its corresponding hostname.

On opening dc-2/ on browser, an wordpress site was found.

Welcome, what we do, our people and our products pages all had some random lorem ipsum texts so nothing interesting there. The flag page at http://dc-2/index.php/flag/ had our first flag and some hints too "cewl" and "login".

According to the given hint, password might be in one of the pages above so I used "cewl" tool in kali to generate wordlist from above pages one by one.

We have a list of passwords to try but no usernames so I used wpscan to enumerate users for the given wordpress website.

wpscan identified 3 valid users - admin, tom and jerry so again I used wpscan to bruteforce these users with above wordlist.
Now we have valid passwords for users tom and jerry. I logged into tom's account but tom had no permissions to upload themes/plugins, interesting draft posts, medias and hints so I logged in to jerrys' account. Unlike tom, jerry had a "flag 2" post which was not shown in wordpress home but could be viewed from his dashboard.

Jerry also does not have any theme/plugin uploading option and according to the hint, there is another way. Remember the SSH port on 7744? I tried SSH'ing into tom's account with same password and it worked!

.. but rbash :(
Firstly, to check avaible commands on rbash shell, I used compgen, which was luckily available.

There were a bunch of commands that could be executed from rbash shell but the only "less" and "vi" got my attention. For some reasons, less didn't work as expected to escape rbash shell so I went for vi. In vi, if we set a variable with /bin/sh and execute it, we can escape out of the rbash shell so I did the same. 

In vi's command mode, type :set shell=/bin/sh and execute it by simply typing :shell. BOOM! we just escaped out of the rbash shell. 

Though we are already out of rbash shell but we cannot still execute all commands so I appended /bin and /usr/bin dirs to $PATH and spawned a TTY shell with python. 

Now we have a full TTY shell for tom user and we can read 3rd flag - flag3.txt.

So, according to this flag I su'd into jerry's account with the password I found from bruteforcing wordpress and it worked! There is only one file - flag4.txt in his home dir and there's not much hint except "Go on - git outta here!!!!" maybe this box's privesc has something to do with git command?
I did $ sudo -l to check if jerry can execute any command as sudo or not and found that he can execute /usr/bin/git with sudo and no password is required for it to execute too.

I had no idea if we could pop a root shell with git binary, so I searched for git binary in gtfobins.

 I tried the same, $ sudo git -p help and tried executing !/bin/sh to get root shell but it didn't work. To verify my command was being executed, I tried touch'ing a file in /tmp and found the file was created and its owner was root :)

Then, I copied /bin/sh to /tmp and gave SUID permission to it. On executing the binary, I got root shell and final flag too :)

That's all, folks. Thank you for reading. Happy Hacking!


Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

Expanding the attack surface with Shodan's lesser known filter