DC-2 Walkthrough

-
I already got root on DC-1 machine like 1 month ago, it was a nice box but I didn't had enough time to write about it so I thought of doing DC-2 machine by same author and write about it too :D . Though DC-2 is not available on vulnhub yet but you can download it from here.

This machine has 5 flags in total and below is my walkthrough on how I found them :)
As usual, I started the box by doing a quick nmap scan and it revealed port 80 only.


Only port 80 open? This sounded fishy to me so I hit up arrow key, added -p option to previous command for full tcp port scan and now we can see port 7744 is also open.


Since this port is used for SSH and no creds were provided, I went for HTTP service on port 80.
On directly opening the ip address of the machine, I got redirected to dc-2/ so I quickly added an entry to /etc/hosts file with machine's ip address and its corresponding hostname.


On opening dc-2/ on browser, an wordpress site was found.

Welcome, what we do, our people and our products pages all had some random lorem ipsum texts so nothing interesting there. The flag page at http://dc-2/index.php/flag/ had our first flag and some hints too "cewl" and "login".


According to the given hint, password might be in one of the pages above so I used "cewl" tool in kali to generate wordlist from above pages one by one.


We have a list of passwords to try but no usernames so I used wpscan to enumerate users for the given wordpress website.


wpscan identified 3 valid users - admin, tom and jerry so again I used wpscan to bruteforce these users with above wordlist.
Now we have valid passwords for users tom and jerry. I logged into tom's account but tom had no permissions to upload themes/plugins, interesting draft posts, medias and hints so I logged in to jerrys' account. Unlike tom, jerry had a "flag 2" post which was not shown in wordpress home but could be viewed from his dashboard.


Jerry also does not have any theme/plugin uploading option and according to the hint, there is another way. Remember the SSH port on 7744? I tried SSH'ing into tom's account with same password and it worked!


.. but rbash :(
Firstly, to check avaible commands on rbash shell, I used compgen, which was luckily available.


There were a bunch of commands that could be executed from rbash shell but the only "less" and "vi" got my attention. For some reasons, less didn't work as expected to escape rbash shell so I went for vi. In vi, if we set a variable with /bin/sh and execute it, we can escape out of the rbash shell so I did the same. 

In vi's command mode, type :set shell=/bin/sh and execute it by simply typing :shell. BOOM! we just escaped out of the rbash shell. 


Though we are already out of rbash shell but we cannot still execute all commands so I appended /bin and /usr/bin dirs to $PATH and spawned a TTY shell with python. 


Now we have a full TTY shell for tom user and we can read 3rd flag - flag3.txt.


So, according to this flag I su'd into jerry's account with the password I found from bruteforcing wordpress and it worked! There is only one file - flag4.txt in his home dir and there's not much hint except "Go on - git outta here!!!!" maybe this box's privesc has something to do with git command?
I did $ sudo -l to check if jerry can execute any command as sudo or not and found that he can execute /usr/bin/git with sudo and no password is required for it to execute too.


I had no idea if we could pop a root shell with git binary, so I searched for git binary in gtfobins.


 I tried the same, $ sudo git -p help and tried executing !/bin/sh to get root shell but it didn't work. To verify my command was being executed, I tried touch'ing a file in /tmp and found the file was created and its owner was root :)


Then, I copied /bin/sh to /tmp and gave SUID permission to it. On executing the binary, I got root shell and final flag too :)


That's all, folks. Thank you for reading. Happy Hacking!

Comments

Post a Comment

Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

-
Image
Introduction After hacking into a private program for a while now, I found some nice bugs, mostly through recon and chaining one clue after another. In this blog post, I'll discuss the same as well as my approach to finding them. Since I've signed an NDA with them, all references to the project and company are redacted. For the sake of this blog, I am going to refer to the project as MeowCorp project and their primary domain as meowcorp.io.  Findings #1 /.git/config file to root shell After running regular subdomain enumeration tools, I picked up some interesting subdomains. One of them was api.scan.meowcorp.io. While performing content discovery on this subdomain, I found  git config file. Quickly I dumped the files from .git dir with GitTools  but it was all static CSS, JS files that were of no use. When I was about to close the terminal tab, I noticed that the git repo belonged to a personal GitHub profile.  The company has its own GitHub org profile but the reference to a p
Read more

Expanding the attack surface with Shodan's lesser known filter

-
Image
I have been using Shodan extensively for bug bounty hunting lately and I found some neat tricks to expand the attack surface of the given target. There are many blogs and tutorials on "Shodan Recon" and most of them talk about the same filters - ssl, ssl.cert.subject.cn, org, ip, hostname, etc. but I have not seen anyone talk about this filter - all. So, I won't talk much about the basics of shodan and directly jump to the topic.  Shodan's regular search bar (without any filter) is not consistent and when you search for a keyword, it only looks for the "keyword" in https://www.shodan.io/host/<ip> BUT shodan's raw data (https://www.shodan.io/host/<ip>/raw) contains much more information or what I like to call it as "references" about the target. To find those references and juicy hosts, this "all" filter is very handy. I have been using this filter a lot and it has found many hosts that no other filter could find. The usage
Read more

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

-
Image
I have been using this Crypto Exchange - changenow.io for at least a year now. I didn't realize they also had a bug bounty program which was mentioned in their footer section. I was quite busy with my day job so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch of doing some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io. I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain eth-btc.com A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - sysadmin@changenow.io) so I enumerated the subdomains of this domain too. One of the subdomain zbx.sup.eth-btc.com was running Zabbix instance. I didn't have login credentials and common creds also didn't work but there was "Sign i
Read more