Hello friends! Today we are going to take another boot2root challenge known as “DC-2”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.
Security Level: Beginner
Penetrating Methodology:
· Discovering target's IP
· Network scanning (Nmap)
· Adding domain name to hosts file
· Surfing HTTP service port
· Using WPScan for username enumeration
· Using cewl for creating a wordlist
· Logging into WordPress
· Logging in through SSH
· Escaping restricted shell
· Finding binary in sudoers list
· Getting root access and reading final flag
Let’s start off with scanning the network to find our target.
netdiscover
We found our target's IP address, 192.168.1.101. Our next step is to scan the target with nmap.
nmap -p- -A 192.168.1.101
OKAY!! From the nmap result we found that port 7744 is used for SSH and port 80 for the HTTP service; moreover, the scan shows that the HTTP service redirects to http://dc-2.
Therefore, we added the domain name to our hosts file so that we would be able to access the HTTP service.
cat /etc/hosts
Since port 80 is open, we explored the domain name in the browser and discovered that the webpage has WordPress CMS installed.
The Flag option on the webpage clearly got our attention, so we checked what hint it had for us. This page gave us a really good hint to move ahead.
So, the first idea that came to us was to run wpscan against the webpage and see what the scan enumerates (plugins, themes and users).
wpscan --url http://dc-2 --enumerate p --enumerate t --enumerate u
I found three usernames: admin, jerry and tom. As the hint said, we need to use cewl, which generates a dictionary by spidering a website.
Therefore, we used cewl to build a password wordlist from the content of http://dc-2, as shown in the image.
cewl http://dc-2/ > password
cat password
So, we have a password dictionary generated with cewl, and we saved the WordPress usernames in a text file.
cat users
Time to fire up wpscan with our username and password lists to find a valid login combination.
wpscan --url http://dc-2 -U users -P password
We have successfully found the passwords for tom and jerry. Let's make good use of them.
jerry: adipiscing
tom: parturient
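Seen from the defensive side, the wpscan password run above leaves a distinctive trace in the web server's access log: many POST requests to /wp-login.php from one client in a short time. The following Python is an added example, not code from the original write-up, that flags such a burst; the log lines, IP addresses and user-agent strings in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bursts(lines, threshold=10, window=60):
    """Return {ip: total wp-login POSTs} for each IP that sent more than `threshold`
    POSTs to /wp-login.php inside any `window`-second span (sliding window)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # move the window start forward until it is within `window` seconds of `end`
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                hits[ip] = len(times)
                break
    return hits

# Constructed sample (IPs, host and user agents are made up): one client sends 12 login
# POSTs in 33 seconds, as a wordlist run does; another client logs in once normally.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Mar/2024:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'200 4321 "http://dc-2/wp-login.php" "WPScan"' for i in range(0, 36, 3)
] + [
    '203.0.113.9 - - [10/Mar/2024:12:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:12:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://dc-2/wp-login.php" "Mozilla/5.0"',
]
```

Running `find_login_bursts(SAMPLE_LOG)` reports only the scanning client; the single normal login stays below the threshold.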
Next, we logged in to WordPress with jerry's credentials. It was holding another clue for us in Flag 2.
Since the clue told us to find another entry point to reach the final flag, we thought of logging in via SSH, running on port 7744, using tom's credentials.
We successfully logged in, but we got a restricted shell in which some commands are not found; only a few commands are available.
ssh tom@192.168.1.101 -p 7744
ls
cat flag3.txt
echo $PATH
ls /home/tom/usr/bin
As you can observe, the cat program is not present in the bin directory on tom's PATH, and tom can run only the five programs inside that directory.
Since we had a restricted shell and found that the vi editor was available, we used vi to escape the restricted shell. After escaping, we added /bin and /usr/bin to our PATH environment variable and set /bin/bash as our SHELL so that we could run Linux commands properly.
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
After that we tried to open flag3.txt again using the cat command and luckily found the next hint to move ahead.
ls
cat flag3.txt
According to the hint, we now need to switch user from tom to jerry, but we don't have jerry's login credentials. We then checked the sudoers list and found that tom can run “/usr/bin/git” as root without a password.
sudo -l
sudo git help add
The git help page opens in a pager from which shell commands can be run: typing !/bin/bash and hitting Enter spawns a root shell.
Boom!!! We got the root access, then we switch to the root directory and found our final flag.
cd /root
ls
cat final-flag.txt