DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn't an overly difficult challenge, so it should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Download it from here - http://www.five86.com/dc-6.html
Table of Contents
1. Scanning
   § Netdiscover
   § NMAP
2. Enumeration
   § WPSCAN
3. Exploiting
   § Searchsploit
4. Privilege Escalation
   § sudo rights
5. Capture the Flag
Walkthrough
Here the author has left a clue which will be helpful in this CTF.
“OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.”
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
That should save you a few years. ;-)
Scanning
Now, start the CTF challenge by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP 192.168.1.103.
Then it's time to run the following nmap command to identify open ports and running services.
nmap -A 192.168.1.103
As ever, this time too we found ports 22 and 80 open, for the SSH and HTTP services; moreover, all HTTP requests are redirected to the domain http://wordy.
Therefore, we added the domain name to our hosts file so that we would be able to access the HTTP service.
Enumeration
Since port 80 is open, we explored the domain name in the browser and discovered that the webpage has a WordPress CMS installed.
Since I didn't find any remarkable clue on the website, the next idea that came to us was to run wpscan against the webpage and see what the scan enumerates for us.
Hmmm!! Not bad, here I got usernames as shown in the image below.
Moreover, in a text file named users, I saved all the usernames that I had found with WPScan. If you remember the CLUE I discussed at the beginning of the post, generating a password dictionary from it would be helpful.
wpscan --url http://wordy/ -U users -P password
We have successfully found the password for mark; let's make good use of it.
mark:helpdesk01
Exploiting
After logging into WordPress, I noticed that a plugin, “Active-monitor”, is installed in the dashboard.
So I quickly checked searchsploit for its exploit and, surprisingly, found that this plugin is vulnerable to reflected XSS and CSRF attacks; moreover, this vulnerability could lead to remote code execution. You will get its exploit from searchsploit, which is an HTML form that carries out the CSRF attack.
From searchsploit I found the 45274.html file to exploit the CSRF attack, but before executing it we need to make some cosmetic changes as shown below and launch a netcat listener.
Now, execute the shell.html file to get a reverse connection.
OKAY!! We got a reverse connection at netcat, where I needed to run a python command to spawn a proper shell. While traversing I found a bash script “backup.sh” and a tar archive “backups.tar.gz”; moreover, I found a text file “things-to-do” inside /home/mark/stuff which stored the credentials for another user, “graham”, as shown below.
graham:GSo7isUM1D4
Privilege Escalation
As we knew, port 22 is open for SSH, so I tried to connect with ssh using graham:GSo7isUM1D4 and luckily got SSH access as shown below. Since this is a boot-to-root challenge, I need to escalate privileges for root access.
ssh graham@192.168.1.103
Therefore, I checked for sudo rights and found that graham can execute backup.sh as jens without a password.
sudo -l
After reading this bash script, I decided to edit the file by adding /bin/bash as shown below.
Then, with that sudo right, I executed the following command and successfully logged in as jens.
sudo -u jens /home/jens/backups.sh
Now that we have access to jens's shell, I checked the sudo rights for jens. As per the sudoers file, jens can run nmap as root. To escalate to root, I generated an nmap script called root.nse that executes /bin/sh, then used the nmap command with sudo to run the script.
echo "os.execute('/bin/sh')">/tmp/root.nse
sudo nmap --script=/tmp/root.nse
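Both sudo rights used in this escalation (a script in another user's home run as that user, and nmap run as root with a user-supplied --script path) leave a trace in the lines sudo writes to syslog. The following is an added example, not part of the original walkthrough: a small Python checker that parses constructed auth.log lines in sudo's standard format and flags both patterns for a defender to review; the hostname, users and commands in the sample are assumed to mirror this lab.

```python
import re

# Constructed sample lines in the syslog format sudo writes to /var/log/auth.log.
# Hostname, users and commands mirror the walkthrough; they are not real captures.
SAMPLE_AUTH_LOG = """\
Jun  3 10:12:41 wordy sudo:   graham : TTY=pts/0 ; PWD=/home/graham ; USER=jens ; COMMAND=/home/jens/backups.sh
Jun  3 10:13:05 wordy sudo:     jens : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/nmap --script=/tmp/root.nse
Jun  3 10:14:20 wordy sudo:     jens : TTY=pts/0 ; PWD=/home/jens ; USER=root ; COMMAND=/usr/bin/nmap --script=default -sV 10.0.0.5
Jun  3 10:15:00 wordy sudo:   graham : TTY=pts/0 ; PWD=/home/graham ; USER=root ; COMMAND=/usr/bin/apt update
"""
SUDO_RE = re.compile(r"sudo:\s+(?P<invoker>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
# Scripts that ship with nmap live here; any other path is user-supplied Lua.
NMAP_SCRIPT_DIR = "/usr/share/nmap/scripts/"

def parse_sudo_line(line):
    """Return (invoker, run-as user, command) for a sudo syslog line, else None."""
    m = SUDO_RE.search(line)
    return (m["invoker"], m["runas"], m["cmd"]) if m else None

def assess(invoker, runas, cmd):
    """Return the reasons a sudo invocation deserves review (empty list if none)."""
    argv = cmd.split()
    reasons = []
    if argv[0].rsplit("/", 1)[-1] == "nmap":
        for arg in argv[1:]:
            # --script=... takes names/categories or paths (the --script=path form is
            # checked here); a path outside the stock script directory means
            # arbitrary Lua running with the run-as user's rights.
            if arg.startswith("--script=") and "/" in arg \
                    and not arg.startswith("--script=" + NMAP_SCRIPT_DIR):
                reasons.append(f"nmap run as {runas} loads an NSE script from outside {NMAP_SCRIPT_DIR}")
    parts = argv[0].split("/")
    if len(parts) > 3 and parts[1] == "home" and parts[2] != invoker:
        # A script in someone else's home run via sudo: confirm the invoker cannot
        # write to it, or the rule hands over that account (the backups.sh case).
        reasons.append("sudo target is a script inside another user's home directory")
    return reasons

def scan_auth_log(text):
    """Return (invoker, runas, cmd, reasons) for every sudo line that needs review."""
    hits = []
    for line in text.splitlines():
        parsed = parse_sudo_line(line)
        if parsed and (reasons := assess(*parsed)):
            hits.append((*parsed, reasons))
    return hits

if __name__ == "__main__":
    for invoker, runas, cmd, reasons in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{invoker} -> {runas}: {cmd}\n    " + "\n    ".join(reasons))
```

Run against the sample, the checker reports the backups.sh invocation and the nmap run with /tmp/root.nse, and stays quiet on the stock-script nmap scan and the apt update.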
WELL DONE! We have found the final flag and completed the challenge.