Pentesting — VulnHub: DC-2
Note: The methodologies and tools that you learn from pentesting are real. Do NOT attempt to try and hack into machines you’re not authorized to. I will not be held responsible for your actions.
Finding the IP Address of DC-2
After powering up the machine in Workstation, the first step is to determine its IP address. We’ll need the IP address for all communications with DC-2. My personal choice is netdiscover.
So, the IP address of DC-1 is 192.168.248.140. Let’s modify our /etc/hosts file on Kali to reflect this.
Deep Nmap Scan
Now that we know the IP address of DC-2, we’ll scan it more deeply to get more information out of it. I have written a port scan bash script which is basically two nmap scans. The first scan determines open ports and the second scan uses the -A flag on those ports.
From the nmap scan, we can note the following:
- Software: Apache httpd 2.4.10, OpenSSH 6.7p1 Debian
- OS: Linux 3.X
Notice that OpenSSH is running on 7744. SSH on port 22 is not mandatory; it is just popular and expected. But essentially, SSH can be listening on any port.
Port 80 served a WordPress website. Noted.
The flag tab says, Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl. This means that we may need to brute-force a login form using a custom wordlist. Nice tip!
We don’t know where the login page is. So, we’ll use a website directory enumeration tool like dirbuster to find the URI of various web directories that are not visible to us right now. My standard dirbuster search configuration for Apache web server is:
dirbuster found the URI of the web login page, /wp-login.php. Since this is a practice machine and the flag is quite obvious, you can stop enumerating directories. In reality, I feel it’s good to let it run for about half hour.
Remember that the flag mentioned cewl. It’s a tool to generate custom wordlists by parsing the content off a website.
Now that we have our custom wordlist, we’ll brute force the credentials of the WordPress login form. There is a tool called wpscan which will be helpful here. If you know how to use hydra, you can use that as well.
Command: wpscan -url http://dc-2 -enumerate -w /path/to/cewl/wordlist/dc2_wordlist.txt
We didn’t get the admin password, but that’s okay. We got credentials of two others. Nice! Now that we have user access to the web portal, the next step is to find a location to upload a shell script.
Y U NO Upload?
I found an upload location in the Media Library section but that was a dead-end.
I wanted to try another bypass technique using Burp Proxy, but then I remembered that users reuse passwords.
Consequences of Password Reuse
Remember that SSH is running on port 7744. Before I dive into serious shell upload bypass techniques, I wanted to test my hypothesis that either jerry or tom might have used the same password for their SSH logins.
And indeed! tom reused his web portal credentials for SSH login. This is why it’s important to have different passwords for different portals.
Breaking out of Restricted Shell
You might have noticed that the shell that we got is very restricted. There’s not much we can work with. Let’s break out! vi is a great friend!
Type vi at the console and press Enter. Type the following commands into vi:
These commands set a configuration variable, shell and then call it.
We still have privileges of tom. Let’s check what programs tom can execute as root.
Ah, well. We need to somehow switch to another user account. jerry did not reuse his web credentials in SSH.
Another flag in tom’s home directory says Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Turns out jerry reused his web credentials in his system account! Nice!
Let’s check what programs jerry can execute as root.
So, we can execute git with root privileges. Let’s head off to GTFOBins and see how git can be used to escalate privileges.
So, I need to set a PAGER environment variable with the mentioned value. DC-2 does not allow me to preserve the environment, so the -E flag must not be used with sudo.
Note: On executing sudo git help config, a vi like editor opens where you need to type !/bin/sh as mentioned in GTFOBins. You’ll then get the root shell.
Nice! We have root shell and we have successfully compromised the DC-2 machine!
Thank you for reading!
In this article, we used a different methodology compared to DC-1. We did not upload any shell script after we logged into WordPress. Instead, we exploited the fact that users reuse their credentials in different services. We also looked at a technique that uses vi to break out of a restricted shell. We also learnt how to find programs that can be executed with root privileges.
Things are slowly getting spicy, are they not? If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
P.S. I also write on my blog https://0x90sploiter.wordpress.com.
Feature image credit: https://www.360logica.com/blog/different-methodologies-penetration-testing/