In this article we will gain root access to the machine DC-2. It is a CTF challenge aimed at beginners, and we can download it from VulnHub.
Our first step is to identify the target, and for that we run the command: netdiscover -i wlan0
Now let's run nmap to check for open ports, and for that we run the command:
nmap -A 192.168.43.148
The result shows only one open port, so to confirm this we scan the full port range with the command:
nmap -p- 192.168.43.148
This command shows that one more service is running, on port 7744.
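The second scan matters because nmap's default port set (which nmap -A uses) does not include 7744, so the SSH service only appears once the full range is scanned. As an added example, not part of the original walkthrough, the Python script below parses a line in the layout of nmap's greppable output (-oG) and flags well-known services running on non-default ports, which is the check a defender would run over their own inventory. The sample line is constructed from the two ports found above; the per-port field order and the DEFAULT_PORTS table are assumptions of this example.

```python
import re

# Constructed line in the layout of nmap's greppable output (-oG).
# Assumption: per-port fields are port/state/protocol/owner/service/rpc/version.
# Version strings are left empty because the walkthrough does not list them.
SAMPLE_GREPABLE = (
    "Host: 192.168.43.148 (dc-2)\tPorts: 80/open/tcp//http///, 7744/open/tcp//ssh///"
    "\tIgnored State: closed (65533)"
)

# Default ports for a few common services (assumed table for this example).
DEFAULT_PORTS = {"ssh": 22, "http": 80, "https": 443, "ftp": 21, "smtp": 25}


def parse_grepable(line):
    """Return (host, [(port, proto, state, service), ...]) from one -oG host line."""
    host_m = re.search(r"Host:\s+(\S+)", line)
    ports_m = re.search(r"Ports:\s+([^\t]+)", line)
    host = host_m.group(1) if host_m else None
    entries = []
    if ports_m:
        for item in ports_m.group(1).split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry, skip rather than guess
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            entries.append((port, proto, state, service))
    return host, entries


def nonstandard_services(entries):
    """Open ports where a known service runs somewhere other than its default port."""
    return [
        (port, service)
        for port, proto, state, service in entries
        if state == "open" and service in DEFAULT_PORTS and DEFAULT_PORTS[service] != port
    ]


if __name__ == "__main__":
    host, entries = parse_grepable(SAMPLE_GREPABLE)
    for port, service in nonstandard_services(entries):
        print(f"{host}: {service} on non-default port {port}")
```

Moving SSH to 7744 did not protect DC-2; it only delayed discovery by one scan. An inventory check like this one makes sure the defender knows about such services before an attacker does.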
So we decided to browse the HTTP service. After typing 192.168.43.148:80 into our browser we got an error instead of a page, so we decided to edit our /etc/hosts file and add an entry mapping the IP address to the hostname dc-2.
Now we try to open the website again, and this time it opens. We have a WordPress website, so the next step is to enumerate it. Read this article: https://www.haclabs.org/post/wordpress-penetration-testing to learn more about WordPress enumeration.
After enumerating the WordPress website we found no vulnerable theme and no vulnerable plugin that we could exploit, so we decided to enumerate users with the command: ./wpscan --url http://dc-2 --enumerate u
We found three users, namely admin, jerry and tom. We tried a brute-force attack to find their passwords but failed when using the wordlists in the /usr/share/wordlists directory. Browsing the website again, we found a page named flag; clicking on it gives us a hint.
So we decided to use the tool cewl, which comes preinstalled in Kali Linux. It spiders a given URL to the specified depth and returns a list of words that can be used as passwords in password cracking. To generate the list we run the command: cewl http://dc-2 > passwords.txt
We save the names of the users we found in a file named users.txt.
Now we use these two lists to crack the passwords with the command:
./wpscan --url http://dc-2 -U users.txt -P passwords.txt
We found two valid combinations:
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
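The cewl list worked where the stock wordlists failed because both passwords are plain words taken from the site's own content. As an added example, not part of the original walkthrough, the Python script below builds a cewl-style word list from page text and flags passwords that are words from that text, including the common "word plus a few digits or symbols" variant. This is the check a site owner would run when setting a password policy. The page text is constructed, and the tokeniser only approximates cewl's default behaviour.

```python
import re

# Constructed sample page text, standing in for what a spider such as cewl
# collects from a site. The lorem-ipsum filler is deliberate: the two DC-2
# passwords recovered above are lorem-ipsum words.
SAMPLE_PAGE_TEXT = """
Welcome to DC-2. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Nulla parturient montes, nascetur ridiculus mus. Your usual wordlists
probably won't work, so you may need to cewl this site.
"""


def site_wordlist(text, min_length=3):
    """Words of at least min_length letters found in the text, lower-cased.

    Assumption: this approximates cewl's default tokenising; cewl's own
    handling of hyphens, digits and minimum length differs in detail."""
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_length}


def normalise(password):
    """Strip trailing digits/symbols so 'parturient1!' is treated like 'parturient'."""
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def password_in_site_content(password, wordlist):
    """True if the password, or its letters-only stem, is a word from the site."""
    return password.lower() in wordlist or normalise(password) in wordlist


def audit_passwords(candidates, text):
    """candidates: list of (user, password). Returns {user: verdict}."""
    words = site_wordlist(text)
    verdicts = {}
    for user, pw in candidates:
        if password_in_site_content(pw, words):
            verdicts[user] = "WEAK: appears in site content"
        else:
            verdicts[user] = "ok"
    return verdicts


if __name__ == "__main__":
    # The two recovered DC-2 credentials plus a constructed strong password.
    sample = [("jerry", "adipiscing"), ("tom", "parturient"), ("admin", "c7Qv!3rT-gh2")]
    for user, verdict in audit_passwords(sample, SAMPLE_PAGE_TEXT).items():
        print(f"{user}: {verdict}")
```

Run against the real site text, this rejects exactly the passwords that a cewl-driven wpscan run would recover, which is why a policy check of this kind belongs next to the usual length and complexity rules.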
To log in to the WordPress admin panel we visit the page http://dc-2/wp-login.php, and we logged in successfully using the credentials of user tom.
But we didn't find anything useful there, so we decided to log in as jerry.
Under Pages, then All Pages, we found two new pages, flag and flag2.
The content of page flag is
and the content of page flag2 is:
We again get a hint: the port we discovered, 7744, is meant for SSH login, since SSH is another way of getting into a system. So we use the credentials of both users to connect over SSH, and we succeed with the credentials of user tom.
When we run a couple of commands we get an error.
This means that this is a restricted shell and we need a proper shell. For that we use the vi trick. First of all we check whether vi is available by typing two commands.
So type vi and then type:
:set shell=/bin/bash (press Enter)
But after this we still get an error.
We export "/bin/bash" as our SHELL environment variable and "/usr/bin" as our PATH environment variable so that we can run Linux commands properly.
Now we can run different commands without any error, so we go to the /home directory, where we find two directories, tom and jerry. We change into tom's directory, find flag3.txt, and read its content with the cat command.
This means we can change user with the su command, so we can get a shell as jerry, since we know jerry's password.
Now we are jerry. Changing our directory to /home/jerry we see a new flag, flag4.txt, and we read its content with the cat command.
Now we check jerry's sudo permissions by running the command sudo -l, and yes, we have git. Git can be used for privilege escalation, and after a lot of searching on the internet we found a method.
Command used:
sudo git help add
And after this we get a root shell.
So we have our final flag, and we read it with the cat command.
Done! We have gained root access!
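Both escalation steps in this walkthrough, the vi escape from tom's restricted shell and the sudo rule that lets jerry run git, share one root cause: the user was allowed to run a program that can hand them an interactive shell, directly or through an editor or pager it launches. The Python script below is an added example, not part of the original post, that audits both from the administrator's side: it lists shell-capable programs reachable from a restricted user's PATH and flags sudoers rules that grant such programs (or ALL) as root. The directory listing, the sudoers lines and the SHELL_CAPABLE list are constructed assumptions for this example.

```python
import os
import re

# Assumption: a short list of programs that can give the caller an interactive
# shell, either directly or via an editor/pager they launch. vi and git (whose
# help output is shown through a pager) are the two cases in this walkthrough;
# the others are well-known members of the same class.
SHELL_CAPABLE = {"bash", "sh", "vi", "vim", "less", "more", "man", "git", "python", "perl"}

# Constructed listing of a hypothetical restricted user's PATH directory.
RESTRICTED_PATH = ["/home/restricted/bin"]
RESTRICTED_LISTING = {"/home/restricted/bin": ["ls", "scp", "less", "vi"]}

# Constructed sudoers-style rules: 'user host = (runas) [TAG:] cmd, cmd'.
SAMPLE_SUDOERS = [
    "# user rules (constructed sample)",
    "jerry ALL=(root) NOPASSWD: /usr/bin/git",
    "alice ALL=(root) /usr/bin/systemctl status nginx",
    "bob   ALL=(ALL:ALL) ALL",
    "carol ALL=(www-data) /usr/bin/less /var/log/nginx/access.log",
]


def audit_restricted_path(path_dirs, listing):
    """Shell-capable programs reachable from a restricted shell's PATH.

    listing maps directory -> executable names (constructed here; on a real
    host gather it with os.listdir over the directories in the user's PATH)."""
    reachable = {
        name for d in path_dirs for name in listing.get(d, []) if name in SHELL_CAPABLE
    }
    return sorted(reachable)


SUDOERS_RULE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def audit_sudoers(lines):
    """Return (user, program, command) for rules that let a user run a
    shell-capable program, or ALL, as root. Defaults lines and comments are skipped."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        runas_user = (runas or "root").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # rule does not grant root; out of scope for this check
        for cmd in cmds.split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog == "ALL" or prog in SHELL_CAPABLE:
                findings.append((user, prog, cmd))
    return findings


if __name__ == "__main__":
    print("restricted PATH exposes:", audit_restricted_path(RESTRICTED_PATH, RESTRICTED_LISTING))
    for user, prog, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudo rule for {user} grants shell-capable program {prog!r}: {cmd}")
```

For the DC-2 case the fix is to remove git from jerry's sudo rule, or restrict it to the exact non-interactive invocation that is needed, and to keep editors and pagers out of a restricted shell's PATH; a restricted shell only restricts what its PATH cannot undo.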