DC:2 Vuln Hub Machine Walkthrough

0
dc2-vulnhub-walkthrough

DC-2 vlunhub Walkthrough

First, visit vulnhub.com and open the DC:2 Machine and download and import the virtual box when it’s imported after that start the machine. When the machine is started, open your Linux terminal and scan your network and find the ip. For this you use netdiscover, arp-scan both tool it’s all upon you. What would you use.

Command For scan network — sudo arp-scan -l

sudo-arpscan

Command For scan network- sudo netdiscover

netdiscover-command

After that you got your IP- 192.168.1.34
Now scan your IP through the nmap.
Command- nmap -p- -A 192.168.34
-A stands for all and fast scan.
-p- stands for all ports scan.

Ports

Now open your IP in any browser in URL section and you see a website I found that the web server hosts a WordPress website, and I found a page with title “Flag” in the home page of this website

frontend

After visiting this page, I found a hint of using a cewl tool, which is a tool to generate a password list from a given URL.

Screen

So, I used this tool to generate a password list from the website and save this list in a file called pass.txt
Command for cewl tool– cewl http://dc-2/ -w pass.txt

Pass

After scanning the wordpress website using wpscan tool and enumerate the available users on the website, I found that there are three users on it (admin, jerry, and tom).

Command for scan- wpscan –url http://dc-2 -e

wp-scan

Now, I saved those users in a file called users.txt and then I used wpscan to bruteforce wordpress logins using pass.txt and users.txt lists.

Command for brute force through wpscan tool – wpscan –url http://dc-2 -P
pass.txt -U users.txt

wpscans

User – jerry – pass – adipiscing
User – tom – pass – parturient
I used them to login to the WordPress admin area and I did not find any vulnerable plugin or theme. But after enumerating the admin area, I found that there is an unpublished page called “Flag 2”. By viewing this page, I found a hint to not exploit WordPress

ssh login

Now make an SSH Login running on port 77454 by using Tom credentials. We successfully got logged in but we have a restricted shell in which some commands are not found. But few commands are available.

echo $PATH
ls /home/tom/usr/bin

usrbin-command

we had a restricted shell, we found that we can use the Vi editor. Therefore, we use Vi editor to escape the restricted shell.

set shell

After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and “/usr/bin” as our PATH environment variable so that we can run Linux commands properly.

Command- export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash:$SHELL

After that open flag3.txt use cat command and it done now.According to hint, now we need to switch user from tom to jerry but we don’t have jerry’s login credential. Then checked the sudoers list and found that tom can run “/usr/bin/git” as root without a password.

bash-shell

Command- sudo – l

sudo-git-help

Commands- cd /root
ls
cat final-flag.txt

weldone-script

Written By

Name : Aakash Kumar

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Hello
Can we help you?