Walkthrough: DC-2
First, we use the netdiscover tool to discover all hosts on our network, where we find the target IP address (192.168.1.51). Command: sudo netdiscover. Note: netdiscover can only be run as root.
After finding the target IP address, we use nmap to find the open ports and the services running on them:
nmap 192.168.1.51 -p- -A
After the scan completes, we discover that two ports are open (80 http, 7744 ssh). Trying to connect to port 80 gives us an error page.
So we add the target IP to the /etc/hosts file:
sudo nano /etc/hosts
Now we have access to the website and find that it runs on WordPress.
On the main page we get flag1.
Since the website runs on WordPress, we use wpscan to get more details about the site and to enumerate users from it.
Command:
wpscan --url "target-URL" --enumerate u,p,t
This enumerates usernames (u), plugins (p) and themes (t) from the website.
We find 3 users on the website. Next we use the cewl tool to gather more information from the target URL.
CeWL stands for Custom Word List generator, a tool that builds custom wordlists or dictionaries from a site's content, which can then be used for password cracking, phishing assessments, or other kinds of security testing.
Command: cewl "target-URL", for example:
cewl http://dc-2 > dc2Password
This creates a custom wordlist that we use to brute-force the usernames we found with wpscan.
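To show what cewl is actually doing, and why a site's own text is a bad source of passwords, here is an added example (not part of the original walkthrough and not cewl's code) that extracts a cewl-style wordlist from a constructed HTML page and then runs a defender-side check that rejects passwords built from words that appear on the site. The page contents, the minimum word length of 3 and the helper names are my assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a stand-in for the kind of WordPress front page a crawler would read.
SAMPLE_HTML = """<html><head><title>DC-2 Welcome</title>
<style>.x{color:red}</style></head>
<body><h1>Welcome to DC-2</h1>
<p>Flag 1: Your usual wordlists probably won't work, so instead maybe you just need to be cewl.</p>
<script>var hidden = "nottext";</script>
<p>More passwords is always better, but sometimes you just can't win them all.</p>
</body></html>"""


class TextExtractor(HTMLParser):
    """Collects visible text, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    parser = TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


def site_wordlist(html, min_length=3):
    """cewl-style list: unique alphabetic words of at least min_length, in first-seen order."""
    seen = set()
    words = []
    for word in re.findall(r"[A-Za-z]+", visible_text(html)):
        if len(word) >= min_length and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def password_derived_from_site(password, words):
    """Defender-side check: after stripping digits and punctuation, does the password
    match (case-insensitively) a word that appears on the site?"""
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    return any(core == word.lower() for word in words)


if __name__ == "__main__":
    words = site_wordlist(SAMPLE_HTML)
    print("site wordlist:", words)
    for candidate in ("cewl123", "Welcome!", "xq9!Lm#2"):
        print(candidate, "->", "REJECT (site word)" if password_derived_from_site(candidate, words) else "ok")
```

The same check can be wired into a password-change hook: feed it the wordlist generated from your own public pages, and any password that is just a page word with a suffix is refused before an attacker gets to guess it.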
We successfully find the passwords for two of the users.
Now we use dirsearch to find the login page and other hidden directories: dirsearch -u "target-url"
Using jerry's credentials we log into the website and, after some time, get our second flag, which tells us to get into the server using a second method.
Next we try to log in over SSH, since we earlier discovered the SSH service running on port 7744.
In this shell we discover that we are in rbash (a restricted shell).
rbash stands for Restricted Bash. It is a restricted mode of the bash shell, used when you want a user to run only a limited set of commands so that they cannot modify or harm the system.
To find out which commands we can run, we first check the PATH with echo $PATH.
Then we list that directory, ls /home/tom/usr/bin, to see which commands the tom user can run.
Only less, ls, scp and vi are available there, so we use vi to read the flag: vi flag3.txt
Since we are in a restricted shell but can still use the vi editor, we use vi to escape the restricted shell.
After escaping, we set /bin/bash as our SHELL environment variable and add /bin and /usr/bin to our PATH so that we can run Linux commands properly:
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
After escaping rbash we can use the other commands successfully,
and we get flag 4.
Following the hint in flag4, we switch user from tom to jerry.
Checking jerry's permissions with sudo -l, we look at the sudoers entries and find that the user can run /usr/bin/git as root without a password.
Jerry can run git as root without a password, which is a privilege-escalation vector.
Git help pages open inside a pager like less, and inside less you can execute shell commands.
So from inside the pager I execute the shell command !/bin/bash
and get a root shell.
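Both weaknesses in this box, a restricted shell whose PATH contains an editor and pager, and a sudoers rule that hands a pager-spawning program to root without a password, are easy to find on your own systems before someone else does. The following audit script is an added example, not part of the walkthrough; it runs over constructed copies of /etc/passwd, the listing of tom's PATH directory and /etc/sudoers that mirror what the walkthrough shows, and flags the two findings. The list of shell-escape-capable programs and the helper names are my assumptions.

```python
import re

# Constructed sample data standing in for /etc/passwd, the contents of the restricted
# user's PATH directory, and /etc/sudoers on a box laid out like DC-2.
PASSWD = """root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001:Tom Cat,,,:/home/tom:/bin/rbash
jerry:x:1002:1002:Jerry Mouse,,,:/home/jerry:/bin/bash
"""
# What `ls /home/tom/usr/bin` showed in the walkthrough (reproduced here as constructed data).
RESTRICTED_PATH_BINS = {"/home/tom/usr/bin": ["less", "ls", "scp", "vi"]}
SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
jerry ALL=(root) NOPASSWD: /usr/bin/git
"""

# Programs that can hand the caller a shell: editors and pagers with a shell escape,
# and programs (git) that spawn such a pager. Assumed list for this example.
SHELL_ESCAPE_BINS = {"vi", "vim", "less", "more", "man", "git"}
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}


def restricted_users(passwd_text):
    """Map user -> home for every account whose login shell is a restricted bash."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in RESTRICTED_SHELLS:
            users[fields[0]] = fields[5]
    return users


def rbash_findings(passwd_text, path_bins):
    """Restricted users whose allowed PATH directory contains a shell-escape binary."""
    findings = []
    for user, home in restricted_users(passwd_text).items():
        for directory, bins in path_bins.items():
            if directory.startswith(home + "/"):
                bad = sorted(set(bins) & SHELL_ESCAPE_BINS)
                if bad:
                    findings.append((user, directory, bad))
    return findings


# user  host=(runas)  [NOPASSWD:]  command[, command...]
SUDO_RULE = re.compile(r"^(\S+)\s+\S+=\((.*?)\)\s*(NOPASSWD:\s*)?(.+)$")


def sudoers_findings(sudoers_text):
    """Rules that let a user run a shell-escape binary as root; third field says NOPASSWD."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("Defaults") or line.startswith("#"):
            continue
        match = SUDO_RULE.match(line)
        if not match:
            continue
        user, runas, nopasswd, commands = match.groups()
        if "root" not in runas and "ALL" not in runas:
            continue
        for command in commands.split(","):
            name = command.strip().split()[0].rsplit("/", 1)[-1]
            if name in SHELL_ESCAPE_BINS:
                findings.append((user, command.strip(), bool(nopasswd)))
    return findings


if __name__ == "__main__":
    for user, directory, bins in rbash_findings(PASSWD, RESTRICTED_PATH_BINS):
        print(f"[rbash] {user}: {directory} offers shell-escape binaries {bins}")
    for user, command, nopasswd in sudoers_findings(SUDOERS):
        tag = "NOPASSWD" if nopasswd else "password"
        print(f"[sudo] {user} may run {command} as root ({tag}); pager/editor escape gives root")
```

Run it against the real files (read /etc/passwd, `ls` the restricted user's PATH, and `sudo -l` output or /etc/sudoers) and treat every hit the way this walkthrough treats it: as a root shell waiting to happen. The fix for the rbash finding is to remove editors and pagers from the restricted PATH; for the sudo finding, stop granting git (or any program that spawns a pager) as root at all rather than just removing NOPASSWD.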
