19 July 2021
Hi you all again.I pwned dc:2 machine today.But Before start the machine you neet to read machine page because it is hack and you have to see every details.
You can guess first two steps.Target ip detection and Enumerating running services.
I directly opened
wpscan tool when I saw wordpress header.So I did same thing in here.
I started enumerate users with
wpscan --url http://dc-2 --enumerate u .And I found 3 user.
I created username list for brute force to login page .
But I didnt have right password list.When I went to site I saw flag1 page and I read all of them.
cewl word in the page.I didnt know what is that.
So I started googling and I saw this is a tool.Even wordlist generator. You can more info in the link . I think it gonna be work to me
I started work with the tool and created a password list .
And I started brute force with
wpscan --url http://dc-2 -U users.txt -P pass.txt .
I found passwords for jerry and tom.
I saw flag2 when I logon site .And I realized I need to continue with ssh . Because I didnt find anything else and there is no one entrypoint except ssh .
But There is have shell restriction .So I started to search how can I pass the restriction
I looked which commands can work here and I saw my darling
You can almost pass every restriction with it .
First I typed
set shell=/bin/bash and
:shell in vi .
So I passed restriction but I was need to export new path and shell envoriments.
For work truely
I exporteed them and read flag3.As I understand I need to be jerry and I did what I understood And I started enumeration for root .I saw git command can work with root privileges.
So I started to search
linux git priv esc in google.And I found that .
First I typed
sudo /usr/bin/git help status after than typed :
!/bin/bash and I got root and final .
I really liked the machine.I saw a tool first time again.it was be good practice for me So I recommended to solved on your own. Have a good hacks .See you next machines :)