My first box pop in 10 years. DC-6 by Ben from 17 July 2019
Tonight I wanted to start my OSCP / pentesting practice. So, I go to Vulnhub and start scrolling through the list of VMs. I found a few that said they were for beginners and I downloaded them. I got DC-6, DC-4, and Sputnik. I started with DC-6 because it finished first. The VM information said that the interface would be set to DHCP and that I should add a host entry to my hosts file for the hostname “wordy” for whatever IP the machine gets. It also said in the hints to run the following command: “cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt”. This command tells me at least a little information. We are going to be cracking a password. The password is in rockyou.txt (which is included in Kali). And the successful password contains the string “k01”. The cat command reads the rockyou.txt wordlist and pipes it to grep, which keeps only the lines containing “k01”; the shell then redirects that output into a new file. So we will have a new, smaller list of passwords to use in our password-cracking attempts.
I imported the OVA into VirtualBox. I changed the interface to be on the internal network (going through my pfSense box) VM network. Then I booted it up. This got me to a login screen. I couldn't do anything. I tried basic stuff like admin/admin and admin/password etc. just for fun. It didn't work, obviously. So I fired up Kali and Zenmap. I gave the VM network a good old scan. DC-6 showed up as 192.168.1.102. It said it had ports 22 and 80 open. Since I got the IP of 192.168.1.102 for this VM, that's what I'll need to add to my hosts file. It now looks like this:
Using a web browser and just typing in “http://wordy” brought me to a WordPress blog.
I’m not ashamed to admit that this is where I hit a brick wall. I have never done this before, after all. I really wasn’t sure which direction to go in. I went over the code of the WordPress site for a bit. I didn’t see anything particularly interesting. It looked like any other WordPress site. I remembered back to the hints and went ahead and ran the command to prepare my wordlist. I figured I’d need it to break into this box.
So I started to google. I found this YouTube clip of a guy’s walkthrough of this box. It’s a new video put out by the user Moaz Ghawji. However, the video is in a foreign language. But I am treating this like the tutorial level of a game and treating my foreign friend in the video as my level guide. I know some may consider it cheating, but again, I’m treating it more like a tutorial. I watch until the guy gets caught up with me. The next thing he does is run WPScan, a WordPress vulnerability scanner. He runs it to enumerate any possible users. So I do the same. We ran the following command: “WPScan --url http://wordy -e”. I get the following list of names:
I really wish I knew more about how this command gets the usernames from the WordPress server. Possibly that is an article for another time. So we get this list of usernames. Now it’s time to crack one of them. Again using WPScan, we point it at a file containing the usernames and we also point it at the wordlist we created earlier. Then we let it go to work cracking the usernames and passwords by using the following command: “WPScan --url https://wordy -U users.txt -P passwords.txt”. After a few minutes I got the following output.
BOOM! We got one! I immediately want to log into the admin console of the WordPress instance. You do this by going to http://wordy/wp-login.php; it is just a standard WordPress login page. And and and…. It let me in! We are at least into WordPress now! So where do we go from here?
Looking at the Users tab showed me that the previous usernames were correct. So far I’ve learned about WPScan, a tool I didn’t even know existed. And I’ve learned that it can accurately enumerate WordPress users, as well as brute-force WordPress login attempts. I also learned that these are legitimate over-the-wire login attempts.
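Both WPScan steps above leave a distinctive trail in the web server's access log, which is what a defender of a site like this would watch for. The following is an added example of mine, not code from the post or from WPScan: it parses constructed Apache combined-format log lines and flags a client that walks sequential /?author=N IDs and gets redirects back (one of the techniques WPScan's user enumeration relies on, since WordPress redirects to /author/<username>/) and a client that bursts POSTs at wp-login.php. The IPs, timestamps and user-agent string are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log sample (not captured from the DC-6 box): three author-ID
# probes answered with a redirect, a burst of POSTs to wp-login.php, and one ordinary visitor.
_PROBE = '192.168.1.50 - - [17/Jul/2019:21:02:1{s} +0000] "GET /?author={s} HTTP/1.1" 301 0 "-" "WPScan v3.5.3"\n'
_LOGIN = '192.168.1.50 - - [17/Jul/2019:21:05:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "WPScan v3.5.3"\n'
SAMPLE_LOG = (
    "".join(_PROBE.format(s=s) for s in range(1, 4))
    + "".join(_LOGIN.format(s=s) for s in range(0, 30))
    + '192.168.1.77 - - [17/Jul/2019:21:06:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"\n'
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(log_text):
    """Return (ip, timestamp, method, path, status) for each well-formed combined-log line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events

def detect(log_text, window=timedelta(seconds=60), login_threshold=20, author_threshold=3):
    """Return (ip, finding, count) tuples for clients whose traffic looks like a WPScan run."""
    author_hits = defaultdict(int)
    login_times = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        # /?author=N answered with 301/302 means the site redirected to /author/<username>/ (a username leak)
        if method == "GET" and path.startswith("/?author=") and status in (301, 302):
            author_hits[ip] += 1
        elif method == "POST" and path.startswith("/wp-login.php"):
            login_times[ip].append(ts)
    findings = [(ip, "author-id enumeration", n) for ip, n in author_hits.items() if n >= author_threshold]
    for ip, times in login_times.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window: largest number of POSTs inside `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= login_threshold:
            findings.append((ip, "wp-login brute force", peak))
    return findings

if __name__ == "__main__":
    for ip, what, n in detect(SAMPLE_LOG):
        print(f"{ip}: {what} ({n} requests)")
```

Thresholds are deliberately low for the sample; on a real site tune `login_threshold` to normal editor activity and pair the alert with rate limiting on wp-login.php.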
So what next? Following the video as a guide, the next step is to find a way to escalate to a local machine user. Looking at the WordPress user panel, we can see that they are using the activity monitor addon. Using a tool called searchsploit, we can search to see if there are any known vulnerabilities in this plugin. And as it turns out, there is:
This searches our local exploit database for any known exploits matching the term “activity monitor”. After we find one, we copy the HTML page to our desktop. After that we go into the source and do some slight editing. In the source there is a line calling localhost; we want to replace this with “wordy”, as this instance is not running on our local host. We also need to edit a call to the localhost IP and instead put in the IP of the “wordy” box.
From what I can tell, the exploit works like this: you open the HTML from the exploit page and hit the submit button. That then sends a web request to the activity monitor. However, this web request also runs a netcat command. That netcat command is our way in. We start a netcat listener on our Kali machine. The netcat command in the exploit will be run on the web server and open a reverse shell back to our Kali machine. So I started a listener… ran the exploit in a browser… BOOOOOMMM!!! My first reverse shell exploit completed!
So now that we have a shell, who are we? We are now www-data, the user running the web server. What can we do? Well, we can run any command that this user can run and we can access any files they can access. So let’s explore around a bit. In Mark’s home folder I found a folder called stuff. In Jen’s home folder I found a backup.sh script. Looking in Mark’s stuff folder, I find a file called things-to-do.txt. It says the following:
That’s right. It contains another username and password! I tried to log in to the WordPress portal with these creds. No dice! So let’s try them on the SSH server…. That’s it! They were SSH creds! So now we are in as an SSH user. I bet we won’t need our reverse shell anymore after this. Looking around as the “graham” user doesn’t really show me any more files that I can look at. Running the “sudo -l” command checks what permissions I have on the system. We can see that the backup.sh script pops up again; this time it says it is a script that I can run.
Let’s go check out that script. It is just a script to zip up a file. Watching my foreign video friend, he just puts /bin/bash at the end of it, then runs the script as the user “jens” with the following command: “sudo -u jens /home/jens/backups.sh”. Since the script is being run as another user, and since the script is now just calling another shell, this allows us to have a shell as the “jens” user. See how the username changes:
Running the same “sudo -l” command as jens shows that we can run the nmap program as root with no password as well. Until my foreign teacher showed me, I had no idea that nmap contained a scripting function. We quickly make a file containing an nmap script. Making the script is pretty easy; just run the following command: “echo "os.execute('/bin/bash')" > /tmp/root.nse”. All it will do is run nmap and then use it to open a bash terminal. The cool thing is, if we run it as sudo we are now root. Looking into the root directory shows us the flag .txt file. Then we can cat the flag… and WE WON!
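The two sudo rules used above (a script that the invoking user can edit, runnable as another user, and nmap runnable as root) are exactly what an administrator should catch before a box like this ships. The following is an added example of mine, not code from the post: it audits “sudo -l” style rule lines for both conditions. The usernames, paths and rule lines are constructed to mirror the walkthrough, and the file-ownership lookup is injectable so the audit can run against recorded data rather than only the live filesystem.

```python
import os
import re
import stat
from collections import namedtuple

# Binaries the walkthrough shows being turned into a shell under sudo: nmap
# (through its NSE scripting engine) and the shells themselves.
SHELL_CAPABLE = {"nmap", "bash", "sh"}
# Matches the per-rule lines of `sudo -l` output, e.g. "(jens) NOPASSWD: /home/jens/backups.sh"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")

Finding = namedtuple("Finding", "user runas cmd nopasswd reason")

def default_owner_and_mode(path):
    """Return (owner_uid, st_mode) for path, or None if it cannot be stat'ed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode

def audit_sudo_rules(user, sudo_l_lines, owner_and_mode=default_owner_and_mode):
    """Flag `sudo -l` rules that can hand `user` a shell as `runas`; owner_and_mode is injectable."""
    findings = []
    for line in sudo_l_lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "User graham may run ..." carry no rule
        runas, cmd = m["runas"], m["cmd"]
        nopasswd = "NOPASSWD:" in m["tags"]
        if cmd == "ALL" or os.path.basename(cmd) in SHELL_CAPABLE:
            findings.append(Finding(user, runas, cmd, nopasswd, "command can spawn a shell"))
        info = owner_and_mode(cmd) if cmd != "ALL" else None
        if info is not None:
            owner, mode = info
            # a sudo target that is not root-owned, or is group/world writable, runs whatever gets appended to it
            if owner != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(Finding(user, runas, cmd, nopasswd, "target is not root-owned or is group/world writable"))
    return findings

# Constructed `sudo -l` excerpts modelled on the two rules the walkthrough describes (hypothetical host name).
GRAHAM_SUDO = ["User graham may run the following commands on wordy:", "    (jens) NOPASSWD: /home/jens/backups.sh"]
JENS_SUDO = ["    (root) NOPASSWD: /usr/bin/nmap"]

if __name__ == "__main__":
    for f in audit_sudo_rules("graham", GRAHAM_SUDO) + audit_sudo_rules("jens", JENS_SUDO):
        print(f)
```

The fix for both findings is the same: sudo targets should be root-owned, mode 755 or tighter, and never a binary that can launch an interpreter.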
Really, I wouldn’t have gotten very far without that video. But I think we all need to start somewhere. I learned a lot about enumeration and privilege escalation. I also learned that I need to stick to it more and try more things out before I go running for a walkthrough. Warm up over. I’ll tackle DC-4 without help and see how far I can get… next time.