Note: The methodologies and tools that you learn from pentesting have real-world applications. Do not attempt to hack into machines you are not authorized to test. I will not be held responsible for your actions.
Finding the IP Address of DC-2
After powering up the machine in Workstation, the first step is to determine its IP address. We’ll need the IP address for all communications with DC-2. My personal choice is
So, the IP address of DC-2 is 192.168.248.140. Let's modify our /etc/hosts file on Kali to reflect this.
Deep Nmap Scan
Now that we know the IP address of DC-2, we'll scan it more deeply to get more information out of it. I have written a port scan bash script which is basically two nmap scans. The first scan determines open ports and the second scan uses the -A flag on those ports.
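The two-stage script described above, written out as an added example (this is not the author's own script). It assumes nmap is installed and that the target name resolves, for instance through the /etc/hosts entry added earlier. The first stage sweeps every TCP port and saves grepable output; the second stage runs -A only against the ports found open, which is what keeps the slow scan short. The sample -oG file is constructed to match this page's findings (HTTP on 80, SSH on 7744) so the parsing function can be exercised without a live host.

```shell
#!/bin/sh
# Two-stage TCP port scan: a quick full-port sweep, then nmap -A on the open
# ports only. Added example; assumes nmap is on PATH and the target resolves.

# Print the open TCP ports from an nmap -oG (grepable) file as "80,7744".
# Prints nothing when the file lists no open port.
extract_open_ports() {
    grep -o '[0-9][0-9]*/open/tcp' "$1" 2>/dev/null \
        | cut -d/ -f1 \
        | sort -n -u \
        | tr '\n' ',' \
        | sed 's/,$//'
    return 0
}

# Constructed -oG sample in the shape nmap writes; the host and ports are
# made up to mirror the DC-2 findings on this page (80/http, 7744/ssh).
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -p- -oG quick.gnmap dc-2
Host: 192.168.248.140 (dc-2)  Status: Up
Host: 192.168.248.140 (dc-2)  Ports: 80/open/tcp//http///, 7744/open/tcp//ssh///  Ignored State: closed (65533)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}

# Stage 1 and stage 2 against a live target. Only the ports found open get
# the slower -A (version, OS and script) scan.
deep_scan() {
    target=$1
    quick="quick_${target}.gnmap"
    deep="deep_${target}.txt"
    nmap -p- -oG "$quick" "$target" >/dev/null || return 1
    ports=$(extract_open_ports "$quick")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports on $target: $ports"
    nmap -A -p "$ports" -oN "$deep" "$target"
}

# Usage: ./portscan.sh dc-2   (scans only when a target is given)
if [ $# -ge 1 ]; then
    deep_scan "$1"
fi
```

Reading the port list back from the -oG file rather than from the screen output is the point: nmap's grepable format is stable across versions, so the second stage never has to guess at column positions.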
From the nmap scan, we can note the following:
Apache httpd 2.4.10, OpenSSH 6.7p1 Debian
OpenSSH is running on port 7744 rather than the usual 22. SSH on port 22 is not mandatory; it is just popular and expected. But essentially, SSH can be listening on any port.
Port 80 served a WordPress website.
The flag tab says, Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl. This means that we may need to brute-force a login form using a custom wordlist. Nice tip!
We don't know where the login page is. So, we'll use a website directory enumeration tool like dirbuster to find the URIs of the various web directories that are not visible to us right now. My standard dirbuster search configuration for an Apache web server is:
dirbuster found the URI of the web login page, /wp-login.php. Since this is a practice machine and the flag is quite obvious, you can stop enumerating directories. In reality, I feel it's good to let it run for about half an hour.
Remember that the flag mentioned cewl. It's a tool to generate custom wordlists by parsing the content off a website.
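To show what cewl does under the hood, here is a small wordlist builder added as an example; it is not the cewl tool and not part of the original post. It strips HTML tags, splits the remaining text into words, keeps words of at least a minimum length (cewl's default is 3) and prints each unique word once. The sample page is constructed for the example; the cewl_lite wrapper and its use of curl are assumptions, included so the same function can be pointed at a real site.

```shell
#!/bin/sh
# cewl-style wordlist builder (added example, not the cewl tool itself).

# build_wordlist MINLEN -- reads HTML on stdin, prints the wordlist on stdout.
# LC_ALL=C keeps the ordering stable regardless of the caller's locale.
build_wordlist() {
    min=${1:-3}                         # cewl's default minimum word length is 3
    sed -e 's/<[^>]*>/ /g' \
        | tr -cs '[:alpha:]' '\n' \
        | awk -v min="$min" 'length($0) >= min' \
        | LC_ALL=C sort -u
}

# Fetch a page and build its wordlist (needs network; not run by default).
# Usage: cewl_lite http://dc-2/ 5 > dc2_wordlist.txt
cewl_lite() {
    curl -s -L "$1" | build_wordlist "${2:-3}"
}

# Constructed sample page standing in for the DC-2 WordPress front page, made
# up for this example so the function can be exercised offline.
write_sample_html() {
    cat <<'EOF'
<html><head><title>DC-2 blog</title></head>
<body><h1>Welcome to DC-2</h1>
<p>Poor old Tom is always running after Jerry.</p>
</body></html>
EOF
}

# Example run: write_sample_html | build_wordlist 5
```

The minimum length matters for the same reason it does in cewl: short tokens bloat the list without adding plausible passwords, and a site's own vocabulary (names, product terms, taglines) is exactly what a generic wordlist lacks.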
Now that we have our custom wordlist, we'll brute-force the credentials of the WordPress login form. There is a tool called wpscan which will be helpful here. If you know how to use hydra, you can use that as well.
wpscan --url http://dc-2 --enumerate -w /path/to/cewl/wordlist/dc2_wordlist.txt
We didn't get the admin password, but that's okay. We got the credentials of two other users. Nice! Now that we have user access to the web portal, the next step is to find a location to upload a shell script.
Y U NO Upload?
I found an upload location in the Media Library section but that was a dead-end.
I wanted to try another bypass technique using Burp Proxy, but then I remembered that users reuse passwords.
Consequences of Password Reuse
SSH is running on port 7744. Before I dive into shell upload bypass techniques, I wanted to test my hypothesis that either tom might have used the same password for their
tom reused his web portal credentials for SSH login. This is why it's important to have different passwords for different portals.
Breaking out of Restricted Shell
You might have noticed that the shell that we got is very restricted. There’s not much we can work with. Let’s break out!
vi is a great friend!
Type vi at the console and press Enter. Type the following commands into vi:
:set shell=/bin/sh
:shell
These commands set the shell configuration variable and then invoke it. A restricted shell only limits what the shell itself will run; any permitted program that can spawn a subprocess, such as vi, steps around it, which is why such programs are normally kept out of restricted environments.
We still have the privileges of tom. Let's check what programs tom can execute as
Ah, well. We need to somehow switch to another user account.
jerry did not reuse his web credentials in
Another flag in the home directory of tom says: "Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes."
jerry reused his web credentials in his system account! Nice!
Let's check what programs jerry can execute as
So, we can execute git with root privileges. Let's head off to GTFOBins and see how git can be used to escalate privileges.
So, I need to set a PAGER environment variable with the mentioned value. DC-2 does not allow me to preserve the environment, so the -E flag must not be used with sudo.
Note: On executing sudo git help config, a vi-like editor opens where you need to type !/bin/sh as mentioned in GTFOBins. You'll then get the root shell.
Nice! We have a root shell and have successfully compromised the DC-2 machine!
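The sudo check above (list what jerry may run, then look the program up on GTFOBins) is the same check an administrator should run on their own hosts before an intruder does. The following audit script is an added example, not part of the write-up: it reads saved "sudo -l" output and flags every rule that hands out a program with a documented shell escape, or ALL. The list of shell-capable programs is a small illustrative subset and the sample output is constructed; it mirrors the git rule from this page and adds a made-up second rule to show comma-separated commands being handled.

```shell
#!/bin/sh
# Audit "sudo -l" output for rules granting a program that can spawn a shell
# (the GTFOBins pattern used above with git). Added example, not part of the
# original write-up. Typical use: sudo -l > rules.txt; audit_sudo_rules rules.txt

# Illustrative subset of programs with a documented shell escape; extend it
# from GTFOBins as needed. This list is an assumption made for the example.
SHELL_CAPABLE="git vi vim less more man find awk python python3 perl nano ed bash sh"

# Print "user_spec<TAB>program" for every rule granting a shell-capable
# program or ALL. Defaults lines and everything else are ignored.
audit_sudo_rules() {
    awk -v list="$SHELL_CAPABLE" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) known[names[i]] = 1 }
        /^[[:space:]]*\(/ {
            line = $0
            match(line, /\([^)]*\)/)
            spec = substr(line, RSTART, RLENGTH)                  # e.g. "(root)"
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", line)   # drop the runas spec
            while (line ~ /^[A-Z]+:/)                             # drop tags such as NOPASSWD:
                sub(/^[A-Z]+:[[:space:]]*/, "", line)
            m = split(line, parts, ",")                           # one rule may list several commands
            for (i = 1; i <= m; i++) {
                cmd = parts[i]
                sub(/^[[:space:]]+/, "", cmd)
                split(cmd, toks, /[[:space:]]+/)
                bin = toks[1]                                     # the program, before any arguments
                base = bin; sub(/.*\//, "", base)
                if (bin == "ALL" || (base in known)) print spec "\t" bin
            }
        }' "$1"
}

# Constructed "sudo -l" output. The git rule mirrors this page; the less/ls
# rule is made up to exercise the comma handling. env_reset is the sudo default
# that makes "sudo -E" fail without a SETENV tag, which is why PAGER could not
# simply be preserved from the calling shell.
write_sample_sudo_l() {
    cat > "$1" <<'EOF'
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/less, /bin/ls
EOF
}
```

Any line the audit prints is a rule to justify or remove: granting git or less as root is equivalent to granting a root shell, and NOPASSWD only makes it quieter.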
Thank you for reading!
In this article, we used a different methodology compared to DC-1. We did not upload any shell script after we logged into WordPress. Instead, we exploited the fact that users reuse their credentials across different services. We also looked at a technique that uses vi to break out of a restricted shell, and we learnt how to find programs that can be executed with sudo.
Thank you for reading and if you have any questions, please leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credit: https://www.360logica.com/blog/different-methodologies-penetration-testing/