Download link: https://www.vulnhub.com/entry/dc-2,311/
Host discovery
Port scan
nmap -v -sV -A -p- 192.168.44.147
Browsing to port 80 fails, so the website cannot be reached
The likely cause is that the site's domain name does not resolve, so the name has to be bound manually in the local hosts file
Edit the hosts file and add an entry for the domain name
If saving fails with an insufficient-permissions prompt, right-click the file, choose Properties, then Security, edit the current user's permissions, and grant modify and save rights.
Then visit port 80 again; it is a WordPress site
After successful login, the first flag is found
According to the hint, cewl should be used to build a wordlist for brute forcing
First use the wpscan scanner to enumerate the usernames of the website
wpscan --url http://dc-2 -e u,vp
Use cewl to generate the wordlist
vi shy.txt
cewl http://dc-2 -w shy.txt
Brute force the logins with the usernames enumerated by wpscan and the wordlist generated by cewl; either burpsuite or wpscan can do this
wpscan is used here for convenience
wpscan --url http://dc-2 -e u -P /shy/shy.txt
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
Log in with the Jerry account and find the second flag. According to the hint, you can use a WordPress exploit or other methods
Try the obtained accounts and passwords against port 7744, which was found in the earlier scan; Tom can log in successfully
The cat command cannot be used, so use vi flag3.txt to view the content of flag3.txt
According to the hint, you need to switch to the Jerry user, but most commands cannot be executed, so the restricted shell has to be bypassed first
In the home/jerry directory, find the fourth flag; according to the hint, git is used to escalate privileges
sudo -l
Privilege escalation with git
sudo git -p help config
!/bin/sh
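Added example, not part of the original walkthrough: the last step works because a sudo rule lets the user run git as root, and git's help pager accepts !/bin/sh. The script below reads sudo -l output and reports rules that grant such a program, so they can be reviewed or removed; the sample output, the RISKY_BINARIES watch list and the function name audit_sudo_rules are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: report sudo rules that grant a program able to start a shell
# from its pager or editor, as git does in the last step above.

# Constructed sample of `sudo -l` output (host name and Defaults are made up).
SAMPLE_SUDO_L='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/systemctl status nginx'

# Assumed watch list: the two interactive programs this walkthrough uses.
RISKY_BINARIES="git vi"

# Reads `sudo -l` output on stdin and prints one line per risky rule:
#   <binary>|<run-as user>|<NOPASSWD yes/no>|<command as granted>
audit_sudo_rules() {
    awk -v risky="$RISKY_BINARIES" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    # Rule lines start with the run-as spec, e.g. "(root) NOPASSWD: /usr/bin/git"
    /^[ \t]*\(/ {
        line = $0; sub(/^[ \t]*\(/, "", line)
        runas = line; sub(/\).*/, "", runas)
        sub(/^[^)]*\)[ \t]*/, "", line)
        nopw = "no"
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            cmd = cmds[j]
            # Tags such as NOPASSWD: apply to this and the following commands
            while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(cmd, 1, RLENGTH); sub(/:.*/, "", tag)
                if (tag == "NOPASSWD") nopw = "yes"
                if (tag == "PASSWD") nopw = "no"
                cmd = substr(cmd, RLENGTH + 1)
            }
            split(cmd, words, " ")
            k = split(words[1], parts, "/")
            if (parts[k] in bad)
                printf "%s|%s|%s|%s\n", parts[k], runas, nopw, cmd
        }
    }'
}

# Demo run on the constructed sample
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

On a real host, pipe the output of sudo -l -U for each account into audit_sudo_rules and treat every reported line as a rule to tighten or drop.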