Vulnhub - DC2 Walkthrough
This is the second machine in the DC series, and it includes brute-forcing WordPress credentials. This writeup will take you through each step of rooting this machine.
Let’s see what we can find on the website.
/etc/hosts file and then visit the website.
It’s a WordPress website. Instead of running any tool like gobuster let’s just run
I got some users:
and some vulnerabilities:
None of the vulnerabilities looks usable since they need authentication.
After looking around a bit I found a message on
So we can use CeWL to generate the password list and then try it with wpscan.
➜ ruby cewl.rb http://dc-2/ > passwords.txt
and pass that list to
I first tried it with tom and got the correct password.
tom / parturient
and surprisingly I also found
jerry / adipiscing
So I tried to see if I could find the admin password, but nope, there wasn’t any match for that ;)
After logging in using jerry's credentials I found a page called
We can’t exploit this because there are no templates or themes to edit to run our reverse shell.
The message on that page is referring to the SSH service, because that is the only remaining entry point.
Let’s see if we can log in using the credentials we found via
I couldn’t log in using jerry's credentials but I was in using
But when I tried running commands like cat it gave
So I used the vim trick, i.e.
This will give us a shell, but I was still not able to run commands like
This could mean that /bin/sh might be missing from the PATH. We can run
tom@DC-2:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
This will fix the problem for us.
This says something about the su command, so we should try to change to jerry's account using the su command.
Since we already have jerry's password, adipiscing, we can su easily.
The first thing I checked was the sudo right for
I found a way on GTFOBins to use git for privilege escalation.
We can run sudo git -p help config and when the output stops we can type !/bin/sh to get us a
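One way to catch the misconfiguration behind this step before someone else does, as an added example that is not part of the original writeup: a small Python audit that flags sudoers rules letting a user run a shell-capable program as root. The sample rules, the user names and the SHELL_CAPABLE list are constructed for illustration.

```python
import os
import re

# Programs that can start a shell from inside their own interface. git and vim
# are the two this walkthrough relies on; pagers are what "git -p" pipes into.
SHELL_CAPABLE = {"git", "vim", "vi", "less", "more", "man"}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC):\s*")

def audit_sudoers(text):
    """Return (who, command, reason) for rules that can yield a root shell."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        who, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        if not {"root", "ALL"} & set(re.split(r"[:,\s]+", runas)):
            continue  # rule cannot run anything as root
        nopasswd = noexec = False
        for cmd in map(str.strip, cmds.split(",")):
            # Tags apply to the command they prefix and to the ones after it.
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                else:
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            name = os.path.basename(cmd.split()[0]) if cmd else ""
            auth = "no password" if nopasswd else "password required"
            if name == "ALL":
                findings.append((who, cmd, f"unrestricted root ({auth})"))
            elif name in SHELL_CAPABLE and not noexec:
                findings.append((who, cmd, f"shell escape to root ({auth})"))
    return findings

# Constructed sample rules, not the DC-2 machine's real sudoers file.
SAMPLE = """\
alice   ALL=(root) NOPASSWD: /usr/bin/git
bob     ALL=(root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/syslog
carol   ALL=(www-data) NOPASSWD: /usr/bin/vim
dave    ALL=(ALL:ALL) /usr/bin/systemctl restart nginx, /usr/bin/man
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{who:8} {cmd:14} {reason}")
```

sudo's NOEXEC tag stops a dynamically linked program from running further commands, which is why bob's pager rule is not reported; it also breaks programs that depend on helper processes, so for those the rule itself has to go.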
Had fun doing this one, because I learned another way to escape the rbash shell.
Thanks to @DCAU7 for this machine.
Thanks for reading. Feedback is always appreciated.