By bikupothen1615

# DC-6


DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn't an overly difficult challenge so should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs. Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pen testing device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly. This is VERY important.

CLUE

OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years.


Let's begin the hunt

We start with reconnaissance. Using nmap, we scan for open ports and find that ports 22 and 80 are open.

Using another nmap scan, we found usernames for the site.

The next step is a hidden-directory scan using gobuster with a SecLists wordlist. After the scan we found an admin login page for wordy.


We already have the clue to grep the passwords from rockyou.txt, so together with the usernames we found through the nmap scan we brute-force the login to find the correct credentials. Since wordy is a WordPress website, we use wpscan for the brute-force.



We found the username and password to be mark and helpdesk01 respectively, and successfully logged in to the site.
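From the defender's side, the wpscan run above leaves a very recognisable trace: a burst of POST requests to wp-login.php from one address. The following is an added example (not part of this walkthrough) of a small detector for that pattern over web-server access logs. The log lines are constructed, and the threshold and window are assumed starting values a defender would tune.

```python
"""Flag IPs that hammer the WordPress login endpoint.

Added example, not from the DC-6 walkthrough. SAMPLE_LOG is constructed;
THRESHOLD/WINDOW defaults are assumptions to be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; timestamp is %d/%b/%Y:%H:%M:%S %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# wp-login.php is what wpscan posts to; xmlrpc.php is the other common guessing endpoint.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_count} for IPs with >= threshold login POSTs inside any window."""
    recent = defaultdict(deque)  # per-IP timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Slide the window: discard attempts older than window_seconds.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def _line(ip, method, path, status, second):
    """Build one constructed combined-format log line at 10:00:<second>."""
    ts = f"12/Mar/2021:10:00:{second:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: 15 password guesses in 28 s from one host, 3 from another.
SAMPLE_LOG = (
    [_line("10.0.0.5", "POST", "/wp-login.php", 200, s) for s in range(0, 30, 2)]
    + [_line("10.0.0.9", "POST", "/wp-login.php", 200, s) for s in (5, 20, 40)]
    + [_line("10.0.0.9", "GET", "/wp-admin/", 302, 41)]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60 s")
```

A real deployment would feed this from the live log and pair it with a block or lockout action; rate limiting on wp-login.php (or a plugin that does it) is what stops the wpscan run in the first place.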

When we go through the dashboard we find a plugin named Activity Monitor. Looking for possible exploits for Activity Monitor in searchsploit, we found some.

So we downloaded the exploit named 50110.py.

We just changed the permissions of the file and executed it.

Using netcat we got a reverse shell and stabilized the connection.

We go back to the home directory, move into the jens folder and find a folder named stuff. When we open that folder we find a file named things-to-do.txt.

Now we have credentials for a new user named graham; since port 22 is open, we can connect over SSH.

We run sudo -l and find that we can run a file named backups.sh in the jens folder, so we move to that folder to read the file.

We check the permissions of the file and find it has read, write and execute permissions for the owner and the group. So we execute the file with the command

sudo -u jens ./backups.sh

and a tar file was created.

Now we add another netcat reverse shell to the file in order to get a shell as the user jens.



Now we have a shell as the user jens. When we run sudo -l we find that nmap can be run with sudo.

So with the help of GTFOBins we found the sudo command for nmap, executed it, got root access and found the only flag, named theflag.txt.
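Both privilege escalations above come from sudo rules that an administrator could have caught with a simple audit: graham may run a script as jens that members of the group can edit, and jens may run nmap as root, a program that can start a shell. As an added example (not code from this walkthrough), the script below parses sudoers-style rules and reports both kinds of problem. The sudoers lines, the script path and its file mode are constructed in demo(); SHELL_CAPABLE is a small assumed sample, not a complete list.

```python
"""Audit sudo rules for two weaknesses: a sudo target that non-root users can
modify, and a sudo target that can spawn a shell.

Added example, not from the DC-6 walkthrough. Rules, paths and modes in demo()
are constructed; SHELL_CAPABLE is an assumed, partial list.
"""
import os
import pwd
import re
import stat
import tempfile

# Programs documented (e.g. on GTFOBins) as able to run arbitrary commands when
# started via sudo. Assumed, partial list: extend it from your own review.
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "more", "find", "awk", "perl", "python3", "bash", "sh"}

# Matches "user host=(runas) [NOPASSWD:] cmd[, cmd...]"; the (runas) part is optional.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rule(line):
    """Parse one sudoers rule; return None for comments, blanks and Defaults lines."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line else None
    if not m:
        return None
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    # Keep only the command path of each entry; arguments are not needed here.
    cmds = [c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()]
    return {"who": m.group("who"), "runas": runas,
            "nopasswd": "NOPASSWD" in m.group("tags"), "cmds": cmds}


def writable_by_others(path, runas):
    """List the reasons someone other than root could change what sudo will run."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["path does not exist (stale rule, or command not given by absolute path)"]
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    reasons = []
    if owner not in ("root", runas):
        reasons.append(f"owned by {owner}, who is neither root nor the run-as user")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(sudoers_lines):
    """Return (who, command, problem) triples for every non-root rule that merits a look."""
    findings = []
    for line in sudoers_lines:
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root":
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                findings.append((rule["who"], cmd, f"any command as {rule['runas']}"))
                continue
            name = os.path.basename(cmd)
            if name in SHELL_CAPABLE:
                findings.append((rule["who"], cmd, f"{name} can spawn a shell as {rule['runas']}"))
            for why in writable_by_others(cmd, rule["runas"]):
                findings.append((rule["who"], cmd, f"sudo target {why}"))
    return findings


def demo():
    """Audit a constructed sudoers snippet built around a group-writable script."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "backups.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\ntar -czf /tmp/backup.tgz /var/www\n")
    os.chmod(script, 0o775)  # rwxrwxr-x: every member of the owning group can edit it
    sudoers = [
        "Defaults env_reset",
        "root ALL=(ALL:ALL) ALL",
        f"graham wordy=(jens) NOPASSWD: {script}",  # modelled on the graham -> jens rule
        "jens ALL=(root) NOPASSWD: /usr/bin/nmap",   # modelled on the jens -> root rule
    ]
    return audit(sudoers)


if __name__ == "__main__":
    for who, cmd, problem in demo():
        print(f"{who:8} {cmd:45} {problem}")
```

The fix on the box side is the mirror image of the findings: make sudo targets root-owned and not group- or world-writable, and never grant sudo on programs that can escape to a shell.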

Pwned!!!
