CTF DC-2 Vulnhub Walkthrough

Hello friends! Today we are going to take on another CTF challenge known as "DC-2", which is available on vulnhub.com and was made by "DCAU".

Level of challenge: 2/10

Step-1: Discover the target machine using the command

"netdiscover -f -i eth0" [where -f is fast scan and -i is the interface name]; for us we get the IP 192.168.182.140

or "netdiscover -r 192.168.182.140/24" [where -r is the range and /24 is CIDR notation]

Step-2: Scan the target using the command

"nmap -sV -p- -Pn 192.168.182.140"

[where -sV is service version detection, -p- scans all ports and -Pn skips the ping probes used for host discovery]

or "nmap -A -p- 192.168.182.140"

[-A is aggressive scan and -p- is all ports]

We get two open ports: http on 80 and ssh on 7744.

Step-3: As http is open, we can go to the target's website by browsing to

https://192.168.182.140/ or https://dc-2/. In our case we get our first flag on the home page of dc-2.

#-----@_flag1.txt : " more passwords are always better for brute forcing"

So we use cewl to generate a password list and save it to kali/Desktop.

Step-4: Generate the password file with cewl using the command

"cewl https://192.168.182.140 > pass.txt" and save it to the desktop for further processing

Step-5: Use wpscan to enumerate the dc-2 website using the command

"wpscan --enumerate --url https://dc-2/" for usernames, and save them to user.txt on kali/Desktop

For us we find three usernames: 1) admin 2) tom and 3) jerry

So we brute force using these usernames via wpscan and find the passwords for each username.

After the scan we get results in username:password format

1) tom : parturient & 2) jerry : adipiscing

Step-6: Log in to the dc-2 website using these credentials and look at the info

We didn't find much in tom's profile but found another flag, flag 2, which says

#-----@_flag2.txt : " if you cannot exploit wordpress there is another way"

So we connect over ssh on port 7744 as tom using the command "ssh [email protected] -p 7744"

After getting a restricted rbash shell, we need to convert it to a regular /bin/bash shell, i.e. a higher shell.

Step-7: After ssh [email protected] we get rbash, so to get a /bin/bash shell we use the vim editor

Use the command ":set shell=/bin/bash", press Enter, and then type ":shell"

We now have a proper shell; use ls to list files and we get flag3.txt

#------@_flag3.txt : "Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he cause"

So we need to move to jerry's account with the su command for lateral movement: "su jerry" with the password adipiscing

Step-8: As jerry has low privileges, we cannot use many commands, so we need privilege escalation to a higher shell, i.e. a bash or root shell. Here we use git for escalation.

By running sudo -l we find out that tom can run as root without a password, so we go to /home/tom$ and use the git command "sudo git help add", which opens an editor, as we are using git help.

After it spawns, we type "!/bin/bash" for a higher shell and press Enter.

And yes, we get a shell, so we go to root and find the final flag, as tom doesn't require a password for root, and after cat final-flag.txt we get

#----@_final-flag.txt :


Well done! Congratulations! We have completed the CTF challenge for the DC-2 machine.
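
The two escapes used above (vim under rbash, and git's help viewer under sudo) both depend on a program that can start a shell being reachable from a restricted or privileged context. As an added example, not part of the original walkthrough, the Python script below audits sudoers text for such rules; the binary list, the function name audit_sudoers and the sample sudoers lines are assumptions constructed for illustration.

```python
import re

# Assumed short list of programs whose pager or editor can start a shell.
# The walkthrough itself uses two of them: vim (rbash) and git help (sudo).
SHELL_CAPABLE = {"git", "vim", "vi", "less", "more", "man"}

# Constructed sample sudoers content, not taken from the DC-2 machine.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
tom     ALL=(root) NOPASSWD: /usr/bin/git
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/*
deploy  ALL=(root) /usr/sbin/service nginx reload
%admin  ALL=(ALL) NOPASSWD: ALL
"""

SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\))?\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (line, who, command, nopasswd, reason) for each risky rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        match = RULE.match(line)
        if not match or line.startswith(SKIP):
            continue
        nopasswd = False
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            # A tag such as NOPASSWD: applies to this and the following commands.
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            binary = cmd.split()[0] if cmd else ""
            name = binary.rsplit("/", 1)[-1]
            if binary == "ALL":
                reason = "any command allowed"
            elif name in SHELL_CAPABLE:
                reason = f"{name} can start a shell as the target user"
            else:
                continue
            findings.append((lineno, match.group("who"), binary, nopasswd, reason))
    return findings

if __name__ == "__main__":
    for lineno, who, binary, nopasswd, reason in audit_sudoers(SAMPLE_SUDOERS):
        auth = "no password" if nopasswd else "password required"
        print(f"line {lineno}: {who} -> {binary} ({auth}): {reason}")
```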
