Vulnhub-DC 6

Hey everyone , I hope you all are doing good, In this post I will be sharing my walkthrough of vulnhub’s DC-6. Now this contains spoilers to the machine so I would highly encourage you to try it on your own ,if you are stuck then there is no shame in looking at the writeup so with further ado let’s jump in

Rustscan

rustscan -a 192.168.1.11 -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.                  
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |       
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |                  
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                  
The Modern Day Port Scanner.                                                                                                                        
________________________________________                                                                                                            
: https://discord.gg/GFrQsGy           :                                  
: https://github.com/RustScan/RustScan :                                  
 --------------------------------------                                   
😵 https://admin.tryhackme.com                                            
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                     
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.1.11:22                 
Open 192.168.1.11:80                 

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)                                                                   
| ssh-hostkey:       
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)      
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDHiBBFUtpw1T9DZyoXpMp3kg25/RgmGZRFFmZuTfV9SJPxJCvrQXdM6P5GfFLFcgnLlcOBhBbv33N9HvWisycRypK0uLK26bntqfyTAFCdM
Xcud7fKNgRBxJdN8onwl4Hly3wzRBJxFWqTdD1RF8viYH4TYIs5+WLpN7KihosjpbwzPpOnbDQZUw7GdHvosV7dFI6IMcF57R4G5LzSgV66GACNGxRn72ypwfOMaVbsoxzCHQCJBvd8ULL0YeAFt
NeHoyJ8tL3dZlu71Wt9ePYf7ZreO+en701iDqL6T/iyt3wwTDl7NwpZGj5+GrlyfRSFoNyHqdd0xjPmXyoHynp                                                              
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE+jke+7np4l7EWf0wgySSp3MtYFcI6klVOWm7tDjas8eDxc9jYOhR4uK7koa2CkQPDd18XJSt
0yNAGQFBb7wzI=                       
|   256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII1mnJveN8yJySEDhG8wjYqtSKmcYNdX5EVqzxYb92dP
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-methods:                      
|_  Supported Methods: GET HEAD POST OPTIONS                              
|_http-server-header: Apache/2.4.25 (Debian)                              
|_http-title: Did not follow redirect to http://wordy/                    
|_https-redirect: ERROR: Script execution failed (use -d to debug)                                                                                  
MAC Address: 08:00:27:59:AC:2F (Oracle VirtualBox virtual NIC)

We have two ports open 22 and 80 so we can’t do much with SSH since we don’t know the username , we will be enumerating port 80

PORT 80 (HTTP)

Going to web server it will shows that it’s being reidrected to a domain wordy

So let’s add the domain to /etc/hosts

After adding the domain name , let’s refresh the page

Now it loads , since this is a wordpress site we can use wpscan to enumerate for users

And it founds some users , we can also find plugins installed on wordpress with nse (nmap scripting engine)

I tried to find some exploits but they weren’t beneficial to us as there was a xss exploit for akismet and changing user permissions through user-role-editor exploit so in the end we have to brute force the credentials.

There was a hint given to use regarding brute forcing that we must grep for k01 so I did that

We’ll get the password for mark

After logging in , we can see that we are not administrator so that where user-role-editor comes into play.

I tried to exploit this vulnerability through metasploit but it seems that we needed to load this module , I failed to do this so I approached to exploit this manually

Click on user’s update profile button and intercept it

Now add ure_other_roles=administrator this paramter

And now we have become an admin on wordpress site ,cool. Add a php reverse shell in 404.php template

But it wasn’t getting updated

So last option was to go with metasploit

For stabilizing the shell

We see a note in mark’s home directory

With that password we switched to user graham, if we do sudo -l

Edited the script

Now it’s so much easier here , we can go GTFOBINS to see what we can do with nmap running as sudo

Now we cannot see the commands that we are typing so what we can do is make /bin/bash a SUID and exit out of this shell and execute /bin/bash -p this way bash will be executed as root and we will get a proper root shell