DC-2

[ vulnhub  ctf  walkthrough  ]

Goal

4 flags + root flag

Download

http://www.five86.com/dc-2.html

Walkthrough

nmap
alt text

default 80, wordpress with flag post
alt text

quick wpscan enumeration for users
alt text alt text

using cewl to build a wordlist and create user list
alt text

use wpscan password attack with our lists and find passwords for tom and jerry
alt text alt text

both tom/jerry can login to wp, but jerry can see pages which has flag2
alt text

neither users had admin rights to another route is needed as flag 2 suggests
alt text

try ssh over alternate 7744 port as tom using found credentials, works
alt text

we have a restricted shell, but some commands available. such as less to read flag3
alt text

flag 3 says we should su to jerry, but we need to break out of jail first
alt text

vi is available so we use it to break free
alt text alt text

we’re now out of jail and can read files freely
alt text

so we do as flag 3 states and su to jerry using found password from wp. with that flag 4 is found
alt text

check sudo and the hint is correct and we can sudo git without a password
alt text

move to top level of file structure, git init, add /root folder and commit. after committing we see our final flag. we then move back to home dir of jerry and clone the repo without sudo
alt text

final flag
alt text

Written on April 21, 2019
Share on: