DC-6

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

http://www.five86.com/dc-6.html

Walkthrough

nmap
alt text

default 80, wordpress
alt text

wpscan enumerate, users found
alt text alt text

build users list and password list based on creator’s note regarding
alt text

run wpscan password attack, password found for mark
alt text alt text

login as non-admin. plugin activity monitor stands out
alt text

after some light enumeration, switch to google and find edb 45274
alt text

download and edit poc
alt text

setup listener and open poc file
alt text

submit poc request and reverse shell
alt text

break out of jail and list user home directories
alt text

enumerating found txt file with password for graham
alt text

ssh as graham
alt text

enumerating…found that we can sudo as jens, no password for a script that we can edit due to group permissions
alt text

edit script
alt text

escalate to jens
alt text

sudo as root with no password for nmap
alt text

echo text to spawn shell into nmap script, sudo with nmap calling script, root and root flag
alt text

Written on April 26, 2019
Share on: