I'm not critiquing the author because they are awesome!  However, I would say that dc-3 seems easier than dc-2 and if someone were to do these in order, this one would be later, not sooner.  That being said, I believe dc-6 was also easier and dc-5 is on my weekend list because it is different than the others.  Or perhaps at first glance, I missed something obvious with dc-5.  Time will tell.  

This machine was cool and it would definitely make a beginner think outside of the box.  It incorporates tools and technologies that you might not see every day.  I'm obviously trying not to spoil -- if someone is here just looking for a hint.  

All I'm saying though is my collection looks good but it's missing one more:

Kicking off with Nmap:

We find a web port open and even though it's redirecting to a name, I did not need to add the name to my hosts file.

Firing up Nikto:

We see WordPress hints. 

Moving to the browser:

We find a WordPress site.  I'm not hunting for flags, I don't know how many exist, but a few crossed my path and I snagged them by coincidence.  That being said, these flags contain hints and since it did create a path, perhaps I got them all. 

Flag numero uno:

Cewl is a wordlist creation tool.  We'll get to that in a moment. 


Nothing interesting. 

Moving to WPScan:

Again, not much.

Enumerating users:

A lengthy output, eventually we get to users:

Now that we have something to brute, let's create that wordlist:

-d = depth, 5 levels
-m = word length, minimum 4 characters

Now we're going to put our three users into a users.txt file and we're going to brute them with our newly created wordlist:

Once again, a lengthy output and finally:

We get a couple of passwords. 

Logging in as jerry:

When we are logged in:

We see that we are unable to upload anything. 

We do find another flag though:

Viewing the page:

I'm thinking password reuse and I move to SSH:

When I get in, I'm in jail. 

Checking out my environment:

I have access to vi which means I can break out:

Once in vi, :set shell=/bin/bash

Then, we can execute :shell

When we get out of jail, we test that we are really out with cd.  We are truly out, so we add a normal PATH variable.

Grabbing some flags:

In the other flag:

We get a hint.  With the password we retrieved from WordPress, we switch to the Jerry account:

When we get sudo -l, we see we are able to run /usr/bin/git without a password.  

Similar to what we did with vi, we're going to see if we can break out of git into a shell running as root:

/usr/bin/git running on behalf of root, now the breakout:

Once we're out:

We are #root

Snagging the final flag.
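
The defender's view of the sudo -l finding above, as an added example that is not part of the original write-up: a Python audit that flags sudoers rules granting binaries this post shows handing out a shell. The function name, the SHELL_CAPABLE set and the sample sudoers lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Binaries this write-up shows spawning a shell (vi's :shell, git under sudo).
# Assumption: extend this set from your own policy; it is not exhaustive.
SHELL_CAPABLE = {"git", "vi"}
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample sudoers content, not copied from the DC machine.
SAMPLE_SUDOERS = """\
Defaults secure_path="/usr/sbin:/usr/bin"
jerry ALL=(root) NOPASSWD: /usr/bin/git
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/vi /etc/motd
ops ALL=(ALL) /usr/bin/git
%admin ALL=(ALL:ALL) NOPASSWD: ALL
"""


def audit_sudoers(text):
    """Return (who, command, nopasswd) for rules that can hand out a shell.

    Simplified parser: aliases and #include files are not expanded.
    """
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False
        # Drop Runas specs such as (root) before splitting the command list.
        for item in re.sub(r"\([^)]*\)", "", m["cmds"]).split(","):
            item = item.strip()
            # A tag (NOPASSWD:, PASSWD:) stays in effect for later commands.
            while (t := TAG.match(item)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                item = item[t.end():]
            if not item:
                continue
            binary = PurePosixPath(item.split()[0]).name
            if item == "ALL" or binary in SHELL_CAPABLE:
                findings.append((m["who"], item, nopasswd))
    return findings


if __name__ == "__main__":
    for who, cmd, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} ({'NOPASSWD' if nopasswd else 'password required'})")
```

The backup rule is flagged even though vi is pinned to a single file, because the :shell escape used earlier does not depend on the file argument.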