Exploiting DC-2: From Web Enumeration to Git Privilege Escalation
The target virtual machine operates on the 192.168.85.0/24 subnet. Initial reconnaissance identifies active hosts, specifically 192.168.85.132, which exposes TCP ports 80 and 7744. Direct web access via IP address is rejected, requiring a local DNS override in /etc/hosts to map the dc-2 domain to the target. Automated vulnerability assessment highlights a WordPress deployment and discloses administrative endpoints alongside server metadata.
Standard authentication attacks against the login portal fail. A targeted wordlist is constructed by scraping the live site:
cewl -w generated_pass.txt http://dc-2
Concurrent user enumeration exposes three accounts: admin, jerry, and tom. These identifiers are compiled into user_list.txt. A dictionary attack pairing that user list with the scraped wordlist successfully recovers valid logins:
wpscan --url http://dc-2/ -U user_list.txt -P generated_pass.txt
The recovered credentials jerry:adipiscing grant access to the dashboard, revealing the first objective marker. Additional findings indicate SSH access on the non-standard port 7744.
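From the defender's side, the dictionary attack above leaves an unmistakable trace: one client issues many POST requests to wp-login.php that come back as 200 (WordPress re-renders the form on a failed login) and, if a password matches, a final 302 redirect into the dashboard. The script below is an added example, not part of the original write-up, that runs that check over a handful of constructed Apache combined-format log lines (the addresses reuse the write-up's 192.168.85.0/24 range; the user-agent strings are made up). It reports every source address whose failed-login count reaches a threshold, together with how many of its attempts succeeded.

```shell
#!/bin/sh
# Added example: detect password-guessing against wp-login.php in an Apache
# combined log. Sample lines are constructed for this example.

SAMPLE_LOG='192.168.85.1 - - [10/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.1 - - [10/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.1 - - [10/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.1 - - [10/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.1 - - [10/Jan/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.1 - - [10/Jan/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.1 - - [10/Jan/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://dc-2/wp-login.php" "scanner/constructed"
192.168.85.50 - - [10/Jan/2020:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (constructed)"
192.168.85.50 - - [10/Jan/2020:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://dc-2/wp-login.php" "Mozilla/5.0 (constructed)"'

# flag_login_bruteforce THRESHOLD
# Reads a combined-format log on stdin. For every client with at least
# THRESHOLD failed POSTs to wp-login.php it prints:
#   <ip> failed=<n> succeeded=<m>
# Combined-format fields: $1 client IP, $6 method (with leading quote),
# $7 request path, $9 HTTP status. A 302 on wp-login.php is the redirect
# WordPress issues after a successful login; a 200 means the form was
# redisplayed, i.e. the attempt failed.
flag_login_bruteforce() {
    awk -v t="$1" '
        $6 == "\"POST" && $7 == "/wp-login.php" {
            if ($9 == 302) ok[$1]++; else fail[$1]++
        }
        END {
            for (ip in fail)
                if (fail[ip] >= t)
                    print ip, "failed=" fail[ip], "succeeded=" (ok[ip] + 0)
        }
    '
}

# Stand-alone run: the scanner address trips the threshold, the legitimate
# user at .50 (one successful login, no failures) does not.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

A client that shows up with a non-zero succeeded count after a run of failures is the case worth paging on: the credential is now burned, and the account should be locked and its password rotated rather than merely rate-limited.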
Establishing a remote session using tom:parturient immediately restricts command execution within a confined shell environment (rbash). Identifying available executables reveals that vi remains permitted. Launching the editor and executing :set shell=/bin/sh followed by :shell bypasses the restriction, yielding a standard user prompt and the second marker. The session is further constrained by a PATH that omits the standard binary directories. Restoring access to the usual binaries requires:
export PATH=/usr/local/bin:/usr/bin:/bin
After path restoration, privilege delegation is examined. Switching to the jerry account and querying sudo permissions reveals execution rights for the git binary without password verification.
The configured sudo rule is leveraged to escalate to root. Invoking the help system for git opens a pager interface:
sudo git help config
Inside the pager, entering !/bin/bash executes an arbitrary shell command with elevated privileges, spawning a root prompt. The final objective is retrieved from the restricted directory.
Remediation requires disabling unused network listeners, sanitizing exposed web assets to prevent metadata leakage, and restricting sudoers configurations to enforce least-privilege principles.
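The git escalation above is a reminder that a sudoers rule is only as safe as everything the granted binary can itself launch: git opens a pager, and the pager runs commands. The audit script below is an added example, not part of the original write-up or of any tool it names, that parses a sudoers file and flags rules granting the two binaries this write-up shows spawning shells (git and vi) unless the NOEXEC tag is present, and marks any remaining NOPASSWD rule for review. NOEXEC is a real sudoers tag that stops the granted command from executing child processes (it works through LD_PRELOAD, so it constrains dynamically linked binaries only). The two sudoers snippets are constructed; the write-up states only that jerry could run git without a password, so the exact rule text is an assumption. Tags are treated per line rather than per command list, which is a simplification of real sudoers syntax.

```shell
#!/bin/sh
# Added example: audit sudoers rules for commands that can spawn a shell
# (here git and vi, the two binaries the write-up uses) and for NOPASSWD
# grants. Both sudoers samples are constructed, not the DC-2 machine's file.

WEAK_SUDOERS='# constructed: mirrors the rule described in the write-up
Defaults env_reset
root ALL=(ALL:ALL) ALL
jerry ALL=(root) NOPASSWD: /usr/bin/git
tom ALL=(root) NOPASSWD: /bin/cat /var/log/auth.log'

HARDENED_SUDOERS='# constructed: same intent, but git cannot exec children
# and is pinned to one subcommand; removing the rule entirely is better still
Defaults env_reset
root ALL=(ALL:ALL) ALL
jerry ALL=(root) NOEXEC: /usr/bin/git --git-dir=/srv/site.git log'

# audit_sudoers
# Reads sudoers text on stdin and prints one line per granted command:
#   <risk> <user> <binary> nopasswd=<0|1> noexec=<0|1>
# risk is HIGH for git/vi without NOEXEC, review for any other NOPASSWD
# grant, and low otherwise. Defaults lines, comments and root are skipped.
audit_sudoers() {
    awk '
        /^[ \t]*#/ || NF == 0 || $1 == "Defaults" || $1 == "root" { next }
        index($0, "=") == 0 { next }            # not a user specification
        {
            user = $1
            spec = substr($0, index($0, "=") + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop "(runas)"
            nopass = 0; noexec = 0
            # consume leading tags such as "NOPASSWD:" or "NOEXEC:"
            while (match(spec, /^[A-Z]+:[ \t]*/)) {
                tag = substr(spec, 1, RLENGTH)
                if (tag ~ /^NOPASSWD/) nopass = 1
                if (tag ~ /^NOEXEC/)   noexec = 1
                spec = substr(spec, RLENGTH + 1)
            }
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                sub(/[ \t].*/, "", c)              # keep the binary path only
                base = c; sub(/.*\//, "", base)
                if ((base == "git" || base == "vi") && !noexec) risk = "HIGH"
                else if (nopass)                                risk = "review"
                else                                            risk = "low"
                printf "%s %s %s nopasswd=%d noexec=%d\n", risk, user, c, nopass, noexec
            }
        }
    '
}

# Stand-alone run: the weak file produces a HIGH finding for jerry, the
# hardened file does not.
printf '%s\n' "$WEAK_SUDOERS" | audit_sudoers
printf '%s\n' "$HARDENED_SUDOERS" | audit_sudoers
```

Two points on the hardened rule: requiring a password would not have helped here, since jerry's own password is what sudo asks for and the attacker already held it; and NOEXEC only blocks child processes, so a root-running git can still write files as root, which is why deleting the grant beats constraining it. On a live host, run the function over the output of visudo -c -f or over /etc/sudoers and /etc/sudoers.d/* rather than the constructed samples.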