DC-1 : Vulnhub Walkthrough
Link :
https://www.vulnhub.com/entry/dc-1,292/
Goal : To find the 5 flags. These flags are hints for further steps. The location of these flags are just an indicator where a good penetration tester should look. An alternative approach could also be to directly get to root.
Blog notes :
- attacker machine : I used a kali linux machine for all my attack labs.
- victim machine : It is available in vulnhub, please follow the above link.
- Enumeration : means listing and searching for information. It refers to knowing more about your victim machine. It is very general term. list of users, list of directories, list of open ports, list of vulnerabilities.
Step 1 — Active Information Gathering
- Host Discovery
I know the layout of my virtual testing environment. Hence, the target IP address is : 192.168.137.146
- Port Scanning
I wanted to know what all services are running on the target IP address. Hence, I ran TCP port scanning. You could include UDP port scanning too. I found that SSH, HTTP and rcpbind services were running. HTTP services are running, means it must have a webpage.
The website is built using Drupal. Drupal is one of the content management system framework. We could categorize this in web app running on HTTP server. These type of pen-testing are called web application pen-testing.
Step 2 — Vulnerability Scanning
I directly moved on to this step as this is my personal lab environment. I used nmap to find vulnerabilities in Drupal webapp.
Considering the vulnerability I did some more google search and I found an exploit in metasploit that we could use named “drupal_drupageddon”.
Step 3 — Exploitation
- Start metasploit in attacker machine.
use exploit/multi/http/drupal_drupageddon- Now we need to step up proper parameters for the exploit.
4. After setting the proper metasploit exploit parameters we got a successful exploit and got a meterpreter shell. By default metasploit uses meterpreter shell.
Step 4 — Enumeration
Now we have direct access to victim machine such that we could run linux commands on it.
Just traversing through directories, I found flag4.txt in “/home” directory.
Similarly from some more traversing I found flag1.txt in “/var/www”.
Alternatively you could search the complete computer for the file with name starting with “flag*”.
Along with files and directories one could always search for text inside all files. Doing so we reach to the next flag.
From flag2 I found information that
- “What can you do with these credentials?” refer to the credentials below the flag2.
- I found a database user and its password. It is a mysql database.
But is there any mysql database running? Yes a mysql database is running on the victim system. I then used the credentials to get access to the database.
flag3 was one of the node of drupal.
Now only the last flag is left. Note that until now we a just a standard user “www-data” not the root user.
Step 5 — Privilege Escalation
Please refer to my tool privilege escalation and enumeration.
Instead of writing notes on privilege escalation I developed a tool which I could I use directly during penetration testing.
Hence using the tools to find SUID tools.
SUID files : means those which which have root privileges but could be used by normal users also.
I found a file “find”. I you are beginner then you may not get this. But using “find” command we could execute linux commands. As “find” has SUID privileges, any command we execute via “find” will be executed with root privileges.
Important Takeaway from this lab :
- Always go through configuration files of services running on victim system. In these files there may be password in clear text, or some other information that could help in penetration testing.
- Try to find tools and file that have SUID permission, this provides us to execute root commands with normal user.
- If database services are running, try to get credentials of DB admin or just access to database where you could search for hashed passwords and stuff. Note that in SSH we could also login using password hash.
