DC-1 : Vulnhub Walkthrough

Link :

https://www.vulnhub.com/entry/dc-1,292/

Goal : To find the 5 flags. These flags are hints for further steps. The location of these flags are just an indicator where a good penetration tester should look. An alternative approach could also be to directly get to root.

Blog notes :

  1. attacker machine : I used a kali linux machine for all my attack labs.
  2. victim machine : It is available in vulnhub, please follow the above link.
  3. Enumeration : means listing and searching for information. It refers to knowing more about your victim machine. It is very general term. list of users, list of directories, list of open ports, list of vulnerabilities.

Step 1 — Active Information Gathering

  • Host Discovery
Host Discovery — Ping Sweep

I know the layout of my virtual testing environment. Hence, the target IP address is : 192.168.137.146

  • Port Scanning
Port Scanning

I wanted to know what all services are running on the target IP address. Hence, I ran TCP port scanning. You could include UDP port scanning too. I found that SSH, HTTP and rcpbind services were running. HTTP services are running, means it must have a webpage.

Accessing website on the target machine

The website is built using Drupal. Drupal is one of the content management system framework. We could categorize this in web app running on HTTP server. These type of pen-testing are called web application pen-testing.

Step 2 — Vulnerability Scanning

I directly moved on to this step as this is my personal lab environment. I used nmap to find vulnerabilities in Drupal webapp.

nmap vulnerability scanning script

Considering the vulnerability I did some more google search and I found an exploit in metasploit that we could use named “drupal_drupageddon”.

Step 3 — Exploitation

  1. Start metasploit in attacker machine.
  2. use exploit/multi/http/drupal_drupageddon
  3. Now we need to step up proper parameters for the exploit.
drupal_drupageddon parameters details

4. After setting the proper metasploit exploit parameters we got a successful exploit and got a meterpreter shell. By default metasploit uses meterpreter shell.

Step 4 — Enumeration

Now we have direct access to victim machine such that we could run linux commands on it.

Just traversing through directories, I found flag4.txt in “/home” directory.

flag4.txt

Similarly from some more traversing I found flag1.txt in “/var/www”.

flag1.txt

Alternatively you could search the complete computer for the file with name starting with “flag*”.

Along with files and directories one could always search for text inside all files. Doing so we reach to the next flag.

flag2

From flag2 I found information that

  1. “What can you do with these credentials?” refer to the credentials below the flag2.
  2. I found a database user and its password. It is a mysql database.

But is there any mysql database running? Yes a mysql database is running on the victim system. I then used the credentials to get access to the database.

flag3

flag3 was one of the node of drupal.

nodes in Drupal

Now only the last flag is left. Note that until now we a just a standard user “www-data” not the root user.

Step 5 — Privilege Escalation

Please refer to my tool privilege escalation and enumeration.

Instead of writing notes on privilege escalation I developed a tool which I could I use directly during penetration testing.

Hence using the tools to find SUID tools.

SUID files

SUID files : means those which which have root privileges but could be used by normal users also.

I found a file “find”. I you are beginner then you may not get this. But using “find” command we could execute linux commands. As “find” has SUID privileges, any command we execute via “find” will be executed with root privileges.

thefinalflag.txt

Important Takeaway from this lab :

  1. Always go through configuration files of services running on victim system. In these files there may be password in clear text, or some other information that could help in penetration testing.
  2. Try to find tools and file that have SUID permission, this provides us to execute root commands with normal user.
  3. If database services are running, try to get credentials of DB admin or just access to database where you could search for hashed passwords and stuff. Note that in SSH we could also login using password hash.

--

--

--

Learner. Curious about Security

Love podcasts or audiobooks? Learn on the go with our new app.

Ransomware Scammers Get Scammed Themselves By Tor Proxy Hack

{UPDATE} Stick Agent Hack Free Resources Generator

Why a person must know or be aware of cyber threats at this century?

Cyber Risk Assessment: Do’s and Don’ts

{UPDATE} Retro Runners X2 Hack Free Resources Generator

{UPDATE} Little Bee ABC Free Preschool and Kindergarten ABC Hack Free Resources Generator

“Quantum Cryptography: The Next-Generation of Secure Data Transmission.” (From our Forums.)

BoringDAO x Immunefi Bug Bounty

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Takshil Patil

Takshil Patil

Learner. Curious about Security

More from Medium

Website Hacking — XSS (Cross Side Scripting)

redherd-framework-a-collaborative-and-serverless-framework-for-orchestrating-a-geographically-distri…

Let’s learn WebApp Pentest from basic on DVWA. From setup to hack. Part6. File Upload(Low to High).

HTB impossible password write-up