DC-1: Vulnhub Walkthrough
Hello friends! Today we are going to take another boot2root challenge known as “DC-1: 1”. The credit for making this VM goes to “DCAU”; it is a boot2root challenge in which our goal is to get root access to complete it. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
- IP Discovery using netdiscover
- Network scanning (Nmap)
- Surfing HTTP service port (80)
- Finding Drupal CMS
- Exploiting Drupalgeddon2 to get a reverse shell
- Finding files with SUID bit set
- Finding the “find” command with SUID bit set
- Getting root shell with “find” command
- Getting final flag
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover
We found our target –> 192.168.1.104
Our next step is to scan our target with nmap.
nmap -sV 192.168.1.104
The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 111(RPC)
We find that port 80 is running http, so we open the IP in our browser.
When we access the web service we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check if it is vulnerable to the Drupalgeddon2 exploit. We run the exploit against the target machine using Metasploit and are able to get a reverse shell.
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run
After getting a reverse shell we spawn a TTY shell using python. Then we search the server for files with the SUID permission set and find that the “find” binary has the SUID bit set.
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null
As the “find” binary has the SUID bit set, anything it executes runs as the “root” user. We create a file called “raj” and pass it to “find” with “-exec” to check whether the commands really run as root. The reason for creating a file is that “find” runs the “-exec” command once for every file it matches, so matching a single file runs the command only once.
After executing the command “whoami”, we find that we can run commands as root user. We now execute “/bin/bash” using “find” command and are successfully able to spawn a shell as root user. We now go to /root directory and find a file called “thefinalflag.txt”. We take a look at the content of the file and find a congratulatory message for completing the VM.
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;
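The same SUID search is also the basis of a simple hardening check. As an added example that is not part of the original post, this POSIX shell script uses the walkthrough's predicate to list SUID files and reports any that are not in an assumed baseline of binaries that legitimately need the bit; the baseline paths and the sample input are constructed and would need adjusting for a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit SUID binaries against a baseline.
# On DC-1 the unexpected entry is /usr/bin/find, which is why the box is rootable.

# Assumed baseline: binaries that normally carry SUID on a Debian-style host.
SUID_BASELINE="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /bin/mount /bin/umount /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd"

# Constructed sample, standing in for the output of the walkthrough's find command.
SAMPLE_SUID_LIST="/usr/bin/passwd
/usr/bin/find
/usr/bin/sudo
/bin/mount"

# Collect SUID regular files on the live system (same predicate as the walkthrough).
scan_suid() {
  find / -perm -u=s -type f 2>/dev/null
}

# Print every path in $1 (newline-separated SUID file list) that is not in the baseline.
unexpected_suid() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    [ -n "$path" ] || continue
    found=0
    for ok in $SUID_BASELINE; do
      if [ "$path" = "$ok" ]; then
        found=1
        break
      fi
    done
    if [ "$found" -eq 0 ]; then
      printf '%s\n' "$path"
    fi
  done
  return 0
}

# Remediation: strip the SUID bit from a binary that should not have it.
remove_suid_bit() {
  chmod u-s "$1"
}

# Demo on the constructed sample; pass --scan to audit the live host instead.
if [ "${1:-}" = "--scan" ]; then
  unexpected_suid "$(scan_suid)"
else
  unexpected_suid "$SAMPLE_SUID_LIST"
fi
```

Run on the sample it prints only /usr/bin/find; a monitoring job can diff this output against a known-good run to catch newly introduced SUID binaries.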
Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here
Hi Raj,
nice walkthrough, but few questions:
1. would you also be able to get the same shell without using metasploit?
2. I didn’t really get the last part of the walkthrough.
What exactly does “find / -perm -u=s -type f 2>/dev/null” do? and how do you find a SUID bit set?
Also I didn’t really understand the thing with find. How can you execute commands over find or why don’t you just run the commands directly?
Okay, then you spawn a shell as root with /bin/bash, the rest is clear, but yeah, it would be nice if you could help me out understanding it! 🙂
bro, he is checking suid bit set files using this command
find / -perm -u=s -type f 2>/dev/null
and he noticed find is having suid permissions
so he can run it with high privileges
There is one more flag
file name : flag4.txt
There is flag3 in Drupal Website. After spawning the shell, we can use Drush command to reset password of “admin” and read it. Thanks Raj, you are amazing.