
DC-1 Vulnhub Walkthrough
DC-1 Vulnhub – Description
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing. It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn. To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS. There are multiple ways of gaining root, however, some flags have been included containing clues for beginners. There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.
Methodology:
- IP Discovery using netdiscover
- Network scanning (Nmap)
- Browsing the HTTP service on port 80
- Finding Drupal CMS
- Exploiting Drupalgeddon2 to get a reverse shell
- Finding files with SUID bit set
- Finding the “find” command with SUID bit set
- Getting root shell with “find” command
- Getting final flag
- Using nmap to find opened ports & running services.
- Detecting technologies used to build web apps.
- Checking robots.txt file.
- Searching & using public exploits.
- Uploading shell to drupal CMS.
- Creating reverse shell using ncat (nc).
- Privilege escalation using SUID binaries.
- Collecting important information from PHP configuration files.
- Cracking Linux credentials.
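The SUID steps above (finding files with the SUID bit set, and noticing that "find" is one of them) are also the core of a defender's hardening check: compare the SUID binaries actually present against the set you expect, and treat anything extra as a misconfiguration to remove. The audit script below is an added example and is not part of the original walkthrough; the `EXPECTED_SUID` baseline is an assumed allowlist for a Debian-style host, and `build_demo_tree()` creates a constructed fixture under a temp directory (a normal SUID `passwd` next to a wrongly SUID `find`) so the audit runs offline without touching the real filesystem.

```python
import os
import stat
import tempfile

# Assumed baseline: binaries that normally carry the SUID bit on a
# Debian-style host. Constructed for this example; tune it per image.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
}


def find_suid_files(root):
    """Walk `root` and return the set of regular files with the SUID bit set.

    Symlinks are not followed (os.walk default), so a link pointing outside
    `root` cannot drag the walk across the whole filesystem; directories and
    files that cannot be read are skipped rather than aborting the audit.
    """
    hits = set()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.add(path)
    return hits


def audit_suid(root, expected=EXPECTED_SUID, strip_prefix=None):
    """Return (unexpected, known): SUID files not in / in the allowlist.

    `strip_prefix` lets a test tree under a temp dir be compared against
    absolute baseline paths such as /usr/bin/passwd.
    """
    found = find_suid_files(root)
    if strip_prefix:
        found = {p[len(strip_prefix):] for p in found if p.startswith(strip_prefix)}
    unexpected = sorted(found - set(expected))
    known = sorted(found & set(expected))
    return unexpected, known


def build_demo_tree():
    """Constructed fixture: a fake root with a legitimately SUID `passwd`,
    a deliberately SUID `find` (the DC-1 misconfiguration) and a plain `ls`."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, suid in (("usr/bin/passwd", True), ("usr/bin/find", True), ("bin/ls", False)):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755 | (stat.S_ISUID if suid else 0))
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    unexpected, known = audit_suid(demo, strip_prefix=demo)
    print("expected SUID binaries :", known)
    print("UNEXPECTED SUID binaries:", unexpected)  # /usr/bin/find lands here
```

Run it against a real host with `audit_suid("/")` as root and no `strip_prefix`; anything reported as unexpected should be either added to the baseline after review or have the bit cleared with `chmod u-s`. Scheduling this as a periodic check is a cheap way to catch the kind of drift DC-1 is built around.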
Brute force
- root@kali:~# hydra -l root -P /usr/share/wordlists/rockyou.txt 10.0.2.6 ssh
- root@kali:~# ncrack -p 22 --user root -P /usr/share/wordlists/rockyou.txt 10.0.2.6
Drupal 7
Creating an admin user (exploit found with searchsploit)
python /usr/share/exploitdb/exploits/php/webapps/34992.py
Shell https://www.drupal.org/project/shell
Drupalgeddon2
Drupal had insufficient input sanitization on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject …
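The fix Drupal shipped for this (SA-CORE-2018-002) was a request sanitizer that drops any incoming parameter whose name begins with `#` before form handling runs, because the Form API treats such keys as render-array properties rather than user data. The Python below is an added example that re-implements that idea for a generic request dict; it is not Drupal's own code, the `query`/`form`/`cookies` layout of the request is an assumption of this example, and `SAMPLE_REQUEST` is a constructed input. The removed-key log line doubles as a detection signal: a sudden burst of stripped keys on a Drupal 7 host is worth alerting on.

```python
import json
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("request-sanitizer")


def strip_hash_keys(value, allowlist=frozenset(), path=""):
    """Return (cleaned, removed_paths) for `value`.

    Every mapping key that starts with '#' and is not in `allowlist` is
    dropped, recursing into nested dicts and lists; `removed_paths` records
    where each dropped key sat, e.g. 'form[mail][#type]'.
    """
    removed = []
    if isinstance(value, dict):
        cleaned = {}
        for key, sub in value.items():
            key_path = f"{path}[{key}]"
            if isinstance(key, str) and key.startswith("#") and key not in allowlist:
                removed.append(key_path)
                continue
            sub_clean, sub_removed = strip_hash_keys(sub, allowlist, key_path)
            cleaned[key] = sub_clean
            removed.extend(sub_removed)
        return cleaned, removed
    if isinstance(value, list):
        cleaned = []
        for i, sub in enumerate(value):
            sub_clean, sub_removed = strip_hash_keys(sub, allowlist, f"{path}[{i}]")
            cleaned.append(sub_clean)
            removed.extend(sub_removed)
        return cleaned, removed
    return value, removed


def sanitize_request(request, allowlist=frozenset(), log_removals=True):
    """Sanitize the 'query', 'form' and 'cookies' parts of a request dict
    (assumed layout for this example) and log what was stripped."""
    cleaned = {}
    all_removed = []
    for part in ("query", "form", "cookies"):
        cleaned[part], removed = strip_hash_keys(request.get(part, {}), allowlist, part)
        all_removed.extend(removed)
    if log_removals and all_removed:
        log.warning("stripped %d '#'-prefixed input key(s): %s",
                    len(all_removed), ", ".join(all_removed))
    return cleaned, all_removed


# Constructed sample: a benign password-reset submission plus one nested
# parameter whose name starts with '#', which must never reach the Form API.
SAMPLE_REQUEST = {
    "query": {"q": "user/password", "destination": "node"},
    "form": {
        "name": "alice",
        "form_id": "user_pass",
        "mail": {"#type": "textfield", "value": "alice@example.test"},
    },
    "cookies": {"has_js": "1"},
}


if __name__ == "__main__":
    cleaned, removed = sanitize_request(SAMPLE_REQUEST)
    print(json.dumps(cleaned, indent=2))
    print("removed:", removed)  # ['form[mail][#type]']
```

Placing this in front of the application (as a WSGI middleware or in the web server layer) is a stop-gap only; patching Drupal core to a fixed release is the real remediation, and the log line is what a SOC would wire into an alert.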
*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by alakboom. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/3hXvqq-g0hY/