Vulnhub DC-1 CTF Writeup : All 5 Flags

Vulnhub DC-1 CTF hacking challenge. With the DC-1 machine from Vulnhub we learn hacking a bit more closely, as if we were hacking a real machine.

I have all the steps and screenshots along with the output here, which should reduce any confusion. The writeup may seem long because of the many screenshots, but it actually takes about 10 minutes to do.

Download the VulnHub DC-1 Machine – https://www.vulnhub.com/entry/dc-1,292/

Discover the machine on the network with netdiscover or an nmap range scan.
Run netdiscover against your whole network or, if you know the interface VMware is connected to, against that interface: vmnet0, vmnet1 (Host-Only) or vmnet8 (NAT).
netdiscover -i vmnet8
Added the machine IP to the /etc/hosts file with the name dc-1.
Now run an nmap scan to see which ports are open, which services are running and their version numbers.

Running the nmap command in the terminal, the result shows Drupal 7 hosted on port 80:
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian)) Running Drupal
111/tcp open rpcbind 2-4 (RPC #100000)

We have some attack surface here, so we proceed with Drupal, opening the machine IP in our browser to explore Drupal 7.
We can try some user enumeration on the Drupal login page to see if we are lucky.
Or jump straight to checking whether we have anything in our arsenal against Drupal 7.

In Metasploit we search for Drupal exploits.

From the list we get, we choose one of the exploits and select it with the use command.

We should choose one with rank Excellent, although that is not mandatory.
So we choose exploit/multi/http/drupal_drupageddon
In msfconsole type: use exploit/multi/http/drupal_drupageddon
To see the options available for this particular exploit, type show options.

Set RHOST to dc-1 or the machine IP.

Now we are all set to launch the exploit, so type run or exploit.

Finally we have a reverse meterpreter shell here. Once we are in the machine, the first thing to do is find out which user we are, which tells us our permissions. Type getuid

Going through the files in the current directory with ‘ls’ gave us our first flag, flag1.txt

Viewing the contents of flag1.txt we get another hint, pointing towards the Drupal CMS config file.

I searched on Google and learned that the Drupal config file is at sites/default/settings.php

To view the content of settings.php we again type cat settings.php

Here we get our second flag at the top of the file, which is also the username and password to the Drupal database of dc-1

Brute force and dictionary attacks aren’t the only ways to gain access (and you WILL need access). What can you do with these credentials?

We spawn a Python shell to get a tty (pseudo-tty) shell so we can access the database.

We browse the drupal database now and look for anything worthwhile.

So we explore the drupal db further; we might have some usernames and passwords here.

We check the users table to see if we get anything here.

So we have usernames and passwords in hashed form here, which we will of course try to crack with hashcat or any other application you prefer.

I have copied the hash into a separate file, say hash.txt, and I will use one of the Kali Linux default wordlists, rockyou.txt. You can find rockyou.txt with locate rockyou.txt

After the hash is cracked we know the admin's password is: 53cr3t

So now we log in to the Drupal website of dc-1 and explore further. Under the content menu we find the third flag, flag3, which says

Special PERMS will help FIND the passwd – but you’ll need to -exec that command to work out how to get what’s in the shadow.

The SUID bit makes a program run with the privileges of the file's owner (root, for a root-owned binary), even when a different user is running it. So run the command to find out.

So we see that the find command has the SUID bit set, which means we can execute find as root. We saw earlier that we are actually www-data, but executing find will run it as root.
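
From the defender's side, the misconfiguration described above is easy to catch with a periodic audit. The following is an added example, not part of the original writeup: it lists setuid files that are not in an expected baseline. The ALLOWED_SUID list and the make_fixture helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid files that are not in an expected baseline.
# ALLOWED_SUID is an assumed baseline, not taken from DC-1; tune it per distro.
ALLOWED_SUID="su sudo passwd chsh chfn newgrp gpasswd mount umount ping"

# is_allowed NAME: succeeds when NAME is in the baseline.
is_allowed() {
    for allowed in $ALLOWED_SUID; do
        if [ "$allowed" = "$1" ]; then return 0; fi
    done
    return 1
}

# audit_suid DIR...: print "mode owner path" for every unexpected setuid file.
audit_suid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        if is_allowed "$(basename "$path")"; then continue; fi
        printf '%s %s\n' "$(ls -ld "$path" | awk '{print $1, $3}')" "$path"
    done
}

# make_fixture: build a constructed directory tree for a dry run and print
# its location. "find" and "passwd" get the setuid bit, "ls" does not.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/usr/bin"
    for f in find passwd ls; do : > "$dir/usr/bin/$f"; done
    chmod 4755 "$dir/usr/bin/find" "$dir/usr/bin/passwd"
    chmod 0755 "$dir/usr/bin/ls"
    printf '%s\n' "$dir"
}

# Run against the directories given on the command line, e.g. `sh audit.sh /`.
if [ "$#" -gt 0 ]; then audit_suid "$@"; fi
```

On the constructed fixture only the find entry is reported, since passwd is in the baseline and ls has no setuid bit. An unexpected entry on a real host is cleared with chmod u-s once you have confirmed nothing depends on it.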

We take a look at passwd file, that is always an interesting thing to do in Linux.

Guess what, we see flag4 in the passwd file. So we again crack the password, which is a hash. Same as earlier, use john or hashcat.

The flag4 values are altered in the picture because I was having fun with the machine.

Now the final flag. Let's navigate to /root. We see an error, so let's elevate our privileges. Let's check if we can.

Now check the user with whoami, and we are root.
Let's get the final flag.

So this Vulnhub machine is done. We will post more interesting CTFs soon, and each step in every CTF will be covered in detail in a separate post.