Tovi Jaeschke


DC-1 Vulnhub CTF Walkthrough

Walkthrough for the DC-1: 1 vulnhub CTF

Recon

I started by finding the IP address of the VM using nmap.

nmap -sL 10.1.1.1/24
...
Nmap scan report for DC-1.lan (10.1.1.43)
...

Once I know the IP address is 10.1.1.43, I scan it with nmap using the -sV and -p- flags, which list the service information for ports 1 to 65535.

nmap -sV -p- 10.1.1.43
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-12 13:16 ACDT
Nmap scan report for DC-1.lan (10.1.1.43)
Host is up (0.00010s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
48280/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:7B:44:9C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds

After finding that port 80 is open, I open my web browser to have a look around and find that it is running Drupal.
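The nmap output above is the kind of thing I want to keep as a record of what the host exposes. The following script is an added example (it is not part of the original walkthrough) that parses the service table of an nmap -sV report into structured records and compares the open ports against an allowlist of what the host is expected to serve. The report text embedded in it is a constructed copy in the shape of the scan above, and the allowlist of expected ports is an assumption chosen for the example.

```python
"""Parse the open-port table from an `nmap -sV` text report and flag
services that are not on the host's expected-port allowlist.

Added example for this walkthrough, not part of the original post.
The report below is a constructed sample shaped like the scan output
shown above.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: same layout as the nmap -sV report quoted above.
SAMPLE_REPORT = """\
Nmap scan report for DC-1.lan (10.1.1.43)
Host is up (0.00010s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
48280/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:7B:44:9C (Oracle VirtualBox virtual NIC)
"""

# One row of nmap's port table: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_services(report: str) -> List[Service]:
    """Return one Service per port-table row; header and banner lines are skipped."""
    services = []
    for line in report.splitlines():
        match = PORT_LINE.match(line)
        if match:
            port, proto, state, name, version = match.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def unexpected_services(services: Iterable[Service], allowed_ports: Iterable[int]) -> List[Service]:
    """Open services whose port is not in the allowlist (assumed expected set)."""
    allowed = set(allowed_ports)
    return [s for s in services if s.state == "open" and s.port not in allowed]


if __name__ == "__main__":
    found = parse_nmap_services(SAMPLE_REPORT)
    # Assumption: this host is only meant to expose SSH and HTTP.
    for svc in unexpected_services(found, allowed_ports=[22, 80]):
        print(f"unexpected: {svc.port}/{svc.proto} {svc.name} {svc.version}")
```

Run it against a saved report (nmap -sV -p- -oN report.txt) by reading the file into parse_nmap_services; on the sample, the rpcbind and status listeners on 111 and 48280 are reported as unexpected, which is exactly the kind of exposure a host review should pick up.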

Exploitation

I start by doing a few scans with nikto and dirb, but I don't find much in terms of flags, so I move on to exploiting the Drupal site. I use the Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) exploit to create a new admin user, so I can have a bit more of a look at the site.

After a bit of poking around, I found flag3, which indicated that the privilege escalation would involve a file with incorrect permissions and would use the -exec argument (which is unique to the find command). I didn't find much else, so I then moved on to the Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) exploit.

Now that I had a shell, I looked around in the website root directory for the remaining flags.

After that, I used the find command to look for files with the SUID bit set. After finding that find itself has the SUID bit set, I check it by running "whoami" through -exec, then spawn a /bin/sh shell and read the final flag located in /root/.
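The root cause of this final step is a binary that should never have been SUID root. The script below is an added example (not part of the original walkthrough) showing the audit an administrator would run to catch that misconfiguration: it takes the output of find / -perm -4000 -type f -exec stat -c '%a %U %n' {} \; (mode, owner, path per line), checks the SUID bit from the octal mode, and reports root-owned SUID files that are not on an allowlist of binaries that legitimately need it, plus any SUID file that is group- or world-writable. The stat lines embedded below are constructed, and the allowlist is an assumption that should be replaced with the distribution's package-provided set.

```python
"""Audit SUID binaries against an allowlist of ones expected to be SUID root.

Added example for this walkthrough, not part of the original post.
Input format (one file per line) is what this command prints:
    find / -perm -4000 -type f -exec stat -c '%a %U %n' {} \\;
The sample below is constructed; the allowlist is an assumption.
"""
import stat
from typing import List, Set, Tuple

# Constructed sample of `stat -c '%a %U %n'` output; one entry is an odd one out
# (find), and one has a world-writable mode as a second kind of misconfiguration.
SAMPLE_STAT_OUTPUT = """\
4755 root /bin/su
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/find
4755 root /usr/bin/chsh
4757 root /opt/legacy/helper
"""

# Assumption: binaries a typical Debian host legitimately ships as SUID root.
EXPECTED_SUID_ROOT: Set[str] = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

Entry = Tuple[int, str, str]  # (mode, owner, path)


def parse_stat_lines(text: str) -> List[Entry]:
    """Parse 'octal-mode owner path' lines; paths may contain spaces."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        mode_str, owner, path = parts
        entries.append((int(mode_str, 8), owner, path))
    return entries


def unexpected_suid_root(entries: List[Entry], expected: Set[str] = EXPECTED_SUID_ROOT) -> List[str]:
    """Paths that are SUID, owned by root, and not on the allowlist."""
    return [
        path for mode, owner, path in entries
        if mode & stat.S_ISUID and owner == "root" and path not in expected
    ]


def writable_suid(entries: List[Entry]) -> List[str]:
    """SUID files that are group- or world-writable: anyone who can write
    the file can replace the code that runs as its owner."""
    return [
        path for mode, owner, path in entries
        if mode & stat.S_ISUID and mode & (stat.S_IWGRP | stat.S_IWOTH)
    ]


def remediation(path: str) -> str:
    """The fix an admin applies: drop the SUID bit (the file keeps working
    for its owner; only the privilege-granting bit is removed)."""
    return f"chmod u-s {path}"


if __name__ == "__main__":
    found = parse_stat_lines(SAMPLE_STAT_OUTPUT)
    for p in unexpected_suid_root(found):
        print(f"unexpected SUID root binary: {p}  ->  {remediation(p)}")
    for p in writable_suid(found):
        print(f"writable SUID file: {p}")
```

Run it by piping the real find/stat output into parse_stat_lines instead of the sample. On the sample, /usr/bin/find and /opt/legacy/helper are reported as unexpected SUID root binaries (find is the misconfiguration this box was built around), and /opt/legacy/helper is additionally reported as world-writable; the suggested fix for each is chmod u-s.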