# DC-1

Let's start with an nmap scan as always. I am running this machine in VirtualBox with an isolated network.

```
nmap -A -p- 10.6.6.18
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-04 10:07 PDT
Nmap scan report for DC-1.cyber.range (10.6.6.18)
Host is up (0.044s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4d659e6774c227a961660678b42488f (DSA)
|   2048 1182fe534edc5b327f446482757dd0a0 (RSA)
|_  256 3daa985c87afea84b823688db9055fd8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35298/tcp6  status
|   100024  1          41056/udp6  status
|   100024  1          45049/tcp   status
|_  100024  1          49811/udp   status
45049/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds
```

Alright, let's take a look at port 80.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FE1sRRhPEfzn6R8KDdTLq%2Fdc1.png?alt=media&#x26;token=d0649845-4787-4209-9d6a-f2156d482f7c" alt=""><figcaption></figcaption></figure>

Alright, a pretty standard Drupal login page. Let's have a look at Wappalyzer.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2F4m3EGA02v5xISBH3VkNf%2Fdc2wap.png?alt=media&#x26;token=b380f0c2-d207-4bf9-a0cf-8fb08dfb7aa7" alt=""><figcaption></figcaption></figure>

Drupal 7. Fire up msfconsole and search for Drupal 7 exploits.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FdGh83yVq1nhj3se3JaDd%2Fdcmsf.png?alt=media&#x26;token=4f5dbe2c-3fb2-4f02-a9a5-34a3691da587" alt=""><figcaption></figcaption></figure>

I tried 0 first but it didn't work. 1 was successful and I got a shell.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2Fr1mHwQJI4SXcfc4sbtTw%2Fflag1.png?alt=media&#x26;token=738b3ff9-dee6-46b0-a4a4-321ca21004b7" alt=""><figcaption></figcaption></figure>

Hmm, OK. Let's have a look at the home directory.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2F4DyFxMZn62HBUvJO3QVZ%2Fflag4.png?alt=media&#x26;token=6fa94fb6-b2fa-4305-9788-e64bf489e486" alt=""><figcaption></figcaption></figure>

Well, I skipped over the other flags (there are 5 on this machine). I ran linpeas.sh and saw that I could use find to gain root. And that's what I did. Low-hanging fruit for the win!

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FXIw0GtwMlGT7npHf3X0H%2Fpwd.png?alt=media&#x26;token=4bd1a929-44d8-44aa-b37a-9a84453d3eac" alt=""><figcaption></figcaption></figure>
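Seen from the defender's side, the `find` result above comes down to a setuid-root copy of a utility that can run other commands. The audit below is an added example, not part of the original walkthrough; the `BASELINE` and `RISKY_NAMES` lists and the sample entries are assumptions constructed for illustration.

```python
import os
import stat
import sys

# Assumed baseline of setuid-root programs a stock system is expected to ship.
BASELINE = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "newgrp"}
# Assumed deny list: tools that can execute commands or read arbitrary files,
# so a setuid-root copy gives its caller root. `find` is the case on this box.
RISKY_NAMES = {"find", "vim", "nmap", "awk", "less", "more", "cp", "env"}

def classify(path, mode, uid):
    """Return 'risky', 'unexpected' or None for one file's stat data."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None                  # not a setuid regular file
    if uid != 0:
        return None                  # setuid to a non-root owner: out of scope
    name = os.path.basename(path)
    if name in RISKY_NAMES:
        return "risky"               # remove the bit: chmod u-s <path>
    return None if name in BASELINE else "unexpected"

def audit(entries):
    """entries: iterable of (path, st_mode, st_uid); returns sorted findings."""
    findings = ((classify(p, m, u), p) for p, m, u in entries)
    return sorted((v, p) for v, p in findings if v)

def walk(root):
    """Yield stat data for every file under root, skipping unreadable ones."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            yield full, st.st_mode, st.st_uid

# Constructed sample: (path, mode, owner uid). 0o104755 = regular file + setuid.
SAMPLE = [
    ("/usr/bin/find", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/local/bin/backup-tool", 0o104755, 0),
    ("/usr/bin/ls", 0o100755, 0),
    ("/home/flag4/find", 0o104755, 1001),
]

if __name__ == "__main__":
    entries = walk(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for verdict, path in audit(entries):
        print(f"{verdict:10} {path}")
```

Run it with a directory argument (for example `/usr`) to audit a real host; with no argument it reports on the constructed sample.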

If you want to do some password cracking, you can find some hashes in flags 2 and 3. Here's how to do it.

After poking around for flag2, I found it in settings.php.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FNh62EGO8Hw4eNSZevrJn%2Fsettings.png?alt=media&#x26;token=17816521-c4eb-4e6b-bd09-05d7b76e33fc" alt=""><figcaption></figcaption></figure>

Log in to MySQL.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2Fx6j17LebkCXM7orWl4nz%2Fmysql.png?alt=media&#x26;token=13d8f348-2918-4a5b-95c1-acfe27aba02f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FMQ9uqwXt1hr53TeGa3uZ%2Fdatabases.png?alt=media&#x26;token=baeb89d1-1ea9-49a2-a780-014ab494c526" alt=""><figcaption></figcaption></figure>

`show tables` produces a pretty long list. I went for users as that seemed pretty straightforward.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FjfNvL976S4S0CaQE76YR%2Fusers.png?alt=media&#x26;token=00718203-fe12-4cbc-aa8c-b14a429e1acd" alt=""><figcaption></figcaption></figure>

And we have two users, admin and fred, along with their hashes. I used hashcat to crack both password hashes.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2F7Dbnuw7HkGrdYlyRlg6G%2Fadminhashcat.png?alt=media&#x26;token=34b79564-c82b-450f-bebe-9dbf81cdb52b" alt=""><figcaption></figcaption></figure>

You can use this password to log in to the admin panel and read flag3.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FzwMJQKQqaEJwJUuBKpDx%2Fflag3.png?alt=media&#x26;token=1b5ee79b-3d94-40b1-b545-6c878f371cbe" alt=""><figcaption></figcaption></figure>

I went to <https://gtfobins.github.io/gtfobins/find/> and used this method to read /etc/shadow.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FP9HoyxEgu3IwxoZiDXJw%2Fetcshadow.png?alt=media&#x26;token=5e0e5f20-fe1f-4adb-a6e8-1e4eb38d604a" alt=""><figcaption></figcaption></figure>

I did try cracking root's hash but failed. However, the user flag4... well, his password isn't so secure.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FDvGHObldrRNSy5GAmMof%2Fflag4.png?alt=media&#x26;token=4c22e639-0363-4fd5-92ed-ee313c89fe96" alt=""><figcaption></figcaption></figure>

With this you can log in via SSH and read root's flag and gain root privilege.

<figure><img src="https://2271353664-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc4yoWnnXV8DO0WadPB%2Fuploads%2FA77XwCtCNLgaG6wvrvjx%2Froot.png?alt=media&#x26;token=ae1cb437-ffd6-4b71-aeaa-7c9adf6aa9fc" alt=""><figcaption></figcaption></figure>

This box is beginner friendly with some pretty basic enumeration. Once you gain initial access, privilege escalation is just one command. Stay tuned for DC-2!
