DC-1
https://www.vulnhub.com/entry/dc-1,292/
Let's start with an nmap scan as always. I am running this machine in VirtualBox with an isolated network.
    nmap -A -p- 10.6.6.18
    Starting Nmap 7.93 ( ) at 2023-06-04 10:07 PDT
    Nmap scan report for DC-1.cyber.range (10.6.6.18)
    Host is up (0.044s latency).
    Not shown: 65531 closed tcp ports (conn-refused)
    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
    | ssh-hostkey:
    |   1024 c4d659e6774c227a961660678b42488f (DSA)
    |   2048 1182fe534edc5b327f446482757dd0a0 (RSA)
    |_  256 3daa985c87afea84b823688db9055fd8 (ECDSA)
    80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
    |_http-title: Welcome to Drupal Site | Drupal Site
    |_http-generator: Drupal 7 ()
    | http-robots.txt: 36 disallowed entries (15 shown)
    | /includes/ /misc/ /modules/ /profiles/ /scripts/
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
    | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
    |_/LICENSE.txt /MAINTAINERS.txt
    |_http-server-header: Apache/2.2.22 (Debian)
    111/tcp   open  rpcbind 2-4 (RPC #100000)
    | rpcinfo:
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100024  1          35298/tcp6  status
    |   100024  1          41056/udp6  status
    |   100024  1          45049/tcp   status
    |_  100024  1          49811/udp   status
    45049/tcp open  status  1 (RPC #100024)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds
Alright, let's take a look at port 80.
Alright, a pretty standard Drupal login page. Let's have a look at Wappalyzer.
Drupal 7. Fire up msfconsole and search for Drupal 7 exploits.
I tried 0 first but it didn't work. 1 was successful and I got a shell.
Hmm, OK. Let's have a look at the home directory.
Well, I skipped over the other flags (there are 5 on this machine). I ran linpeas.sh and saw that I could use find to gain root. And that's what I did. Low-hanging fruit for the win!
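The finding above comes down to find being installed setuid root. As an added example (not part of the original write-up), here is a small audit a defender could run to catch that misconfiguration; the RISKY list, the sample paths and the baseline file name /etc/suid-baseline.txt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag setuid-root binaries that should not carry the bit.
# RISKY is an illustrative, non-exhaustive list of general-purpose tools.
RISKY="find vim vi nano less more awk gawk sed nmap perl python python3 ruby bash sh dash env cp tar"

# List regular files owned by root with the setuid bit set under a directory.
list_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null
}

# Read paths on stdin. Print "RISKY <path>" for tools named in RISKY and
# "REVIEW <path>" for anything missing from the baseline file given as $1.
classify_suid() {
    baseline="$1"   # one expected setuid path per line
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $RISKY " in
            *" $name "*) echo "RISKY $path"; continue ;;
        esac
        grep -qxF -- "$path" "$baseline" || echo "REVIEW $path"
    done
}

# Constructed sample: paths as list_suid_root might report them on a host like DC-1.
sample_paths() {
    printf '%s\n' /bin/mount /bin/su /usr/bin/passwd /usr/bin/find /usr/local/bin/backup
}

# Constructed baseline of setuid binaries the distribution is expected to ship.
sample_baseline() {
    printf '%s\n' /bin/mount /bin/su /usr/bin/passwd
}

# Run the classifier over the constructed sample.
audit_sample() {
    tmp=$(mktemp)
    sample_baseline > "$tmp"
    sample_paths | classify_suid "$tmp"
    rm -f "$tmp"
}

audit_sample
# Real use (hypothetical baseline path): list_suid_root / | classify_suid /etc/suid-baseline.txt
```

On a host where find is flagged, clearing the bit with chmod u-s on the binary removes this escalation path.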
If you want to do some password cracking you can find some hashes in flags 2 and 3. Here's how to do it.
After poking around for flag2 I found it in settings.php
Log in to MySQL.
show tables produces a pretty long list. I went for users as that seemed pretty straightforward.
And we have two users, admin and fred, along with their hashes. I used hashcat to crack both password hashes.
You can use this password to log in to the admin panel and read flag3.
I did try cracking root's hash but failed. However, the user flag4...well, his password isn't so secure.
With this you can log in via SSH and read root's flag and gain root privilege.
This box is beginner-friendly with some pretty basic enumeration. Once you gain initial access, privilege escalation is just one command. Stay tuned for DC-2!
I went to and used this method to read /etc/shadow.