VulnHub is a fantastic starting point for those who are beginners to pentesting. All the machines that we’ll be hacking into are available as .ova downloads on VulnHub. I always import them into VMware Workstation, just because I’m more comfortable with Workstation than VirtualBox. Also, I’ll be using Kali Linux as my attacking machine.
The vulnerable machine that we’ll be using in this article is available here.
Note: The methodologies and tools that you learn from pentesting have real world applications. Do not attempt to hack into machines you’re not authorized to. I will not be held responsible for your actions.
Finding IP Address of DC-1
After powering up the machine in Workstation, the first step is to determine its IP address. We’ll need the IP address for all communications with DC-1. My personal choice is netdiscover.

So, the IP address of DC-1 is 192.168.248.144. Let’s modify our /etc/hosts file on Kali to reflect this.

Deep Nmap Scan
Now that we know the IP address of DC-1, we’ll scan it more deeply to get more information out of it. I have written a port scan bash script which is basically two nmap scans. The first scan determines open ports and the second scan uses the -A flag on those ports.

From the nmap scan, we can note the following:
- Software: OpenSSH 6.0p1 Debian 4+deb7u7, Apache httpd 2.2.22, Drupal 7
- OS: Linux 3.X
OpenSSH 6.0p1 was released on 2012-04-22, which is quite old, so there might be vulnerabilities in it. However, we have more interesting and possibly easier entry options through port 80, so let’s go for that route first.
Port 80
Port 80 served a Drupal login form.

From the nmap scan, we know the robots.txt file contains many entries, so let’s look into that.

It looks like the interesting pages like /admin and /cron.php are behind the login page that we saw.
For now, I don’t see any point in running dirbuster or other website directory enumeration tools since robots.txt already gave us that information.
Searchsploit
Let’s see if searchsploit gives us any interesting Drupal 7 exploits that we can use to log into the web application.

Let’s look at 'Drupalgeddon' SQL Injection (Add Admin User).

Looks like it was a success! We’re now logged into the web application as a Drupal 7 admin user. Our next aim is to find a location where we can upload a shell script.
Initial Access – Shell Upload and Execute
I found an article through Google-fu which outlines how to upload a shell on Drupal 7. Besides the steps in the article, there’s one additional step in our situation: granting all users permission to use the PHP filter module.

Once that is done, you’ll have a page like the following:

Upload a simple PHP reverse shell. Remember to change the IP address to your Kali’s IP. You can also change the port number if you feel like doing so.

Start a netcat listener on Kali: sudo nc -nlvp 443, and execute the shell from the browser (or even curl).


Nice! We now have a low privilege www-data user shell. Our next step would be to find a way to escalate privileges to another user, or even root if possible.
In the raw shell that we receive on our netcat listener, you’ll notice that there is no auto-complete feature, command history, etc. But we can get all of those nice things! Follow these steps:

Privilege Escalation
Let’s find all programs which have the SUID bit set. I search for them specifically because when they are executed, they run with the privileges of their owner. If the owner is root and the program itself is vulnerable, we have a chance of escalating our privileges to root.

Focus on the /usr/bin/find program. find allows you to execute commands. In this case, it has the SUID bit set and it will run with root privileges. Nice! Let’s head off to GTFOBins to find how to exploit this weakness.
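The defender-side counterpart to this check, added here as example code that is not part of the original walkthrough: it compares a SUID listing against an allowlist of binaries that are expected to be SUID-root on a Debian host and emits the chmod commands that would strip the bit from anything unexpected, such as find on DC-1. The allowlist and the sample listing are assumptions constructed for the example.

```python
import os
import shlex
import stat

# Binaries that are normally SUID-root on a Debian system. This allowlist
# is an assumption for the example; build yours from a known-good baseline.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Constructed sample of what `find / -perm -4000 -type f` might print on a
# host like DC-1; /usr/bin/find is the entry that should not be there.
SAMPLE_LISTING = """\
/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
"""

def audit_suid(listing, allowlist=EXPECTED_SUID):
    """Return the SUID paths in `listing` that are not on the allowlist."""
    unexpected = []
    for line in listing.splitlines():
        path = line.strip()
        if path and os.path.normpath(path) not in allowlist:
            unexpected.append(path)
    return unexpected

def remediation_commands(paths):
    """Commands that drop the SUID bit from each unexpected binary."""
    return [f"chmod u-s {shlex.quote(p)}" for p in paths]

def live_suid_listing(root="/"):
    """Enumerate SUID regular files under `root` on the running host."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.join(dirpath, name))
    return "\n".join(hits)

if __name__ == "__main__":
    print("\n".join(remediation_commands(audit_suid(SAMPLE_LISTING))))
```

On a real host, pass `live_suid_listing()` to `audit_suid` instead of the constructed sample and review each hit before removing the bit.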

So, the command that will (hopefully) give us a root shell is /usr/bin/find . -exec /bin/sh \; -quit. I omitted the -p flag because DC-1 is a Debian machine (verify with the uname -a command).

Nice! We have a root shell and we have successfully compromised the DC-1 machine!
Thank you for reading!
In this article, I gave you a small glimpse into the pentesting world. The methodology that we used in this article was very simple. We got a login form; got an exploit to get in; easily uploaded a shell; easily escalated privileges. This was a very simple machine to crack, even though you may not feel so at this point and that’s okay! You’re learning and I feel your pain!
Things will start getting spicy in the coming weeks, so hold on tight! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credit: https://www.360logica.com/blog/different-methodologies-penetration-testing/