Pentesting – VulnHub: DC-1

Posted by

VulnHub is a fantastic starting point for those who are beginners to pentesting. All the machines that we’ll be hacking into are available as .ova downloads on VulnHub. I usually always import them into VMware Workstation, just because I’m more comfortable with Workstation than VirtualBox. Also, I’ll be using Kali Linux as my attacking machine.

The vulnerable machine that we’ll be using in this article is available here.

Note: The methodologies and tools that you learn from pentesting have real world applications. Do not attempt to try and hack into machines you’re not authorized to. I will not be held responsible for your actions.

Finding IP Address of DC-1

After powering up the machine in Workstation, the first step is to determine its IP address. We’ll need the IP address for all communications with DC-1. My personal choice is netdiscover.

So, the IP address of DC-1 is 192.168.248.144. Let’s modify our /etc/hosts file on Kali to reflect this.

Deep Nmap Scan

Now that we know the IP address of DC-1, we’ll scan it more deeply to get more information out of it. I have written a port scan bash script which is basically two nmap scans. The first scan determines open ports and the second scan uses the -A flag on those ports.

From the nmap scan, we can note the following:

  • Software: OpenSSH 6.0p1 Debian 4+deb7u7, Apache httpd 2.2.22, Drupal 7
  • OS: Linux 3.X

OpenSSH 6.0p1 was released on 2012-04-22, which is quite old so there might be vulnerabilities in it. However, we have more interesting and possibly easy entry options through port 80, so let’s go for that route first.

Port 80

Port 80 served a Drupal login form

From the nmap scan, we know the robots.txt file contains many entries, so let’s look into that.

It looks like the interesting pages like /admin and /cron.php are behind the login page that we saw.

For now, I don’t see any point in running dirbuster or other website directory enumeration tools since robots.txt gave us information about it.

Searchsploit

Let’s see if searchsploit gives us any interesting Drupal 7 exploits that we can use to log into the web application.

Let’s look at 'Drupalgeddon' SQL Injection (Add Admin User).

Looks like it was a success! We’re now logged into the web application as a Drupal 7 admin user. Our next aim is to find a location where we can upload a shell script.

Initial Access – Shell Upload and Execute

I found an article through Google-fu which outlines how to upload a shell on Drupal 7. Besides the steps in the article, there’s one additional step in our situation – to allow permissions for all users on the PHP filter module.

Once that is done, you’ll have a page like the following:

Upload a simple PHP reverse shell. Remember to change the IP address to your Kali’s IP. You can also change the port number if you feel like doing so.

Start a netcat listener on Kali: sudo nc -nlvp 443 and execute the shell from the browser (or even curl).

Nice! We now have a low privilege www-data user shell. Our next step would be to find a way to escalate privileges to another user or even root if possible.

In the raw shell that we receive on our netcat listener, you’ll notice that there is no auto-complete feature, command history, etc. But we can get all of those nice things! Follow these steps:

Privilege Escalation

Let’s find all programs which have the SUID bit set. I search for them specifically because when they are executed, they run with the privileges of their owner. If the owner is root and the program itself is vulnerable, we have a chance of escalating our privileges to root.

Focus on the /usr/bin/find program. find allows you to execute commands. In this case, it has the SUID bit set and it will run with root privileges. Nice! Let’s head off to GTFOBins to find how to exploit this weakness.

So, the command that will (hopefully) give us root shell is /usr/bin/find . -exec /bin/sh \; -quit. I omitted the -p flag because DC-1 is a Debian machine (verify with uname -a command).

Nice! We have root shell and we have successfully compromised the DC-1 machine!

Thank you for reading!

In this article, I gave you a small glimpse into the pentesting world. The methodology that we used in this article was very simple. We got a login form; got an exploit to get in; easily uploaded a shell; easily escalated privileges. This was a very simple machine to crack, even though you may not feel so at this point and that’s okay! You’re learning and I feel your pain!

Things will start getting spicy in the coming weeks, so hold on tight! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!

Feature image credit: https://www.360logica.com/blog/different-methodologies-penetration-testing/

Leave a Reply

Your email address will not be published.