
In this DC-1 vulnhub walkthrough I demonstrate how to exploit the running services on DC-1 and escalate privileges to capture the root flag. I also show why Docker is becoming a convenient way to run powerful applications for the purposes of ethical hacking.

Realizing how easy Docker makes running complex applications raises the question, what can it do for ethical hacking? In this article I demonstrate how one application can do just that.

Docker makes it easy to run applications in containers. Just take a look at therecipe/qt, the perfect example of why you should be using Docker. There are pages and pages of dependencies that need to be installed in order to use qt. What did the author do to make it easier? Docker. Instead of spending hours installing dependencies and praying that nothing at all goes wrong, you use Docker. Fetching the image is a single docker pull, and building it is another one-liner, docker build.

Want to start using Docker for developing professional-looking apps? Read the article now! https://ethicalhackingguru.com/learn-go-one-hour-writing-gui-app/

Here’s What You Need

  • Kali Linux Virtual Machine (VirtualBox)
  • DC-1 Virtual Machine from vulnhub

Droopescan & Docker

Since Docker is installed by default in Kali Linux, the only thing left to do is to get droopescan. Clone the repository from GitHub, then change into the new directory to advance to the next step.

$ git clone https://github.com/droope/droopescan.git
$ cd droopescan

The next step is to build. The build command tells Docker to build a new Docker image based on an existing Dockerfile. The Dockerfile in the droopescan repository holds all the commands Docker needs to build the droopescan image. Take a look at the Dockerfile.

Simply (re)start the Docker service to get started, then issue the build command. The -t flag means “tag” the image with a name. In this case the name is droope/droopescan.

# restart the docker service
$ sudo service docker restart

# build
$ docker build -t droope/droopescan .

Now that the image is built there is a usable Docker container that can be started with the run command. The --rm flag means remove the container's filesystem when it exits. It saves disk space and is geared towards running a container for a short task. Perfect for this example.

$ docker run --rm droope/droopescan scan drupal -u http://10.0.2.6

Exploit without using Metasploit

For those preparing for the OSCP exam, the use of Metasploit is avoided if possible.

$ searchsploit -m 34992

The exploit found in exploitdb is 34992. It exploits a SQLi (SQL injection) vulnerability in order to add a new administrator user to the Drupal site.

Droopescan found an ‘interesting URL’.

Exploiting Drupal to get a shell

This exploit attacks the SQLi vulnerability, creating a new user on the site.
SQLi vulnerability exploited and now there is a new user on the site, let’s login!

Login as Hacker

Login as the newly created administrator user hacker with the password pass.

hacker:pass for new login

So you have administrative access to the Drupal site, but how does that lead to a remote shell back to Kali Linux? The easy solution is to add a new module that adds a new feature to the site: an interactive webshell. To do so, get the shell module from https://www.drupal.org/project/shell and upload it to the Drupal site using the admin interface.

The newly installed module now needs to be enabled to work.

Have to turn on the module to use it first!

And now find the shell by revisiting the home page of the site and finding the shell tab.

There is the new Shell feature!

Once you open a new webshell it is time to open a connection back to Kali Linux. Start a netcat listener on port 1234. Kick off a connection back to it from the shell on the Drupal site by using netcat's execute flag (-e) to send a shell.

You will see a connection back to Kali immediately!

Linux Privilege Escalation

Misconfigurations in Linux security settings lead to abuse of privileges and privilege escalation. Looking through all these settings is time consuming, and that is why I rely on automated tools to do the leg work. One such tool is LinEnum, https://github.com/rebootuser/LinEnum. Serve it from Kali with a local Python web server (python -m SimpleHTTPServer 80) and fetch it from the Drupal webshell with wget.

Interesting SUID Files

The output of LinEnum reveals that the SUID bit is set on one of the native Linux binaries, find. The file is owned by root. Running the binary and abusing the inputs it can accept leads to a root bash shell.

This Drupal shell is a full fledged interactive shell.

Use find's -exec parameter to open a new bash shell as root.

There is the final flag along with the goodbye message!
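The root flag here came from a single misconfiguration: a general-purpose binary (find) left SUID root. The following audit script is an added example, not part of the walkthrough or of LinEnum; it lists SUID files owned by root and flags any that are not on a baseline allowlist, so a defender can catch this class of misconfiguration before an attacker does. The allowlist is a constructed, minimal baseline and should be replaced with one taken from a known-good build of the host.

```shell
#!/bin/sh
# Added example (not from the DC-1 walkthrough): audit SUID-root binaries.
# Assumes POSIX sh and find(1). The allowlist is a constructed baseline of
# helpers that legitimately need SUID on a typical Debian-style host.

ALLOWLIST="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /bin/su /bin/mount /bin/umount \
/bin/ping /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# Print every regular file under $1 (default /) that is owned by root and has
# the SUID bit set, one path per line. -xdev keeps the scan on one filesystem.
list_suid_root() {
    find "${1:-/}" -xdev -type f -user root -perm -4000 2>/dev/null
}

# Read paths from stdin; print each one that is not in the allowlist.
# Returns 0 if everything was expected, 1 if at least one path was flagged.
flag_unexpected() {
    rc=0
    while IFS= read -r path; do
        case " $ALLOWLIST " in
            *" $path "*) ;;   # expected SUID helper, nothing to report
            *)
                printf 'UNEXPECTED SUID root binary: %s\n' "$path"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Run the full audit only when explicitly asked, so sourcing the file for
# its functions (or running it as a library) does not scan the whole disk.
#   AUDIT_SUID_ROOT=/ sh suid_audit.sh
if [ -n "${AUDIT_SUID_ROOT:-}" ]; then
    list_suid_root "$AUDIT_SUID_ROOT" | flag_unexpected
fi
```

On DC-1 this would report /usr/bin/find (a tool that can run arbitrary commands through -exec, which is exactly why it must never be SUID). The fix is to clear the bit (chmod u-s on the binary) and to keep web-writable and other untrusted filesystems mounted with the nosuid option so a dropped binary cannot gain the same property.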
