Vulnhub - DC 1
Today, we are going to pwn DC 1 by DCAU7 from Vulnhub.
Description
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing. It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn. To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS. There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners. There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges. Depending on your skill level, you may be able to skip finding most of these flags and go straight for root. Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
Download Link : https://www.vulnhub.com/entry/dc-1,292/
Let's begin with our initial scan.
Nmap Scan Results
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
33699/tcp open unknown
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33699/tcp status
| 100024 1 34071/udp6 status
| 100024 1 37756/tcp6 status
|_ 100024 1 57057/udp status
33699/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:85:58:A6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Since there is an HTTP port open, let's start Gobuster.
Gobuster Results
Checking the web page shows that it is running Drupal, which is one of the well-known CMSs.
Since it is a Drupal site, we can use droopescan.
It shows us some possible versions. Let's search for any exploits available for them.
Method 1 (Metasploit)
While searching in Metasploit, there are more than 5 exploits, so I started testing them one by one! And finally this one works:
unix/webapp/drupal_drupalgeddon2
We got a shell
Method 2
Searchsploit gives us some exploits too. We know the version will be between 7.2x - 7.2x, so I randomly chose one and started testing it.
According to its description, we can use it to create our own admin account:
-u for username
-p for password
-t for url
I created a new admin user. Let's try logging in.
Successfully logged in.
To get a reverse shell, we can add a module that gives us a shell.
All we need to do is go to the module section.
Add a new module.
Once it is installed, go to the module and click the shell.
Now we can get a reverse shell using netcat.
Flag 1
While checking for any default creds in /var/www, I found Flag 2
Flag 3
Found it on the website
Got Flag 4
From /home
Privilege Escalation
Now we need to escalate privileges. I uploaded my Linux enumeration script and found an SUID binary.
GTFOBins helps us get root:
sudo find . -exec /bin/sh \; -quit
Flag 5
We got root!!
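The privilege-escalation step above works because a command-capable binary (find) carries the SUID bit. The audit below lists SUID-root files and flags any that can run arbitrary commands or that are missing from an approved baseline. It is an added example, not part of the original write-up; the risky-name list, the baseline path and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example: flag SUID-root binaries that should not be SUID.
# The risky-name list and the baseline file are assumptions for illustration.

# scan_suid ROOT: list root-owned SUID regular files under ROOT, one filesystem.
scan_suid() {
    find "${1:-/}" -xdev -type f -user root -perm -4000 2>/dev/null
}

# classify_suid BASELINE: read SUID paths on stdin, one per line.
# Prints "RISKY <path>" for binaries that can run arbitrary commands
# (flagged even if someone added them to the baseline),
# "NEW <path>" for paths missing from the approved baseline,
# and nothing for approved paths.
classify_suid() {
    baseline=$1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        verdict=
        case ${path##*/} in
            find|vi|vim|awk|env|perl|python*|bash|dash|sh|less|more|nmap)
                verdict=RISKY ;;
        esac
        if [ -z "$verdict" ] && ! grep -Fxq -- "$path" "$baseline"; then
            verdict=NEW
        fi
        if [ -n "$verdict" ]; then
            printf '%s %s\n' "$verdict" "$path"
        fi
    done
}

# demo: run the classifier over constructed paths (not taken from the DC-1 VM).
demo() {
    tmp=$(mktemp)
    printf '%s\n' /usr/bin/passwd /bin/su /bin/mount > "$tmp"
    printf '%s\n' /usr/bin/passwd /usr/bin/find /bin/su /opt/backup/helper |
        classify_suid "$tmp"
    rm -f "$tmp"
}

demo
# On a live host: scan_suid / | classify_suid /path/to/approved-suid.list
```

Any RISKY hit is fixed by removing the bit (chmod u-s on the reported path); NEW hits are reviewed and either added to the baseline or stripped.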