top of page
Search

DC-1 walkthrough

DC-1 is a CTF challenge and it is designed for beginners so that they can gain knowledge about how CTF challenge works.we can download this machine from vulnhub website.

In this artcile we will try to get root access to this machine and will find the final flag.


Walkthrough


So our basic and first step is to find the IP of the machine . To find the IP we run the command : netdicover -i waln0 , here -i means the network interface to sniff and inject packets.

Now let's run nmap to check the open ports in the machine.

command used : nmap -A 192.168.43.17

In the above image we can see that port 22(SSH),80(HTTP),111(rpcbind) are open . So without wasting our time let's open the browser and browser HTTP Service.

As we can see that it is a Drupal website. we tried for SQL injection but it didn't work . So we tried for searching a exploit in metasploit framework and luckily there is an exploit for drupal.

  • use exploit/unix/webapp/drupal_drupalgeddon2

  • show options

  • set RHOST 192.168.43.17

  • exploit




we have a meterpreter session now let's type in shell to get a shell. after getting a shell we typed in ls /usr/bin/python* to check the version of python. the version 2 so we will use python one-liner to get a stable shell.

Now we executed the command which bash to know the bash machine is using and it is /bin/bash so we run the command bash to get a shell. then we change our directory to /home there we find a directory with name flag4 and we change our directory to flag4 then in this directory we have a file with name flag4.txt . we read the content of this file by using the cat command. All the steps are shown in the image clearly.

now we need to gain root access means privilege escalation ,here we try to find SUID binaries by using the command : find / -perm -u=s -type f 2>/dev/null

Now please read the article : https://www.haclabs.org/post/privilege-escalation-using-suid-binaries to know more about SUID binaries and how we get the root shell.

Similarly we executed the /bin/sh command to get the root shell and then we change our directory to root directory and by typing ls we can see a file with name thefinalflag.txt and this is our final flag .

we are root now!

0 comments

Recent Posts