DC-1 Box from OffSec’s Proving Ground
Cyb0rgBytes here, back again with another write-up. As always, and in every penetration testing engagement, we start with the first phase, which is information gathering.
Our handy tool for this task is nmap, used as follows:
From the scan we get the following results:
I noticed that port 80 (HTTP) is open. Looking at the web page, I could see that the site runs a CMS, to be precise Drupal, and that the version is 7, so I searched with searchsploit using the keyword "searchsploit Drupal" and got the following exploits:
From this screenshot we have a variety of options to try out. I tried one of them, but it didn't go through, so moving on.
What really helps in these engagements is finding out more and more about the target; this is where enumeration plays a vital role in our strategy. By running gobuster (an enumeration tool for scanning for web directories) we find the following web directories:
From this list we find an admin page, which seems interesting.
Later on, after a bit of looking around, I found out, as I mentioned before, that the Drupal CMS version is 7 and that there is an exploit for it that is automated in Metasploit, which we can use to our advantage:
The exploit abuses a Drupal property injection in the Forms API; these versions are affected:
Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.
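As an added defender-side check (not part of the original write-up), the Python helper below compares a Drupal core version against exactly the ranges quoted above, so an admin can triage whether a site is patched. It assumes each "<" bound applies to its own minor branch (7.x below 7.58, 8.3.x below 8.3.9, and so on), that "6.x" and "8.2.x" mean every release on that branch, and that the first line of a Drupal 7 CHANGELOG.txt reads "Drupal 7.NN, date"; branches the write-up does not list are reported as not matching.

```python
"""Triage a Drupal core version against the affected ranges quoted in the write-up:
Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1.

Assumption: each '< X.Y.Z' bound covers its own minor branch; 6.x and 8.2.x are
affected in full. Branches not listed on the page are reported as not matching.
"""
import re
from typing import Optional, Tuple

# Drupal 8 branches named on the page: minor -> first fixed patch (None = whole branch affected)
DRUPAL8_BRANCHES = {2: None, 3: 9, 4: 6, 5: 1}
DRUPAL7_FIRST_FIXED = 58  # "< 7.58"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.57', '8.4.5' or '8.4.5-dev' into a tuple of ints (suffix dropped)."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    if not parts:
        raise ValueError(f"not a Drupal version string: {text!r}")
    return parts


def in_listed_affected_ranges(version: str) -> bool:
    """True when the version falls inside one of the ranges quoted in the post."""
    v = parse_version(version)
    major = v[0]
    if major == 6:
        return True  # all of 6.x
    if major == 7:
        # Drupal 7 releases are numbered 7.N, so the second field is the patch level
        patch = v[1] if len(v) > 1 else 0
        return patch < DRUPAL7_FIRST_FIXED
    if major == 8:
        minor = v[1] if len(v) > 1 else 0
        patch = v[2] if len(v) > 2 else 0
        if minor not in DRUPAL8_BRANCHES:
            return False  # branch not listed on the page; consult the vendor advisory
        first_fixed = DRUPAL8_BRANCHES[minor]
        return first_fixed is None or patch < first_fixed
    return False


def version_from_changelog(changelog_text: str) -> Optional[str]:
    """Pull the version out of the first 'Drupal X.Y[.Z], date' line of CHANGELOG.txt."""
    match = re.search(r"^Drupal (\d+(?:\.\d+)+)", changelog_text, re.MULTILINE)
    return match.group(1) if match else None


# Constructed sample of the top of a Drupal 7 CHANGELOG.txt (not taken from the target)
SAMPLE_CHANGELOG = "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"

if __name__ == "__main__":
    found = version_from_changelog(SAMPLE_CHANGELOG)
    print(found, "affected" if in_listed_affected_ranges(found) else "not in listed ranges")
```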
And there we go, shell initiated.
Since we got our initial foothold on the box, let's move on to the next stage of our attack, which is privilege escalation; in that process we reach root!
Let's use an automation tool for our strategy; it's called linpeas.
Let's first go to the /tmp directory:
and from our attacking box host a Python server so we can grab the script directly from it.
Scrolling through the linpeas privilege escalation results, we discovered a possible PE vector, which is "find" (/usr/bin/find).
Going to gtfobins.github.io, we can find the right command to grant us the root shell we desire:
find . -exec /bin/sh \; -quit
Thanks for reading until now, you're a legend!
I'd like to thank everyone for reading my content. I work really hard on documenting these write-ups, so it would be highly appreciated if you star my stories if you like them; feel free to check out the other stories, they are superb!
I also want to mention that I recently enrolled in Medium's Partner Program. Thanks everyone for the support, and see you in the next one!