
Vulnhub Series → DC-1

2 min read · Feb 9, 2022

Greetings,

I’m Neelesh. The pwned machine is the first part of the DC series from Vulnhub-Offensive Security. So let’s get started!

Initially, after an ARP scan, we got the target IP, exported it as an environment variable, and started the nmap scan:


Clearly, looking at the results, we jumped to port 80, which is a CMS-based Drupal site, although that was already verified in the nmap scan.


We had to enumerate, since the initial enumeration sprays didn’t work (e.g. default password sprays). But then we scanned the site with droopescan:


We found some interesting stuff like CMS versions; after enumerating through searchsploit we found:


As per the searchsploit results, we fired up msfconsole and filled in the required options for a meterpreter session:


During post enumeration, we found a flag4.txt as shown:

While enumerating, we checked netstat, but nothing interesting came up so far. But after checking the SUID permissions we got:


and clearly, we are root and the PoC of becoming root is shown below:

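Seen from the defender's side, the SUID check that led to root above is an audit worth running first. As an added example (not from the original post or the DC-1 machine), this script lists set-uid/set-gid files and reports any that are missing from a reviewed baseline; the function names and the one-path-per-line baseline format are assumptions.

```shell
#!/bin/sh
# Added example: audit set-uid / set-gid files against a reviewed allowlist.
# Assumed baseline format: one absolute path per line, '#' lines are comments.
# Limitation: paths containing newlines are not handled.

# list_setid ROOT
# Print every regular file under ROOT that has the setuid or setgid bit,
# staying on one filesystem (-xdev) and ignoring unreadable directories.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_setid ROOT ALLOWLIST
# Print only the set-id files that are NOT listed in ALLOWLIST.
# grep -Fx matches the whole line literally, so a path is never treated
# as a pattern and "/usr/bin/su" does not match "/usr/bin/sudo".
unexpected_setid() {
    root=$1
    allow=$2
    list_setid "$root" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$allow" || printf '%s\n' "$path"
    done
}

# report_setid ROOT ALLOWLIST
# Same as unexpected_setid, but with owner and mode for triage.
# A root-owned entry here is a file that runs as root for any local user.
report_setid() {
    unexpected_setid "$1" "$2" | while IFS= read -r path; do
        ls -ld -- "$path"
    done
}

# Run as: sh suid_audit.sh / /etc/suid-baseline.txt   (both paths are examples)
if [ "$#" -ge 2 ]; then
    report_setid "$1" "$2"
fi
```

Anything the report prints that is not needed as set-uid can have the bit removed with `chmod u-s`, and the baseline should be re-reviewed after package updates.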

→→→→→→→→→→→→→

That’s all for now!

Until Next Time,

Do Good and Good will come to you

→→→→→→→→→→→→→

Feel free to ping me anytime

Linkedin: https://www.linkedin.com/in/user-neeleshpatel/

Twitter: https://twitter.com/neelesh________

→→→→→→→→→→→→→


Written by Neelesh Patel
