2 May 2019

Walkthrough: DC1 VulnHub Machine

Hi all,

This is a walkthrough of a VulnHub machine.

Index

  1. Arp-scanning
  2. Nmap scanning
  3. Exploring port 80
  4. Finding the CMS
  5. Searchsploit.
  6. Exploiting CMS Metasploit.
  7. Privilege Escalation through SUID bit.

Let’s start this

We start with an ARP scan to find the IP addresses on the network. Command:- `arp-scan -l`

After finding the IP address, I started Nmap (a powerful network mapping tool).

 `Command:- nmap -sC -sV <ip>`
 `-sC: Run Nmap's default scripts`
 `-sV: For determining the service Versions.`


Here are the Nmap results.


Starting with port 80, I saw that Drupal was in use, and it was Drupal 7.

After searching for vulnerabilities with searchsploit, I came to know that it was vulnerable.

It was vulnerable to the Drupalgeddon exploit. I checked whether it is present in Metasploit.

And yes, it is. So I quickly used that exploit and ran it.



Now we have a shell. Checking the user ID with getuid showed that it was a normal user.

Escalating Privileges


So, my next target was to escalate my privileges to root. I checked whether the kernel was vulnerable with uname -a, but it was not.
So I moved to the second way: I checked which programs have the SETUID permission set.
Setuid is a special file permission in Unix/Linux that makes a program run with the privileges of the file's owner, which is how a user can run that program with higher privileges.

`Command:- find / -perm -u=s 2>/dev/null`
`-perm matches files by permission`
`-u=s matches files whose owner has the setuid bit set.`
`2>/dev/null sends any error messages to /dev/null.`


This outputs all the programs that have the SETUID permission, as you can see below.


There are many programs that have SETUID permissions. Now, how do we find the program that makes us privileged?
Basically, you need to find those programs that allow you to escape to a shell, or in other words, those that have an interactive mode.


So with the find utility, running /bin/sh -i through -exec allows us to escape to a shell.
`Command:- find /home -exec /bin/sh -i \;`


This find command executes the /bin/sh shell with root privileges, hence we have root privileges in the shell.



And yes! We got a root shell :)
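
From the defender's side, the same setuid scan can be turned into a routine audit that flags any setuid file outside a known-good baseline. This is an added example, not part of the original walkthrough; the allow-list and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit setuid binaries against an allow-list.
# The allow-list is an assumption (a constructed baseline for a minimal
# Debian-like host); build your own from a known-good install.
SUID_ALLOWLIST="/bin/su /bin/mount /bin/umount /bin/ping /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/sudo"

# List setuid regular files under a root directory, staying on one
# filesystem (-xdev) so /proc and network mounts are skipped.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -u=s 2>/dev/null
}

# Read one path per line on stdin; print those missing from the allow-list.
flag_unexpected() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case " $SUID_ALLOWLIST " in
            *" $path "*) ;;                        # expected, stay quiet
            *) printf 'UNEXPECTED %s\n' "$path" ;;
        esac
    done
}

# Constructed sample scan output (not taken from the target machine).
sample_scan() {
    printf '%s\n' /bin/mount /bin/su /usr/bin/find /usr/bin/passwd
}

# Usage on a live host:  list_suid / | flag_unexpected
# Remediation for a flagged file that does not need the bit:
#   chmod u-s /usr/bin/find
```

Running the audit from a scheduled job and alerting on any `UNEXPECTED` line catches a setuid bit on a general-purpose utility such as find before it is used for escalation.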

That’s it. Thanks for taking the time to read this.

Have a good day. :)

