DC-1

[ vulnhub  ctf  walkthrough  ]

Goal

4 flags + root flag

Download

https://www.vulnhub.com/entry/dc-1-1,292/

Walkthrough

nmap

default 80, drupal

nikto shows drupal 7… version file wasn’t found, so drupalgeddon maybe?

set up metasploit for drupalgeddon

and we have a shell and flag 1

check out drupal settings.php for db creds, we also get flag 2

use the creds to get drupal user hashes

throw hashes at hashcat and get passwords

flag 3 is found after logging in as admin

with meterpreter shell there’s a user flag4 and we find flag 4

with flag 3 hint we see find has suid set

we’re able to use this to read shadow file

throw that hash at hashcat and find password

ssh as flag4 user

use find to list root directory and get root flag name

final flag
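
The setuid find binary that this box hinges on is the kind of finding a baseline audit catches. The following is an added example, not part of the original walkthrough: it lists setuid-root files that are missing from an expected baseline and prints the fix. The baseline names and the sample paths are assumptions constructed for illustration.

```python
import os
import stat

# Assumed baseline for this example: names a stock Debian install ships setuid-root.
# Build the real list from a known-good image of your own system.
BASELINE = {"su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
            "mount", "umount", "ping"}


def scan_setuid(root):
    """Yield (path, mode, uid) for every regular file under root with the setuid bit."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


def unexpected_setuid(entries, baseline=BASELINE, owner_uid=0):
    """Return findings for setuid files owned by owner_uid that are not in the baseline."""
    findings = []
    for path, mode, uid in entries:
        if uid != owner_uid or os.path.basename(path) in baseline:
            continue
        findings.append({
            "path": path,
            "mode": stat.filemode(mode),
            "world_exec": bool(mode & stat.S_IXOTH),
            "fix": "chmod u-s " + path,
        })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Constructed sample mirroring this box: find is setuid root.
    sample = [
        ("/bin/su", 0o104755, 0),
        ("/usr/bin/passwd", 0o104755, 0),
        ("/usr/bin/find", 0o104755, 0),
    ]
    for f in unexpected_setuid(sample):
        print(f["mode"], f["path"], "->", f["fix"])
    # On a live host: unexpected_setuid(scan_setuid("/usr"))
```
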

Written on April 21, 2019