{"id":259,"date":"2025-07-09T18:59:51","date_gmt":"2025-07-09T18:59:51","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=259"},"modified":"2025-07-09T18:59:51","modified_gmt":"2025-07-09T18:59:51","slug":"ctf-dc-1-dc-2-dc-3-easy","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=259","title":{"rendered":"CTF: DC-1, DC-2, DC-3 (easy)"},"content":{"rendered":"\n

As part of my prep for the CEH Practical<\/strong>, I wanted to sharpen my enumeration and exploitation workflow with realistic machines. The DC series<\/strong> on VulnHub offers exactly that \u2014 legal, local, and logically progressive CTFs. In this post, I walk through DC-1<\/strong>, DC-2<\/strong>, and DC-3<\/strong>. No fancy tools needed \u2014 just good ol\u2019 enumeration, exploitation, and a bit of patience.<\/p>\n\n\n\n

DC-1<\/h1>\n\n\n\n

Enumeration<\/h2>\n\n\n\n

Starting off with an Nmap scan:<\/p>\n\n\n\n

\u250c\u2500\u2500(venv)\u2500(kali\u327fkali)-[~\/Downloads\/ctf\/bulldog\/ssh-user-enumeration]\n\u2514\u2500$ nmap -sCV -T4 -A -p- -Pn 10.0.2.16\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-07-04 09:17 EDT\nNmap scan report for 10.0.2.16\nHost is up (0.00058s latency).\nNot shown: 65531 closed tcp ports (reset)\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)\n| ssh-hostkey: \n|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)\n|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)\n|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)\n80\/tcp    open  http    Apache httpd 2.2.22 ((Debian))\n|_http-title: Welcome to Drupal Site | Drupal Site\n|_http-generator: Drupal 7 (http:\/\/drupal.org)\n| http-robots.txt: 36 disallowed entries (15 shown)\n| \/includes\/ \/misc\/ \/modules\/ \/profiles\/ \/scripts\/ \n| \/themes\/ \/CHANGELOG.txt \/cron.php \/INSTALL.mysql.txt \n| \/INSTALL.pgsql.txt \/INSTALL.sqlite.txt \/install.php \/INSTALL.txt \n|_\/LICENSE.txt \/MAINTAINERS.txt\n|_http-server-header: Apache\/2.2.22 (Debian)\n111\/tcp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          34218\/udp   status\n|   100024  1          50230\/udp6  status\n|   100024  1          57989\/tcp6  status\n|_  100024  1          60111\/tcp   status\n60111\/tcp open  status  1 (RPC #100024)\nMAC Address: 08:00:27:94:27:DF (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 2.6.X|3.X\nOS CPE: cpe:\/o:linux:linux_kernel:2.6 cpe:\/o:linux:linux_kernel:3\nOS details: Linux 2.6.32 - 3.10, Linux 3.2 - 3.16\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\n\n\n
Drupal 7 on port 80 caught my eye \u2014 classic.<\/p>\n\n\n\n
Initial Access<\/h2>\n\n\n\n
Homepage confirmed Drupal 7. A quick search led me to Drupalgeddon2 <\/a>a known exploit:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Manual PoC gave a shaky shell, so I used Metasploit<\/strong>:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This gave me a stable Meterpreter session<\/strong>. From there, I found Flag #1<\/strong> and a hint about Drupal\u2019s default config. In sites\/default\/settings.php<\/code>, I found Flag #2<\/strong> along with the MySQL root credentials.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This revealed a helpful hint suggesting not<\/strong> to brute-force and even provided the database credentials<\/strong>, so I proceeded to connect to MySQL. That\u2019s where I hit a snag \u2014 turns out I didn\u2019t really know how to properly interact with Meterpreter<\/strong>… oops. After about 30 minutes of trial and error, I realized I first needed to type shell<\/code> in Meterpreter to spawn a proper interactive shell<\/strong>. With that in place, I could finally run the MySQL client and inspect the database.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
After selecting the users<\/code> table, I found another hint tucked away inside:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This hint pointed me toward checking UID permissions<\/strong> \u2014 time to look for binaries with special privileges:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Getting root<\/h2>\n\n\n\n
I spotted find<\/code> with the setuid bit<\/strong> \u2014 game on:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Instant root shell<\/strong>. Final flag captured.<\/p>\n\n\n\n
DC-2<\/h1>\n\n\n\n
Enumeration<\/h2>\n\n\n\n
Same Nmap flow:<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nmap -sCV -T4 -A -p- -Pn 10.0.2.17\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-07-08 05:44 EDT\nNmap scan report for 10.0.2.17\nHost is up (0.00074s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT     STATE SERVICE VERSION\n80\/tcp   open  http    Apache httpd 2.4.10 ((Debian))\n|_http-title: Did not follow redirect to http:\/\/dc-2\/\n|_http-server-header: Apache\/2.4.10 (Debian)\n7744\/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)\n| ssh-hostkey: \n|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)\n|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)\n|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)\n|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)\nMAC Address: 08:00:27:CF:C2:82 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.74 ms 10.0.2.17\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 33.62 seconds<\/code><\/pre>\n\n\n\n
Finding SSH running on port 7744<\/strong> was definitely unexpected, but as usual, I started by checking out the web server<\/strong> first. The basic homepage and the results from Gobuster<\/strong> confirmed it was a standard WordPress installation<\/strong>. Surprisingly, the first flag<\/strong> was just sitting there in plain sight \u2014 a freebie!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
so lets create a custom wordlist with cewl<\/code> based on the site’s content: <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/Downloads\/ctf\/dc-2]\n\u2514\u2500$ cewl dc-2 -w wordlist.txt\nCeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https:\/\/digi.ninja\/)\n                                                                                                                       \n\u250c\u2500\u2500(kali\u327fkali)-[~\/Downloads\/ctf\/dc-2]\n\u2514\u2500$ cat wordlist.txt                                \nnec\namet\nsit\nvel\norci\nquis<\/code><\/pre>\n\n\n\n
Alongside the wordlist, we also needed valid usernames<\/strong> \u2014 fortunately, SQLMap<\/strong> has a built-in function to enumerate those:<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ wpscan --url 'http:\/\/dc-2' -e u\n\n[+] admin\n | Found By: Rss Generator (Passive Detection)\n | Confirmed By:\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/dc-2\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)\n\n[+] jerry\n | Found By: Wp Json Api (Aggressive Detection)\n |  - http:\/\/dc-2\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&page=1\n | Confirmed By:\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)\n\n[+] tom\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n | Confirmed By: Login Error Messages (Aggressive Detection)\n<\/code><\/pre>\n\n\n\n
We can also use SQLMap<\/strong> to perform password spraying:<\/p>\n\n\n\n
[+] Performing password attack on Xmlrpc against 3 user\/s\n[SUCCESS] - jerry \/ adipiscing                                                                                         \n[SUCCESS] - tom \/ parturient                                                                                           \nTrying admin \/ work Time: 00:00:37 <===========================                    > (684 \/ 1160) 58.96%  ETA: ??:??:??\n\n[!] Valid Combinations Found:\n | Username: jerry, Password: adipiscing\n | Username: tom, Password: parturient<\/code><\/pre>\n\n\n\n
Initial Access<\/h2>\n\n\n\n
Got two valid users:<\/p>\n\n\n\n