DC-1 Box, Proving Grounds
Summary: the write-up describes a penetration test in which an nmap scan shows the target running Drupal CMS 7.x, searchsploit lists candidate exploits, gobuster enumeration of the web directories turns up an admin page, a Metasploit module gives the initial foothold, and linpeas points to a privilege escalation path that ends in root. 2026-2-26 13:38:30 Author: infosecwriteups.com (view original) Reads: 6

Cyb0rgBytes

Cyb0rgBytes here, back again with another write-up. As always, and in every penetration testing engagement, we start with the first phase, which is information gathering.

Our handy tool for this task is nmap, used as follows:

Scanning with the nmap tool.

From the scan we get the following results:

Nmap’s Scan Results.

I noticed that there is an open HTTP port (port 80). Looking at the webpage, I could see that the site runs a CMS, to be precise Drupal, at version 7, so I searched with searchsploit using the keyword "searchsploit Drupal" and got the following exploits:

Exploits found using the searchsploit tool and ExploitDB.

From this screenshot we have a variety of options to try out. I tried one of them, but it didn't go through, so moving on.

What really helps in these engagements is finding out more and more about the target; this is where enumeration plays a vital role in our strategy. By running gobuster (an enumeration tool that scans for web directories) we find the following web directories:

Enumeration Results.

From this list we find an admin page, which seems interesting.

Later on, after a bit of looking around, I confirmed (as mentioned before) that the Drupal CMS version is 7, and that there is an exploit for it, automated as a Metasploit module, that we can use to our advantage:

Using the exploit to land a foothold.

The exploit abuses a property injection in Drupal's Forms API; these versions are affected:

Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.
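The affected-version list above is the thing a defender actually needs to act on. As an added example (my own code, not part of the original write-up or of any tool it uses), here is a small Python check that reads the version string Drupal 7 exposes in its X-Generator response header and tells you whether it falls inside the ranges listed. The sample response is constructed, and the helper names (version_from_response, parse_version, is_affected, check_response) are my own; the idea is to run it against sites you administer to confirm they are at or past the fixed release.

```python
import re

# Constructed sample response from a Drupal 7 site. Drupal 7 sends an
# X-Generator header by default, so a defender can read the major version
# from any normal page load without touching the application itself.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "\r\n"
    "<html><body>home</body></html>"
)


def version_from_response(raw):
    """Return the X-Generator header value from a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-generator":
            return value.strip()
    return None


def parse_version(text):
    """Pull the first dotted number out of a string ('Drupal 7 (...)' -> (7,),
    '7.57' -> (7, 57)). Returns a tuple of ints, or None if nothing numeric."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_affected(version):
    """Classify a version tuple against the ranges the write-up lists:
    6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, < 8.5.1.
    Returns True (inside an affected range), False (at or past the fix on
    that branch) or None (branch not covered by the list, e.g. 8.0.x).
    A version with no patch level, such as a bare 'Drupal 7', is reported
    as affected: the fix is a point release, so 'unknown' is not 'patched'."""
    major = version[0]
    minor = version[1] if len(version) > 1 else None
    patch = version[2] if len(version) > 2 else None

    if major == 6:
        return True                       # every 6.x release
    if major == 7:
        return minor is None or minor < 58
    if major == 8:
        if minor is None or minor == 2:
            return True                   # bare '8' or any 8.2.x
        fixed_patch = {3: 9, 4: 6, 5: 1}.get(minor)
        if fixed_patch is not None:
            return patch is None or patch < fixed_patch
        # 8.6+ post-date the 8.5.1 fix; 8.0.x / 8.1.x are not in the list
        return False if minor > 5 else None
    return None                           # branches the list says nothing about


def check_response(raw):
    """Convenience wrapper: header -> version tuple -> verdict (True/False/None)."""
    header = version_from_response(raw)
    if header is None:
        return None
    version = parse_version(header)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    print("X-Generator:", version_from_response(SAMPLE_RESPONSE))
    print("affected:", check_response(SAMPLE_RESPONSE))
```

Note that a bare "Drupal 7" header, which is all the default header gives you, comes back as affected: the header cannot prove the patch level, so treat the site as unpatched until the actual release (for example from the site's own CHANGELOG or package metadata) shows 7.58 or later.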

And there we go, shell initiated.

Since we have our initial foothold on the box, let's move on to the next stage of the attack, privilege escalation, in which we reach root!

Let's use an automation tool for this; it's called linpeas.

Let's first go to the /tmp directory,

and from our attacking box host a Python HTTP server so we can grab the script directly from it.

Spawning a Python TTY shell and going to the /tmp directory.

Hosting a Python server on our own machine.

Scrolling through the linpeas privilege escalation results, we discovered a possible PE vector: the "find" binary at /usr/bin/find.

By going to gtfobins.github.io we can find the right command to grant us the root shell we're after:

  • find . -exec /bin/sh \; -quit
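The linpeas hit above is exactly the kind of thing a host-hardening audit should catch before a tester does. As an added example (my own code, not from the write-up or any tool it uses), here is a small Python SUID audit: it collects root-owned SUID files and flags the ones known to hand out a shell when run with elevated privileges, with find, as on this box, as the obvious case. It assumes the binary carries the SUID bit, which is what makes the GTFOBins one-liner work; the sample entries are constructed, and the SHELL_CAPABLE set is an assumption in the spirit of GTFOBins that you should extend for your own environment.

```python
import os
import stat

# Binaries that yield an interactive shell or arbitrary command execution when
# they run with elevated privileges. This set is an assumption (a starting point
# in the spirit of GTFOBins), not an exhaustive list; extend it for your estate.
SHELL_CAPABLE = {"find", "bash", "sh", "vim", "vi", "python", "python3", "perl", "awk"}

# Constructed sample in (path, st_mode, st_uid) form, so the audit logic can be
# exercised without root or a real filesystem. 0o104755 = regular file, SUID, 0755.
SAMPLE_ENTRIES = [
    ("/usr/bin/find",   0o104755, 0),     # SUID root and shell-capable: the DC-1 case
    ("/usr/bin/passwd", 0o104755, 0),     # SUID root, but expected and needed
    ("/usr/bin/ls",     0o100755, 0),     # no SUID bit at all
    ("/home/user/vim",  0o104755, 1000),  # SUID, but to an unprivileged user
]


def audit_suid(entries):
    """Return a list of findings for root-owned SUID files.

    Each finding is a dict with the path, a severity ('high' for shell-capable
    binaries, 'review' for everything else) and a suggested action. Files that
    are not SUID, or are SUID to a non-root user, are skipped here.
    """
    findings = []
    for path, mode, uid in entries:
        if not (mode & stat.S_ISUID) or uid != 0:
            continue
        name = os.path.basename(path)
        if name in SHELL_CAPABLE:
            findings.append({"path": path, "severity": "high",
                             "action": f"chmod u-s {path}"})
        else:
            findings.append({"path": path, "severity": "review",
                             "action": "confirm the SUID bit is required"})
    return findings


def walk_filesystem(root="/"):
    """Yield (path, st_mode, st_uid) for regular files under root, skipping
    anything unreadable and not following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    # Run against the constructed sample; swap in walk_filesystem() for a live host.
    for finding in audit_suid(SAMPLE_ENTRIES):
        print(f"{finding['severity']:6} {finding['path']}: {finding['action']}")
```

On the sample data the audit reports /usr/bin/find as high (remove the bit with chmod u-s, since find has no legitimate need for it) and /usr/bin/passwd as review, which is the right split: the goal is not to strip every SUID bit but to remove the ones that turn a low-privileged shell into root.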

Finally gaining root!

Thanks for reading until now, you’re a legend!

I'd like to thank everyone for reading my content. I work really hard on documenting these write-ups, so it would be highly appreciated if you star my stories if you like them; feel free to check out the other stories, they are superb!

Also, I want to mention that I recently enrolled in Medium's Partner Program. Thanks everyone for the support, and see you in the next one!


Source: https://infosecwriteups.com/dc-1-box-from-offsecs-proving-ground-654222ee3152?source=rss----7b722bfd1b8d---4