🟒Armageddon

Recon & Enum

port scan

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

directory scan

/.html                (Status: 403) [Size: 207]
/index.php            (Status: 200) [Size: 7440]
/misc                 (Status: 301) [Size: 233] [--> http://10.10.10.233/misc/]
/themes               (Status: 301) [Size: 235] [--> http://10.10.10.233/themes/]
/modules              (Status: 301) [Size: 236] [--> http://10.10.10.233/modules/]
/scripts              (Status: 301) [Size: 236] [--> http://10.10.10.233/scripts/]
/sites                (Status: 301) [Size: 234] [--> http://10.10.10.233/sites/]
/includes             (Status: 301) [Size: 237] [--> http://10.10.10.233/includes/]
/install.php          (Status: 200) [Size: 3172]
/profiles             (Status: 301) [Size: 237] [--> http://10.10.10.233/profiles/]
/update.php           (Status: 403) [Size: 4057]
/README.txt           (Status: 200) [Size: 5382]
/robots.txt           (Status: 200) [Size: 2189]
/cron.php             (Status: 403) [Size: 7388]
/INSTALL.txt          (Status: 200) [Size: 17995]
/LICENSE.txt          (Status: 200) [Size: 18092]
/CHANGELOG.txt        (Status: 200) [Size: 111613]
/xmlrpc.php           (Status: 200) [Size: 42]
/COPYRIGHT.txt        (Status: 200) [Size: 1481]
/.html                (Status: 403) [Size: 207]
/UPGRADE.txt          (Status: 200) [Size: 10123]
/authorize.php        (Status: 403) [Size: 2824]

website

There is a login page running on the site; after enumerating it in Burp I found that the website is PHP based and uses Drupal for authentication.

http://10.10.10.233/CHANGELOG.txt

I found the exact version number of Drupal.
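As an added defender-side check (my own example, not part of the original writeup), the script below parses the directory-scan output above and flags the Drupal files that answer 200 but should not be reachable on a hardened install: the version-disclosing text files that gave away the exact Drupal release, and the maintenance scripts. The file lists and the sample CHANGELOG body are constructed for illustration.

```python
import re

# Drupal 7 ships these in the webroot; they leak the release version
# (constructed list, taken from the directory scan above).
VERSION_LEAK_FILES = {"/CHANGELOG.txt", "/README.txt", "/INSTALL.txt",
                      "/UPGRADE.txt", "/COPYRIGHT.txt", "/LICENSE.txt"}
# Maintenance entry points that should be blocked or removed after setup.
MAINTENANCE_SCRIPTS = {"/install.php", "/update.php", "/authorize.php",
                       "/cron.php", "/xmlrpc.php"}

# Matches gobuster-style lines: "/path   (Status: 200) [Size: 123]"
SCAN_LINE = re.compile(r"^(?P<path>/\S+)\s+\(Status:\s*(?P<status>\d{3})\)")

def parse_scan(text):
    """Turn directory-scan output into a list of (path, http_status) tuples."""
    results = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            results.append((m.group("path"), int(m.group("status"))))
    return results

def exposed_findings(results):
    """Return {path: reason} for paths that answer 200 and should not."""
    findings = {}
    for path, status in results:
        if status != 200:
            continue  # 403 / 301 means the server already blocks or redirects it
        if path in VERSION_LEAK_FILES:
            findings[path] = "version disclosure"
        elif path in MAINTENANCE_SCRIPTS:
            findings[path] = "maintenance script reachable"
    return findings

# Drupal 7's CHANGELOG.txt starts with the newest release line, e.g. "Drupal 7.0, 2011-01-05".
CHANGELOG_HEADER = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?),\s*\d{4}-\d{2}-\d{2}", re.M)

def changelog_version(body):
    """Extract the Drupal release a publicly served CHANGELOG.txt discloses, or None."""
    m = CHANGELOG_HEADER.search(body)
    return m.group(1) if m else None

# Constructed sample: two lines from the scan above and a fake CHANGELOG header.
SAMPLE_SCAN = """/CHANGELOG.txt        (Status: 200) [Size: 111613]
/update.php           (Status: 403) [Size: 4057]
/install.php          (Status: 200) [Size: 3172]"""
SAMPLE_CHANGELOG = "Drupal 7.0, 2011-01-05\n----------------------\n\n- Constructed sample.\n"

if __name__ == "__main__":
    for path, reason in exposed_findings(parse_scan(SAMPLE_SCAN)).items():
        print(f"{path}: {reason}")
    print("disclosed version:", changelog_version(SAMPLE_CHANGELOG))
```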

shell as apache

searchsploit

There are lots of payloads listed for it,

but this one matches our needs :- version no. Unauthenticated, non-Metasploit public exploit on GitHub

CVE 2018 - 7600

This will give us a shell as apache, and provides a link "http://10.10.10.233/shell.php" with the parameter "c" through which we can do RCE. Let's get a reverse shell first ..... double-encode the payload while injecting it.

NOTE :- the shell we get is /sbin/nologin, so there are lots of things we cannot perform, like :- cd, bash, python, nc, wget ..... etc, and for some other things it gives Permission Denied.

privesc apache => brucetherealadmin

We can't do much here. In order to escalate our privileges I need some kind of credentials, because most of the commands are not working and I can't even transfer scripts like linpeas to the victim....... After googling, I learned where the default database credentials are stored :- "/sites/default/settings.php"

We got the database (drupal) credentials, "drupaluser" & "CQHEy@9M*m23gBVj". Before running mysql commands: we don't have a pty shell, so we have to execute the SQL query directly in a single go so that the terminal doesn't get stuck, as it gets stuck without that.

We got the hash for user "brucetherealadmin". Let's save it in a file, then find the hash type, then crack it.

I tried switching user but it didn't work, so I tried ssh and got a shell as brucetherealadmin.

privesc brucetherealadmin => root

sudo -l

Found a binary that I can run as root :-

I immediately went to GTFOBins and found this:

This says the binary can't do anything on its own. Basically it's a package manager for installing packages, just like apt, but we can create a malicious package and then try to install it.

creating malicious package

First I just try to read root.txt, so create the package on the attacker machine, transfer it to the victim, and then use snap to install it.

We got root.txt, but not a shell.
