, ,

Lampiao : 1



  • Run a full port scan to find for uncommon ports
  • Gobuster enumeration gives clues on framework name and version
  • Searchsploit drupal to find for exploits
  • Use metasploit to gain user access
  • Enumerate file to find for databases clues
  • Hash cracking takes time and find an alternate method to exploit
  • Use linux exploit (Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW)


Run nmap scan to find for open ports.

port 80
port 1898

Run a gobuster scan to find for hidden directories.

robots.txt has some clues.

In the profiles folder we can find the version number in one of the files.

Drupal version 7.54

Run a searchsploit on the Drupal version.

Start up metasploit

Search for the exploit , input the options and run.


A meterpreter session is gained.

Found a user.

Enumerating the folders , we can find some database credentials in /var/www/html/sites/default/settings.php

Use mysqldump to find a hash for tiago

mysqldump -u drupaluser -pVirgulino drupal users

Tried to crack the hash but it was going to take hours.

Privilege escalation

Let’s search for another method.

After some searching online, found an exploit here

Download the exploit , start a python server and pass the exploit to the machine via the /tmp folder.

Use the compiling instruction from the exploit db.

This exploit changes the root password.

ssh into the root terminal with the new password and the root flag is found.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: