- Run a full port scan to find for uncommon ports
- Gobuster enumeration gives clues on framework name and version
- Searchsploit drupal to find for exploits
- Use metasploit to gain user access
- Enumerate file to find for databases clues
- Hash cracking takes time and find an alternate method to exploit
- Use linux exploit (Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW)
Run nmap scan to find for open ports.
Run a gobuster scan to find for hidden directories.
robots.txt has some clues.
In the profiles folder we can find the version number in one of the files.
Run a searchsploit on the Drupal version.
Start up metasploit
A meterpreter session is gained.
Found a user.
Enumerating the folders , we can find some database credentials in /var/www/html/sites/default/settings.php
Use mysqldump to find a hash for tiago
mysqldump -u drupaluser -pVirgulino drupal users
Tried to crack the hash but it was going to take hours.
Let’s search for another method.
After some searching online, found an exploit here
Download the exploit , start a python server and pass the exploit to the machine via the /tmp folder.
This exploit changes the root password.
ssh into the root terminal with the new password and the root flag is found.
Leave a Reply