Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 01:03 EDT
Nmap scan report for 10.10.10.233
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.64 seconds
We can see that port 80 is open.
From the robots.txt, we can navigate to /CHANGELOG.txt.
We can see that it is running Drupal 7.56. After further research, we can use the Metasploit module "Drupal Drupalgeddon 2 Forms API Property Injection" to exploit the web app.
After that, we will get a reverse shell from Metasploit.
Then we need to find some valuable information.
At last, in this folder, we can cat out settings.php.
Here we can see the database login password, so let's log in through MySQL.
There is a password hash for the user brucetherealadmin, which we can pass to John to crack the password.
We can now SSH in as the user brucetherealadmin.
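The generator meta tag and the robots.txt entries pointing at CHANGELOG.txt are what let the scan fingerprint the exact Drupal release. From the defender's side, the same scan output can be parsed to inventory what a host volunteers about itself. The following Python is an added example, not part of the original writeup; it parses the service-detection output shown above (embedded as the sample input) and lists, per HTTP service, the advertised CMS, the server header, and the bundled text files that robots.txt exposes. Removing the generator tag and blocking those files is the usual hardening step.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The scan output from above, embedded here as the sample input.
SAMPLE_SCAN = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 01:03 EDT
Nmap scan report for 10.10.10.233
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
Nmap done: 1 IP address (1 host up) scanned in 26.64 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")   # "| script-name: value"
CONT_RE = re.compile(r"^\|_?\s*(/\S.*)$")               # continuation lines of http-robots.txt


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: Dict[str, str] = field(default_factory=dict)


def parse_nmap(text: str) -> Tuple[Optional[str], List[Service]]:
    """Parse nmap -sV text output into the scanned host and its services with NSE script results."""
    host: Optional[str] = None
    services: List[Service] = []
    current: Optional[Service] = None
    last_key: Optional[str] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            services.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = SCRIPT_RE.match(line)
        if m:
            last_key = m.group(1)
            current.scripts[last_key] = m.group(2).strip()
            continue
        m = CONT_RE.match(line)
        if m and last_key == "http-robots.txt":
            # robots.txt paths are printed over several lines; fold them into the one value
            current.scripts[last_key] += " " + m.group(1).strip()
    return host, services


def cms_disclosures(services: List[Service]) -> List[dict]:
    """For each HTTP service, report what it volunteers: the generator tag, the server header,
    and the bundled .txt files reachable via robots.txt (CHANGELOG.txt states the exact version)."""
    out = []
    for s in services:
        if "http-generator" not in s.scripts and "http-robots.txt" not in s.scripts:
            continue
        paths = [t for t in s.scripts.get("http-robots.txt", "").split() if t.startswith("/")]
        out.append({
            "port": s.port,
            "generator": s.scripts.get("http-generator"),
            "server_header": s.scripts.get("http-server-header"),
            "text_files": sorted(p for p in paths if p.lower().endswith(".txt")),
        })
    return out


if __name__ == "__main__":
    scanned_host, found = parse_nmap(SAMPLE_SCAN)
    print(scanned_host)
    for entry in cms_disclosures(found):
        print(entry)
```

The parser deliberately ignores the ssh-hostkey lines (they are key fingerprints, not key: value script output) and only folds continuation lines for http-robots.txt, which is the one script in this output that spreads its result over several lines.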
Privilege Escalation
We can see that snap can be executed with sudo and can install anything.
After some tries, we realized that snap can only install local snap packages.
What we can do is go here and get the trojan snap code.
Then we can use Python to write the code to a file.
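The root cause of this escalation is the sudo rule itself: letting a user run a package installer as root is the same as granting root, since an installed package runs its own hooks with full privileges. The following Python is an added example, not part of the original writeup, that audits a sudoers file for that class of rule. The sudoers content is a constructed sample (the box's real rule is not shown on the page); the list of installer binaries is an assumption you would extend for your own environment.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample sudoers content (hypothetical, not the box's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/example -- constructed sample
Defaults    env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap install *
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(root) /usr/bin/rsync
"""

# Assumed list of binaries that install or run arbitrary packages; sudo access to any of them
# is equivalent to root because package hooks and scripts execute with the installer's privileges.
INSTALLERS = {"snap", "apt", "apt-get", "yum", "dnf", "rpm", "dpkg", "pip", "pip3", "npm"}

# user  host=(runas) [TAG:] command, command ...
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        high = {"unrestricted-ALL", "package-installer", "wildcard-argument"}
        return "high" if high & set(self.reasons) else "low"


def audit_sudoers(text: str) -> List[Finding]:
    """Flag user specifications that amount to root: ALL, package installers, wildcard
    arguments, and (lower severity) anything granted without a password."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmd_list = m.groups()
        runas = runas or "root"                      # sudoers default when no (runas) is given
        tags = set()
        for cmd in cmd_list.split(","):
            cmd = cmd.strip()
            t = TAG_RE.match(cmd)
            if t:
                # A tag applies to the command it precedes and every later command in the list.
                tags |= {x.strip() for x in t.group(1).split(":") if x.strip()}
                cmd = cmd[t.end():].strip()
            reasons: List[str] = []
            if cmd == "ALL":
                reasons.append("unrestricted-ALL")
            else:
                binary = os.path.basename(cmd.split()[0])
                if binary in INSTALLERS:
                    reasons.append("package-installer")
                if "*" in cmd:
                    reasons.append("wildcard-argument")
            if "NOPASSWD" in tags:
                reasons.append("nopasswd")
            if reasons:
                findings.append(Finding(user, runas, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} -> ({f.runas}) {f.command}: {', '.join(f.reasons)}")
```

Run it against /etc/sudoers and each file under /etc/sudoers.d/. A high finding for a non-admin account means the rule should be replaced by a narrowly scoped one (a fixed command with fixed arguments) or removed; the low findings are the NOPASSWD grants that are otherwise tightly scoped.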