2. We have SSH, HTTP, and RPC protocols. Well, that means I should think about possible credentials for SSH authentication, web application exploits or possible NFS share that can be accessed. I started with the web application.
6. Ok, so a quick google search for Drupal 7 exploits gave a lot of results. Enter Drupalgeddon2.
7. With Metasploit ready to aim and shoot, the only thing left is to exploit.
7. With Metasploit ready to aim and shoot, the only thing left is to exploit.
10. Ok, I hate this shell. Time to see if we can get a better one. Time to use the python trick hopefully. Again, learned this watching
IppSec channel (https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA). If you are not watching it, you should be.
11. With a better shell, we find another flag in the webroot directory. It is pointing us to look thru the config files which we should do anyway for settings and credentials. We see flag2 and mysql credentials.
13. We see the drupaldb database. Time to look through the tables. We have credentials in the users tables. Of course, I could not find a single password for these:
admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
14. Now, I went looking for any possible kernel escalation exploit for the Debian version and Linux kernel level. Nope. Time to look for “sticky” permissions.
15. Now, the find command seemed weird to have on this list. I even had to do a double check on my own executable. Yup, that’s weird. We can run “find” as root.
16. Looking good. I can see another flag too. Let’s google what else we can do with the find command.
17. Well I got the flag, but I am not sure I got all of them. Let’s start digging more. We have flag5, flag2, flag1.
18. Now, we have flag4. So where is flag3? I went back into mysql and only found this:
18. Now, we have flag4. So where is flag3? I went back into mysql and only found this:
I assume that it was in Drupal page somewhere. Just because I was curious, I looked at the shadow file and tried to check for passwords. I found the password for flag4, which was orange. (THE END).