This is a walkthrough of a vulnhub machine.
Let’s start this
I started by ARP-scanning the network to find the IP addresses of the hosts on it. Command:-
After finding the IP address, I started NMAP (a powerful network mapping tool).
`Command:- nmap -sC -sV <ip>` `-sC: run Nmap's default scripts against the open ports` `-sV: probe the open ports to determine service versions.`
Here are the NMAP results.
Starting with port 80, I saw that the site was running Drupal, and it was Drupal 7.
After searching for vulnerabilities with searchsploit, I came to know that it was vulnerable.
It was vulnerable to the Drupalgeddon exploit. I checked whether it was present in Metasploit.
And yes, it was. So I quickly selected that exploit and ran it.
Now we got a shell. After checking the user id with getuid, it turned out to be a normal, unprivileged user.
So my next target was to escalate my privileges to root. I checked whether the kernel was vulnerable with uname -a, but it was not.
So I moved on to the second way: I checked which programs have the SETUID permission set.
Setuid is a special file permission in Unix/Linux which lets a user run that program with the privileges of the file's owner (root, when the owner is root) instead of their own.
`Command:- find / -perm -u=s 2>/dev/null` `-perm matches on permission bits` `-u=s matches files that have the setuid bit set for the file owner.` `2>/dev/null sends any errors (e.g. permission denied) to /dev/null.`
This lists all programs with the SETUID bit set, as you can see below.
There are many programs with SETUID permissions. Now how do we find the one that makes us privileged?
Basically you need to find those programs which allow you to escape to a shell, or in other words have an interactive mode.
So in the find utility, -exec with /bin/sh -i lets us escape to an interactive shell.
`Command:- find /home -exec /bin/sh -i \;`
Because find is setuid root, the /bin/sh it execs runs as root, hence we have root privileges in that shell.
And yes! We got a root shell :)
That's it. Thanks for taking the time to read this.
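From the defender's side, the same enumeration is the audit that would have caught this box's misconfiguration: a setuid-root copy of find should never be present. The script below is an added example, not part of the original walkthrough; `scan_setuid` runs the same find command the walkthrough uses, and `audit_setuid` reports every setuid path that is not on an allow-list of binaries expected to carry the bit. The allow-list and the sample scan results used in the demo are constructed for illustration and are not a definitive baseline for any distribution.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit setuid-root files on
# a host against a constructed allow-list and report anything unexpected.

# Enumerate setuid-root regular files, the same way the walkthrough does,
# but staying on the root filesystem (-xdev) and sorted for diffing.
scan_setuid() {
    find / -xdev -type f -perm -u=s -user root 2>/dev/null | sort
}

# audit_setuid FOUND BASELINE
#   FOUND    : file with one setuid path per line (e.g. output of scan_setuid)
#   BASELINE : file with one expected setuid path per line (the allow-list)
# Prints every path in FOUND that is missing from BASELINE.
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_setuid() {
    found_sorted=$(mktemp)
    base_sorted=$(mktemp)
    sort -u "$1" > "$found_sorted"
    sort -u "$2" > "$base_sorted"
    # comm -23 keeps lines only present in the first (found) file.
    unexpected=$(comm -23 "$found_sorted" "$base_sorted")
    rm -f "$found_sorted" "$base_sorted"
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}

# Demo on constructed data. On a real host replace the first printf with:
#   scan_setuid > "$workdir/found"
if [ "${1:-}" = "--demo" ]; then
    workdir=$(mktemp -d)
    # Constructed scan result: the walkthrough's box has a setuid find.
    printf '/usr/bin/passwd\n/usr/bin/sudo\n/usr/bin/find\n' > "$workdir/found"
    # Constructed allow-list: binaries that legitimately need setuid root.
    printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$workdir/baseline"
    if audit_setuid "$workdir/found" "$workdir/baseline"; then
        echo "OK: no unexpected setuid binaries"
    else
        echo "ALERT: unexpected setuid binaries listed above; strip the bit with chmod u-s <path>"
    fi
    rm -rf "$workdir"
fi
```

Run it with `--demo` to see the constructed case; on a real host, feed `scan_setuid` output to `audit_setuid` and put the result in a cron job or configuration-management check so that a newly appearing setuid binary raises an alert. The fix for the finding on this box is simply `chmod u-s` on the offending find binary.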
Have a good day. :)