Web
Nmap discovered a web server on the target's port 80.
The running service is Apache httpd 2.4.6, and it's hosting a Drupal instance.
Webroot
It is indeed a Drupal site.
The earlier Nmap scan revealed that it's Drupal 7.
droopescan
┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ droopescan scan drupal -u http://$IP/
[+] Plugins found:
profile http://10.10.10.233/modules/profile/
php http://10.10.10.233/modules/php/
image http://10.10.10.233/modules/image/
[+] Themes found:
seven http://10.10.10.233/themes/seven/
garland http://10.10.10.233/themes/garland/
[+] Possible version(s):
7.56
[+] Possible interesting urls found:
Default changelog file - http://10.10.10.233/CHANGELOG.txt
[+] Scan finished (0:02:05.142478 elapsed)
droopescan identified the possible version as 7.56.
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ searchsploit Drupal 7.56
------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
------------------------------------------------------------------------------------------------------ ---------------------------------
shellcodes: No Results
papers: No Results
Drupal 7.56 has a series of critical vulnerabilities.
While the Drupalgeddon3 exploit requires authentication, the Drupalgeddon2 exploit doesn't.
The Drupalgeddon2 exploit targets [[armageddon_cve-2018-7600#cve-2018-7600|CVE-2018-7600]].
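The version-to-exposure reasoning above can be scripted for auditing your own Drupal installs. This is an added example, not part of the original write-up: it reads the newest release header from a `CHANGELOG.txt` body and compares it against the per-branch thresholds in the Drupalgeddon2 searchsploit title. The function names and the sample changelog are assumptions constructed for illustration.

```python
import re

# Fixed releases per branch, taken from the searchsploit title above:
# "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2'"
FIXED_IN = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Release header of the form "Drupal 7.56, 2017-06-21"
HEADER = re.compile(r"^Drupal (\d+(?:\.\d+){1,2}), \d{4}-\d{2}-\d{2}", re.M)

# Constructed sample input, not fetched from any host
SAMPLE_CHANGELOG = """
Drupal 7.56, 2017-06-21
-----------------------
- Example entry (constructed).

Drupal 7.55, 2017-06-07
-----------------------
- Example entry (constructed).
"""

def newest_version(changelog_text):
    """Return the first (newest) release version as an int tuple, or None."""
    m = HEADER.search(changelog_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def drupalgeddon2_status(version):
    """Return 'affected', 'fixed', or 'unknown' (no version, or a branch
    the searchsploit title does not name)."""
    if version is None:
        return "unknown"
    for branch, fixed in FIXED_IN.items():
        if version[:len(branch)] == branch:
            return "affected" if version < fixed else "fixed"
    return "unknown"

if __name__ == "__main__":
    v = newest_version(SAMPLE_CHANGELOG)
    print(v, drupalgeddon2_status(v))
```

`CHANGELOG.txt` only reflects the files on disk, so a missing or stale file yields `unknown` or a misleading result; confirm against the installed core version before closing a finding.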
Moving on to the exploitation phase.