This is a walkthrough for the VulnCMS:1 vulnhub machine. If you are looking for OSCP-like vulnhub boxes to practice with, then look no further. Really, if you want to prepare for the OSCP then you should consider subscribing to the Ethical Hacking Guru Academy.
Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.
Here’s What You Need
- Kali Linux VM
- VulnCMS:1 VM
Setup
To download drupwn:
To download droopescan:
Initial Enumeration
Once you have the VM installed in VirtualBox it’s time to go, link to the machine: https://www.vulnhub.com/entry/vulncms-1,710/. A few things to do for an initial enumeration, which judging by the name of the box “CMS” is web-dominant. No surprise there!
It’s smart to try a few things here. For WordPress, try this command to enumerate any low-hanging fruit
Drupal Enumeration
You may have noticed that Drupal is also running, it turns out there are multiple CMS apps running on the box. Give this command a try in order to enumerate Drupal
Notice how an accurate version is detected when using the exploit mode.
You can also do a Joomla enumeration if you want; use this
The one tool that returns accurate version info for the CMS is droopescan. To scan
Exploit Drupal
To exploit Drupal we will use https://github.com/pimps/CVE-2018-7600. Use this command to kick off the exploit
Now that we have proved remote code execution works, let’s turn that into a reverse-shell one-liner. Use this command to generate base64-encoded reverse shell code
Why is the payload base64-encoded? This code snippet in the exploit explains why it has to be this way. Then I added a pipe to send the decoded output into a bash process.
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
The full new command to use for the exploit is
I am going to echo this same one-liner into a new bash process on the target.
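The wrapper shown above hides the real command from anyone reading a process or command log, which also makes it a useful detection signal. As an added example (not from the post or the exploit repository), this Python scans constructed command-log lines for the `echo <base64> | base64 -d` wrapper, decodes the payload, and notes whether it was piped on into a shell:

```python
import base64
import re

# Matches the wrapper the exploit builds: echo <base64> | base64 -d (optionally piped onward).
B64_WRAPPER = re.compile(
    r"echo\s+(?P<b64>[A-Za-z0-9+/]+={0,2})\s*\|\s*base64\s+(?:-d|--decode)\b(?P<tail>[^\n]*)"
)

# Constructed command-log lines (auditd/bash-history style) for illustration, not real captures.
SAMPLE_LOG = [
    "uid=33 cmd=ls -la /var/www/html",
    "uid=33 cmd=echo aWQ7IGhvc3RuYW1l | base64 -d | bash",
    "uid=1000 cmd=echo hello | wc -c",
    "uid=33 cmd=echo aWQ= | base64 --decode",
]


def decode_wrapped_commands(lines):
    """Return (line, decoded_payload, piped_into_shell) for each echo|base64 -d wrapper found."""
    findings = []
    for line in lines:
        m = B64_WRAPPER.search(line)
        if not m:
            continue
        try:
            # validate=True rejects strings that merely look like base64 (e.g. "hello").
            decoded = base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        # Was the decoded text handed straight to an interpreter? That is the high-confidence case.
        piped_into_shell = bool(re.search(r"\|\s*(?:ba)?sh\b", m.group("tail")))
        findings.append((line, decoded, piped_into_shell))
    return findings


if __name__ == "__main__":
    for line, decoded, to_shell in decode_wrapped_commands(SAMPLE_LOG):
        flag = "EXECUTED" if to_shell else "decoded-only"
        print(f"[{flag}] {decoded!r}  <- {line}")
```

Alerting on the decoded text (rather than the opaque base64) lets the same rule catch any payload wrapped this way, whatever the exploit script used to deliver it.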
Now start a reverse shell listener using netcat like so
Linux Privilege Escalation
Now that you have a shell on the target, move to the /opt directory to find a hidden credential. Now remember how there is a running web app? We can use that username and password to log in.
The default administrator page is found at /administrator and you can use these creds to log in. Then the user manager module
Upgrade to Elliot
From here use
Escape Restricted Bash and Find User Flag
The path to root is to escape restricted bash first. This is easy using
Looking in /home/elliot/user.txt there is a user flag to be found, 9046628504775551.
Change To Tyrell
Since this is a CMS-themed box there must be configuration files, and we already found some credentials in one earlier. There is another one in the misc directory.
An easier way to do this is to ssh to the target using the creds.
Abuse journalctl To Get Root
https://gtfobins.github.io/gtfobins/journalctl/
The way to root is to run