Plan A:
1. Discover HTTP on port 80 running Drupal 7.
2. In Metasploit, search for drupal and find unix/webapp/drupal_drupalgeddon2.
3. Set options, exploit, and we have a Meterpreter shell.
5. Find flags in the default directory you’re dumped into and in /home; submit for points.
6. $ find / -perm -4000 2>/dev/null showed that /usr/bin/find had the SUID bit set, so escalate with that.
7. $ find /etc/passwd -exec /bin/sh \; and kaboom! Root!
8. cat /root/proof.txt for the 2nd flag.

Plan B:
1. Discover HTTP on port 80 running Drupal 7.
2. Find a Drupalgeddon2 exploit on GitHub, fire it off and boom! Basic shell. Find the flag in the entry-point directory.
3. Privilege escalation: $ find / -perm -4000 2>/dev/null found /usr/bin/find with the SUID bit set.
4. $ find /etc/passwd -exec /bin/sh \; for root.
5. cat /root/proof.txt for the 2nd flag.
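
Both plans get root through the SUID bit on /usr/bin/find, which the same find / -perm -4000 search exposes. From the defender's side, here is an added example (not part of the original write-up) that runs that search and reports every setuid file missing from an approved baseline. The function names and the baseline paths are assumptions; build the real list from your own distribution.

```shell
#!/bin/sh
# Added example: audit setuid files against an approved baseline.
# SUID_ALLOWLIST is a constructed sample (one absolute path per line);
# replace it with the list that is correct for your own systems.
SUID_ALLOWLIST="${SUID_ALLOWLIST:-/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount}"

# Print each setuid regular file under directory $1 that is not in the
# baseline. Same search as in the write-up, limited to one filesystem.
unexpected_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        # -F fixed string, -x whole-line match, -q quiet
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Remediation for a reported file: clear the setuid bit, keep the rest
# of the mode unchanged.
strip_suid() {
    chmod u-s "$1"
}

# Run stand-alone as: sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    unexpected_suid "$1"
fi
```

On the box described above, /usr/bin/find would appear in the report because it is not in the baseline, and strip_suid /usr/bin/find (as root) closes the escalation path.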

Never forget to try different options to get a basic shell, then escalate privileges from there.

G

By Greg Miller
