Vulnhub billu: b0x 2 Walkthrough

by Vince
in Blog

While I sort through some issues with my hypervisor and some older boxes which won't run on it, I'm working on the newer releases on Vulnhub. I spotted billu: b0x 2 and I think I recall doing the first box by this author some time ago. I don't remember the original, nor do I have any notes, so I can't tell you whether it's similar, harder, or whether there's any relationship at all.

I spent some time trying to work out a manual way of getting my low priv shell but eventually went with Metasploit.  But I'm getting ahead of myself --

Starting with an Nmap scan:

Checking out the web port:

Scanning with Nikto:

Let's check out the login page:

Now that we know it's Drupal, let's scan it with Droopescan:

Other than the version, I'm not finding anything interesting, but I think it's vulnerable to Drupalgeddon:

Let's see what we can do with this proof of concept:

Script looks good, let's fire it off:

No joy. I'm not really sure what it's complaining about -- I'm just going to hard-code our target:

With a little mod, let's fire it up once more:

Cool. This time we have a successful execution. Let's see if our file is on the server:

Excellent! Now here's where I burned a few minutes. It's possible to execute commands directly without echoing them into a file, and it's also possible to write a bit more than just a smiley into the file. That said, I tried various methods for executing commands and uploading shells, and one way or another something would get slightly mangled. It is possible to substitute special characters, like " for a single quote, but nothing we pass goes through exactly as I'd want it, so I got bored and moved to Metasploit.

Let's set up our options:

Looks good, let's run the exploit:

Excellent! We have our low-privilege shell. Let's take a look around:

/etc/passwd is world-writable. At first I tried changing www-data to 0:0, but it never upgraded my account to root no matter how hard I tried. I also noticed the hash was in the passwd file; I tried cracking it, but no joy. Finally, I copied the passwd file, modified it with a known hash, and, after making a backup of the original, replaced the original.
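The two conditions that made this escalation possible, a passwd file a low-privilege user can write and a password hash kept in passwd rather than shadow, are cheap to audit. The following Python is an added example and not part of the original post; the sample passwd contents and the hash string are constructed placeholders, and the function names are my own.

```python
import os
import stat
from typing import List, Tuple

# Constructed sample passwd contents (not taken from the box): one account
# rewritten to UID 0 and one with a placeholder hash kept in passwd.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:0:0:www-data:/var/www:/bin/sh
indishell:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1000:1000::/home/indishell:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "account locked", never a hash.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd_entries(text: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for risky passwd lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "non-root account with UID 0"))
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            findings.append((user, "password hash stored in passwd"))
    return findings


def classify_mode(mode: int, uid: int) -> List[str]:
    """Name the permission problems that let a low-priv user edit the file."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if uid != 0:
        problems.append("not owned by root")
    return problems


def audit_passwd_file(path: str = "/etc/passwd") -> List[str]:
    """Stat the real file and report its permission problems."""
    st = os.stat(path)
    return classify_mode(st.st_mode, st.st_uid)
```

Run `audit_passwd_file()` alongside `audit_passwd_entries(open("/etc/passwd").read())` on a host to get the same findings the walkthrough exploits by hand.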

Now let's SSH in as indishell to see if that worked:

After logging in as indishell, I checked sudoers and, once I learned indishell had ALL : ALL, I ran sudo su for root.

As a side note: I played around with the Tomcat port after getting root. I opened up /etc/tomcat7/tomcat-users.xml -- there are some restrictions. I ran out of time, but I want to go back and see what's keeping me from getting into the manager app. Too many boxes, not enough time.