We start, as always, with NMAP

root@Kali2:~/Downloads# nmap -sC -sV 10.10.10.9
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-16 09:59 CEST
Nmap scan report for 10.10.10.9
Host is up (0.018s latency).
Not shown: 997 filtered ports
PORT  	STATE SERVICE VERSION
80/tcp	open  http	Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.94 seconds

From here we can already see interesting things such as logins, changelogs, etc.

Both the scan and visiting the site in a browser show that it is Drupal, so we use droopescan

root@Kali2:~/Downloads# droopescan scan drupal -u 10.10.10.9
[+] Themes found:
	seven http://10.10.10.9/themes/seven/
	garland http://10.10.10.9/themes/garland/

[+] Possible interesting urls found:
	Default changelog file - http://10.10.10.9/CHANGELOG.txt
	Default admin - http://10.10.10.9/user/login

[+] Possible version(s):
	7.54

[+] Plugins found:
	ctools http://10.10.10.9/sites/all/modules/ctools/
    	http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
    	http://10.10.10.9/sites/all/modules/ctools/changelog.txt
    	http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
    	http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
    	http://10.10.10.9/sites/all/modules/ctools/API.txt
	libraries http://10.10.10.9/sites/all/modules/libraries/
    	http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
    	http://10.10.10.9/sites/all/modules/libraries/changelog.txt
    	http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
    	http://10.10.10.9/sites/all/modules/libraries/README.txt
    	http://10.10.10.9/sites/all/modules/libraries/readme.txt
    	http://10.10.10.9/sites/all/modules/libraries/README.TXT
    	http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
	services http://10.10.10.9/sites/all/modules/services/
    	http://10.10.10.9/sites/all/modules/services/README.txt
    	http://10.10.10.9/sites/all/modules/services/readme.txt
    	http://10.10.10.9/sites/all/modules/services/README.TXT
    	http://10.10.10.9/sites/all/modules/services/LICENSE.txt
	image http://10.10.10.9/modules/image/
	profile http://10.10.10.9/modules/profile/
	php http://10.10.10.9/modules/php/

[+] Scan finished (0:58:57.307825 elapsed)
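What droopescan surfaces here is mostly disclosure: a version string and a set of default text files (CHANGELOG.txt, README.txt, LICENSE.txt, API.txt) that remain readable after installation. The following is an added example, not part of the original write-up or of droopescan, that parses output in the shape shown above and turns it into a hardening list for the site owner. The SAMPLE_SCAN text is a constructed excerpt, and the list of file names treated as "default text files" is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt in the same text shape as the droopescan
# output above (this is not the tool's own code, only its output format).
SAMPLE_SCAN = """\
[+] Possible interesting urls found:
    Default changelog file - http://10.10.10.9/CHANGELOG.txt
    Default admin - http://10.10.10.9/user/login

[+] Possible version(s):
    7.54

[+] Plugins found:
    ctools http://10.10.10.9/sites/all/modules/ctools/
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/ctools/API.txt
    services http://10.10.10.9/sites/all/modules/services/
        http://10.10.10.9/sites/all/modules/services/README.txt
    php http://10.10.10.9/modules/php/
"""

# Default text files shipped with Drupal core and contrib modules (assumed list).
# They only disclose version/installation details, so they can be deleted or
# denied at the web server once the site is installed.
DEFAULT_TEXT_FILES = re.compile(
    r"/(CHANGELOG|INSTALL[^/]*|LICENSE|MAINTAINERS|README|API)\.txt$", re.I
)


def parse_droopescan(text):
    """Split droopescan text output into version strings, URLs and plugin URLs."""
    result = {"version": [], "urls": [], "plugins": defaultdict(list)}
    section = None
    plugin = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[+]"):
            # "[+] Plugins found:" -> "plugins found"
            section = line[3:].strip().rstrip(":").lower()
            plugin = None
            continue
        if section is None:
            continue
        if section.startswith("possible version"):
            result["version"].append(line)
        elif section.startswith("possible interesting urls"):
            _, _, url = line.partition(" - ")
            result["urls"].append(url)
        elif section.startswith("plugins found"):
            m = re.match(r"^(\w+)\s+(https?://\S+)$", line)
            if m:
                plugin = m.group(1)
                result["plugins"][plugin].append(m.group(2))
            elif plugin and line.startswith("http"):
                # indented sub-URLs belong to the plugin named on the line above
                result["plugins"][plugin].append(line)
    return result


def hardening_findings(parsed):
    """Turn the parsed scan into actionable findings for the site owner."""
    findings = []
    for v in parsed["version"]:
        findings.append(f"version disclosed: Drupal {v}")
    all_urls = list(parsed["urls"])
    for urls in parsed["plugins"].values():
        all_urls.extend(urls)
    for url in all_urls:
        if DEFAULT_TEXT_FILES.search(url):
            findings.append(f"default text file reachable, remove or deny: {url}")
    return findings


if __name__ == "__main__":
    for f in hardening_findings(parse_droopescan(SAMPLE_SCAN)):
        print(f)
```

On the sample above this yields one version finding and four exposed default files; the Default admin login URL is parsed but not flagged, since /user/login is a normal Drupal path rather than a leftover file.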

You can use https://www.exploit-db.com/exploits/41564 to exploit it, with the endpoint path set to /rest.
It just has two errors, on lines 16 and 71.

If it still doesn't work after that, it's because the PHP cURL extension isn't installed on your Kali. Try:

root@kali:~/Desktop# apt-get install php-curl
root@kali:~/Desktop# systemctl restart apache2

After running it you will have two files, a user one and a session one.

#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries

If you copy the session information into a new cookie, with session name as the name and id as the value, and refresh the page, you will be admin 🙂
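The last step works because Drupal trusts the session cookie alone: whoever presents the id is the admin. The defensive counterpart is to notice when one session id is presented from more than one client. The following is an added example, not part of the original write-up, that does this over IIS W3C log lines. The SAMPLE_LOG excerpt is constructed, the cookie name SESSd0c1c0de is a made-up Drupal-style name, and it assumes cs(Cookie) logging has been enabled on the IIS site (it is off by default).

```python
import re
from collections import defaultdict

# Constructed IIS 7.5 W3C log excerpt (not taken from the box). IIS writes '+'
# in place of spaces inside field values, so each field is one whitespace token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2019-10-16 08:01:12 10.10.10.9 GET /user/login - 10.10.14.5 Mozilla/5.0 - 200
2019-10-16 08:01:15 10.10.10.9 POST /user/login - 10.10.14.5 Mozilla/5.0 SESSd0c1c0de=abc123 302
2019-10-16 08:02:03 10.10.10.9 GET /admin - 10.10.14.5 Mozilla/5.0 SESSd0c1c0de=abc123 200
2019-10-16 08:07:44 10.10.10.9 GET /node/1 - 10.10.14.5 Mozilla/5.0 SESSd0c1c0de=xyz789 200
2019-10-16 08:09:30 10.10.10.9 GET /admin - 10.10.14.22 curl/7.64.0 SESSd0c1c0de=abc123 200
2019-10-16 08:09:31 10.10.10.9 GET /admin/people - 10.10.14.22 curl/7.64.0 SESSd0c1c0de=abc123 200
"""

# Drupal 7 session cookies are named SESS<hash> (SSESS<hash> over HTTPS).
SESSION_COOKIE = re.compile(r"\bS?SESS[0-9a-f]+=([^;\s]+)")


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            # skip malformed rows instead of silently misaligning columns
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def find_shared_sessions(rows):
    """Return {session_id: {(client_ip, user_agent), ...}} for every session id
    that was presented from more than one client IP address."""
    clients = defaultdict(set)
    for r in rows:
        m = SESSION_COOKIE.search(r.get("cs(Cookie)", ""))
        if not m:
            continue
        clients[m.group(1)].add((r["c-ip"], r["cs(User-Agent)"]))
    return {
        sid: c for sid, c in clients.items()
        if len({ip for ip, _ in c}) > 1
    }


if __name__ == "__main__":
    for sid, c in find_shared_sessions(parse_iis_log(SAMPLE_LOG)).items():
        print(f"session {sid} used from {len(c)} distinct clients: {sorted(c)}")
```

A session id seen from a second IP with a different User-Agent, especially on /admin paths, is the signal to invalidate that session server-side and review how it leaked. Binding sessions to the client address is not a full fix (NAT and mobile users change address), which is why this is written as a detection rather than a blocking rule.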

https://redteamtutorials.com/2018/11/07/hack-the-box-bastard/

empire and sherlock