root💀n16hth4wk-sec:~#

Hack Enumerate Harder!. Eat. Sleep. Repeat.


First enumeration with nmap

# Nmap 7.93 scan initiated Tue May 16 23:11:48 2023 as: nmap -sC -sV -T4 -oN normal.txt -p 80,135 -Pn 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.15s latency).

PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Welcome to Bastard | Bastard
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-generator: Drupal 7 (http://drupal.org)
135/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/

Cool, now we know which ports and services are running: IIS 7.5 on 80/tcp (with robots.txt and the http-generator header already pointing at Drupal 7) and MSRPC on 135/tcp.
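Reading a scan like the one above by eye works for two ports, but the same output is worth turning into a checklist of things the server's owner should fix. The following is an added example, not code from this writeup: it parses nmap's `-oN` normal output (the sample string is the scan shown above, trimmed) and turns the script results into defender-facing findings. The parsing regexes and the finding texts are my own assumptions about what matters; adjust them to your environment.

```python
import re
from dataclasses import dataclass, field

# Copied from the nmap -oN output shown above (trimmed to the lines the parser uses).
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated Tue May 16 23:11:48 2023 as: nmap -sC -sV -T4 -oN normal.txt -p 80,135 -Pn 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.15s latency).

PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Welcome to Bastard | Bastard
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-generator: Drupal 7 (http://drupal.org)
135/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# A port line: "80/tcp  open  http    Microsoft IIS httpd 7.5"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script output lines start with "| " or "|_"
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)


def parse_nmap_normal(text: str) -> dict:
    """Parse -oN output into {port_number: PortInfo}; script lines attach to the last port seen."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortInfo(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            ports[current.port] = current
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current.script_lines.append(m.group(1))
    return ports


def assess(ports: dict) -> list:
    """Turn script results into hardening findings (my own checklist, not nmap's)."""
    findings = []
    for p in sorted(ports.values(), key=lambda x: x.port):
        text = "\n".join(p.script_lines)
        if "Potentially risky methods: TRACE" in text:
            findings.append(f"{p.port}/{p.proto}: HTTP TRACE enabled; disable it (it echoes request headers back)")
        gen = re.search(r"http-generator:\s*(.+)", text)
        if gen:
            findings.append(f"{p.port}/{p.proto}: generator header reveals CMS '{gen.group(1).strip()}'; "
                            "confirm it is patched and suppress the header")
        if "http-robots.txt" in text:
            leaked = [t for t in re.findall(r"/\S+", text)
                      if t.upper().endswith(".TXT") or t.lower().endswith(".php")]
            if leaked:
                findings.append(f"{p.port}/{p.proto}: robots.txt lists installer/changelog files {leaked}; "
                                "remove or block them (CHANGELOG.txt gives the exact version)")
        if p.service == "msrpc":
            findings.append(f"{p.port}/{p.proto}: MSRPC reachable from the scanning host; restrict it if not required")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap_normal(SAMPLE_SCAN)):
        print(finding)
```

The same two functions run unchanged over any `-oN` file, so the checklist can be regenerated after each remediation pass to confirm the TRACE method, the generator header and the installer files are gone.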


We noticed a web server on port 80; opening it in a browser shows it is running the Drupal CMS. Let's check for exploits online.


Found an RCE exploit on GitHub… exploit. Cloned the repo; let's run the exploit:


Cool, we got RCE. Let's pop a reverse shell: fire up an ncat listener.


Run a PowerShell base64-encoded reverse shell payload, then check the ncat listener.


Boom, got a reverse shell.
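From the blue-team side, the chain above (web RCE, then an encoded PowerShell one-liner calling back out) leaves two loud traces in process-creation telemetry: the IIS worker process `w3wp.exe` spawning a shell, and a `-EncodedCommand` that decodes to raw socket or download-and-run code. This added example (mine, not from the writeup) shows both checks over constructed Sysmon-style records; the field names, the suspicious-substring list and the sample command lines are assumptions for illustration.

```python
import base64

def _enc(ps: str) -> str:
    # -EncodedCommand carries the script as base64 of UTF-16LE text
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (not telemetry from the box above).
# Fields mirror what Sysmon Event ID 1 / EDR logs expose.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc "
                + _enc("$c = New-Object System.Net.Sockets.TCPClient('203.0.113.5', 4444)")},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
]

WEB_WORKERS = {"w3wp.exe"}                       # IIS worker process hosting the CMS
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Substrings that, once decoded, indicate raw sockets or download-and-run rather than admin work.
SUSPICIOUS = ["Net.Sockets.TCPClient", "Invoke-Expression", "IEX", "DownloadString", "FromBase64String"]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand
    (PowerShell also accepts any unambiguous prefix: -e, -ec, -enc, ...), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith("-e") and "encodedcommand".startswith(flag[1:]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(event: dict) -> list:
    """Return the reasons this process-creation event deserves an alert (empty if none)."""
    reasons = []
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if parent in WEB_WORKERS and image in SHELLS:
        reasons.append(f"web server worker {parent} spawned {image}")
    lowered = cmdline.lower()
    if "-w hidden" in lowered or "-windowstyle hidden" in lowered:
        reasons.append("hidden window requested")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits = [s for s in SUSPICIOUS if s.lower() in decoded.lower()]
        if hits:
            reasons.append("encoded command contains " + ", ".join(hits))
    return reasons


def run_sample() -> list:
    return [analyze(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, run_sample()):
        print(event["image"], "->", reasons or "ok")
```

The fourth record is deliberately an encoded but harmless command: encoding alone is not a verdict, so the rule only fires on the decoded content, while the parent/child check needs no decoding at all and is the higher-confidence signal for a compromised web application.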

Privilege Escalation


First check systeminfo; copy its output into a file and save it.


Ran windows-exploit-suggester (found here). It lists many kernel exploits we can use; let's go with MS10-059, which you can find at windows-exploit.
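The suggester works from the same `systeminfo` text an administrator can collect for a patch audit, so the defensive counterpart is to parse that output and diff the installed hotfix list against the patches you require. This added example (mine, not the writeup's or windows-exploit-suggester's code) does that over a constructed `systeminfo` excerpt; the hostname, hotfix numbers and the "EXAMPLE-BULLETIN" entry are made up, and the MS10-059 to KB982799 mapping is from memory and should be verified against the Microsoft bulletin before use.

```python
import re

# Constructed systeminfo excerpt in the layout the real command prints
# (the writeup saved the box's real output to a file; this is not that file).
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
Network Card(s):           1 NIC(s) Installed.
"""

# Bulletin -> KB that must be present. MS10-059/KB982799 is recalled, not taken
# from the page: verify it. EXAMPLE-BULLETIN/KB2222222 is a constructed entry.
REQUIRED_PATCHES = {
    "MS10-059": "KB982799",
    "EXAMPLE-BULLETIN": "KB2222222",
}

KEY_RE = re.compile(r"^(\S[^:]*):\s*(.*)$")          # "OS Version:   6.1.7600 ..."
HOTFIX_RE = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)", re.I)  # "   [01]: KB1111111"


def parse_systeminfo(text: str) -> dict:
    """Return the key/value fields plus a 'hotfixes' set of installed KB numbers."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = HOTFIX_RE.match(line)
        if m:
            info["hotfixes"].add(m.group(1).upper())
            continue
        m = KEY_RE.match(line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def missing_patches(info: dict, required: dict) -> list:
    """List (bulletin, KB) pairs from `required` that are not installed."""
    return [(bulletin, kb) for bulletin, kb in required.items()
            if kb.upper() not in info["hotfixes"]]


def service_pack_note(info: dict):
    """Windows 7 / Server 2008 R2 RTM reports build 7600; SP1 raised it to 7601."""
    if info.get("OS Version", "").startswith("6.1.7600"):
        return "build 7600: Service Pack 1 (build 7601) has not been applied"
    return None


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["OS Name"], "|", info["OS Version"])
    for bulletin, kb in missing_patches(info, REQUIRED_PATCHES):
        print("missing:", bulletin, kb)
    if service_pack_note(info):
        print(service_pack_note(info))
```

Run it against a freshly collected `systeminfo > sysinfo.txt` and the output is the same list the suggester would turn into candidate exploits, read the other way round: every line is a patch to apply.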


Download the exe file and send it to the target.


Ran the exploit and boom, got a reverse shell as nt authority\system.