HTB : Bastard



Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.


Web Enumeration

I tried to run gobuster and other directory enumeration tools, but they weren’t working.

Port 80

It is running the Drupal 7 CMS.

Drupal 7 is a free and open-source content management system (CMS) that was released in 2011. It offers a flexible framework for building and managing websites, with a large and active community of developers and users contributing to its ongoing development and support.

From the initial nmap scan, we can see the robots.txt file.

robots.txt

We find CHANGELOG.txt, which usually shows the Drupal version.

/CHANGELOG.txt
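
As an added example (not part of the original write-up), this Python script shows how a site owner could check which version a served CHANGELOG.txt discloses and compare it with a patch baseline. The sample text, the baseline value and the function names are assumptions constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed sample in the layout Drupal 7 uses for CHANGELOG.txt
# (release heading, dashed underline, bullet notes). Not the target's file.
SAMPLE_CHANGELOG = """\

Drupal 7.2, 2000-01-02
----------------------
- Constructed entry for illustration.

Drupal 7.1, 2000-01-01
----------------------
- Constructed entry for illustration.
"""

# Release heading: "Drupal <major>.<minor>[.<patch>][suffix], <date>".
# Placeholder headings such as "Drupal 7.xx, xxxx-xx-xx" do not match.
HEADING = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?\S*, (\S+)[ \t]*$", re.M)

def disclosed_version(changelog: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), date) for the newest release heading, or None."""
    releases = []
    for m in HEADING.finditer(changelog):
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
        releases.append((version, m.group(4)))
    # Take the maximum rather than trusting the order of entries in the file.
    return max(releases, key=lambda r: r[0]) if releases else None

def audit(changelog: Optional[str], baseline: Tuple[int, int, int]) -> str:
    """Classify one site; changelog is the fetched body, or None if not served."""
    if changelog is None:
        return "ok: CHANGELOG.txt not served"
    found = disclosed_version(changelog)
    if found is None:
        return "review: file served but no release heading parsed"
    version, date = found
    label = ".".join(map(str, version if version[2] else version[:2]))
    if version < baseline:
        return f"fix: discloses Drupal {label} ({date}), older than baseline"
    return f"harden: discloses Drupal {label} ({date}); block the file"

if __name__ == "__main__":
    # baseline is the operator's own minimum patched release (constructed here).
    print(audit(SAMPLE_CHANGELOG, baseline=(7, 3, 0)))
```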


Let’s use searchsploit to find an exploit.

Searchsploit

According to the exploit’s help file, we need to set a line to false because we are running the exploit against a Windows machine.

We might need to install additional dependencies for the script to work.


Initial shell

System enumeration


Privilege escalation

Let’s run Windows Exploit Suggester to find some potential exploits.

There are many exploits to choose from; let’s try MS10-059.

MS10-059 is a security vulnerability in the Windows operating system that was discovered in 2010. The vulnerability allows an attacker to execute arbitrary code on a victim’s machine by exploiting a flaw in the way that the Windows kernel handles certain types of font files. The exploit can be used to gain remote access to a victim’s computer, steal data, or carry out other malicious actions.

Get the exploit from the site below and upload it to the victim machine.

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

Before running the exploit, set up a netcat listener.

With the admin shell gained, we can get the flags from the users’ desktops.
