Bastard

Summary

  • Only a few ports open: IIS on port 80 and MSRPC services on 135 and 49154.

  • Detected Drupal 7.54 running on the webserver, confirmed with droopescan.

  • Exploited Drupal REST API file upload vulnerability (CVE-2017-6347 via exploit-db 41564).

  • Gained a web shell by chaining file upload and remote execution logic into one payload.

  • Delivered nc64.exe via HTTP and got a reverse shell.

  • Privilege escalation achieved with JuicyPotato using a known CLSID.


Enumeration

sudo nmap -sV -p- 10.10.10.9 -oA bastardNmap -T 5

Nmap Output:

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC

  • Navigating to http://10.10.10.9/ revealed a default Drupal 7 site.

  • Discovered potential user IDs (0, 1, and 5) via enumeration.

Droopescan Output

  • Confirmed version: Drupal 7.54

  • Detected modules: ctools, libraries, services

  • Exposed /CHANGELOG.txt, /user/login


Initial Foothold

  1. Used Exploit-DB 41564, a Drupal REST API RCE, to upload a PHP web shell.

  2. Modified exploit’s $file and $phpCode to:

    • Validated the upload with a test payload (echo "Dhawan was here!")

    • Then swapped in the full reverse shell controller:

  3. Used this controller to upload nc64.exe and execute it:

  • Reverse shell established! 👏
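From the defender's side, the foothold above leaves a recognisable trace in the IIS logs: a POST to the Services REST endpoint from one client, followed by requests for a PHP file that is not one of Drupal 7's front controllers. The script below is an added example, not part of the original writeup or of any tool it mentions. It parses IIS W3C log lines and flags that sequence. The log lines are constructed, and the /rest mount point is an assumption: the Services REST endpoint path is configured per site.

```python
"""Added example: flag the foothold pattern from this writeup in IIS W3C logs.

The constructed log lines below imitate what IIS 7.5 records for a Drupal 7
site; they are not taken from the box.
"""
import posixpath

# Drupal 7 core's directly requested PHP entry points; every other page is
# served through index.php, so a request for some other .php file is unusual.
KNOWN_FRONT_CONTROLLERS = {
    "index.php", "cron.php", "update.php", "install.php",
    "authorize.php", "xmlrpc.php",
}

# Assumption: the Services module REST endpoint is mounted at /rest. The path
# is chosen per site in the Services configuration, so adjust it to yours.
REST_PREFIX = "/rest/"

# Constructed sample (hypothetical client addresses, W3C default-style fields).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-03-20 10:00:01 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.5 Mozilla/5.0 200
2017-03-20 10:00:05 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.5 python-requests/2.18 200
2017-03-20 10:00:06 10.10.10.9 GET /shell.php cmd=whoami 80 - 10.10.14.5 python-requests/2.18 200
2017-03-20 10:00:09 10.10.10.9 GET /shell.php cmd=ipconfig 80 - 10.10.14.5 python-requests/2.18 200
2017-03-20 10:02:00 10.10.10.9 GET /index.php q=node 80 - 10.10.14.20 Mozilla/5.0 200
2017-03-20 10:02:03 10.10.10.9 POST /user/login - 80 - 10.10.14.20 Mozilla/5.0 302
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map the columns
        yield dict(zip(fields, values))


def analyze(text, rest_prefix=REST_PREFIX):
    """Return findings in log order: REST POSTs and off-layout PHP requests."""
    findings = []
    rest_posters = set()  # clients that have POSTed to the REST endpoint so far
    for rec in parse_iis_w3c(text):
        client = rec["c-ip"]
        stem = rec["cs-uri-stem"]
        when = f'{rec["date"]} {rec["time"]}'
        if rec["cs-method"] == "POST" and stem.startswith(rest_prefix):
            rest_posters.add(client)
            findings.append({"client": client, "time": when, "uri": stem,
                             "reason": "POST to Services REST endpoint"})
        elif (stem.lower().endswith(".php")
              and posixpath.basename(stem.lower()) not in KNOWN_FRONT_CONTROLLERS):
            reason = "request for a PHP file outside Drupal's front controllers"
            if client in rest_posters:
                reason += " after a REST POST from the same client (possible dropped web shell)"
            findings.append({"client": client, "time": when, "uri": stem,
                             "reason": reason})
    return findings


def flagged_clients(text, rest_prefix=REST_PREFIX):
    """Clients that both POSTed to the REST endpoint and then hit an off-layout PHP file."""
    posted, dropped = set(), set()
    for f in analyze(text, rest_prefix):
        (posted if f["reason"].startswith("POST") else dropped).add(f["client"])
    return posted & dropped


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} {f["uri"]}: {f["reason"]}')
    print("clients to investigate:", sorted(flagged_clients(SAMPLE_LOG)))
```

On a site with legitimate REST clients the plain "POST to Services REST endpoint" finding fires routinely, so the chained finding (same client, REST POST followed by a request for a PHP file outside the core layout) is the one worth alerting on; the front-controller set also needs extending if the site exposes other .php files on purpose.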


Privilege Escalation

Tried multiple methods (GodPotato, PrintSpoofer, post-exploit suggester); none worked.

Finally used the JuicyPotato exploit with the correct CLSID:

  • Reverse shell on port 555 gave SYSTEM access.
