From nmap, there are http and msrpc opened

Local Picture

This is the web page. It is running Drupal 7.

Local Picture

In the CHANGELOG.txt, we know that it’s version 7.54.

Local Picture

In searchsploit, there is a RCE script for this version.

Local Picture

Local Picture

Local Picture

After executing the script, I got a webshell as iusr.

Local Picture

Create a reverse shell.

Local Picture

Local Picture

Upload Sherlock.ps1, and execute Find-AllVulns.

Local Picture

Local Picture

Local Picture

Pick one of the vulnerability and found its exploit in github. Use impacket to create smb share, and download the exploit from my server. Execute the exploit script for a reverse shell.

Local Picture

Local Picture

Finally, I got a reverse shell as administrator.

Local Picture