ENUMERATION
Nmap tcp full scan
nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.9
The nmap output highlighted the presence of:
- a web server on port 80: IIS 7.5. From the title page the web server was running Drupal 7. Default Drupal files are listed within the http-robots.txt entry.
- msrpc on ports 135 and 49154: Microsoft Windows RPC.
Since the web server is using Drupal, I used droopescan to enumerate it.
droopescan scan drupal -u http://10.10.10.9 -t 32
The Drupal version was 7.54.
Another possible way to enumerate the version was browsing to /CHANGELOG.txt.
EXPLOITATION
searchsploit results for drupal 7.5 were interesting. A lot of RCE exploits are available for this CMS. I had already used drupalgeddon in the past (with msf), so, since I'm avoiding metasploit use, the first call was for the stand-alone ruby version.
I decided to download the exploit from the github repo that I found searching for:
drupal 7.54 exploit github
- drupalgeddon2 (CVE-2018-7600)
The exploit allows an unauthenticated attacker to perform remote code execution on default or common Drupal installations.
The vulnerability is well explained here:
In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, an attacker could inject a malicious payload into the internal form structure, which Drupal would then execute without user authentication.
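From the defender's side, the FAPI weakness described above shows up in the web server logs as render-array property names (the '#'-prefixed keys of Drupal's internal form structure) arriving in URLs that Drupal's AJAX callbacks consume. The following Python is an added example, not code from this write-up or from the exploit repository: it parses IIS W3C log lines and flags the URL-side indicators of a CVE-2018-7600 attempt. The log lines, client IP addresses and form build ids are constructed for illustration. IIS does not record POST bodies, so property names carried in the body are not visible here and need a WAF or request-body logging to catch.

```python
"""Flag CVE-2018-7600 (Drupalgeddon2) attempts in IIS W3C logs.

Added example, not part of the original write-up. The log below is
constructed; only URL-side indicators are checked because IIS does not
log POST bodies.
"""
from urllib.parse import parse_qs, unquote

# Constructed sample log in IIS W3C format (abbreviated field list).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2018-04-13 10:01:02 GET /CHANGELOG.txt - 10.10.14.5 200
2018-04-13 10:01:09 GET /user/login - 10.10.14.5 200
2018-04-13 10:02:31 POST /user/password - 10.10.14.5 200
2018-04-13 10:02:32 POST / q=file/ajax/name/%23value/form-AbCdEf 10.10.14.5 200
2018-04-13 10:03:00 POST /user/register element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax 10.10.14.7 200
2018-04-13 10:04:12 GET /node/1 _wrapper_format=drupal_ajax 10.10.14.9 200
2018-04-13 10:05:40 GET /file/ajax/field_image/und/0/form-XyZ - 10.10.14.11 200
"""


def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log record before #Fields: header")
        # Split into exactly len(fields) tokens; the last field keeps any spaces.
        yield dict(zip(fields, raw.split(" ", len(fields) - 1)))


def drupalgeddon2_indicators(rec):
    """Return the URL-side indicators found in one record (empty list = clean)."""
    stem = unquote(rec.get("cs-uri-stem", "/"))
    query = rec.get("cs-uri-query", "-")
    params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
    # Drupal 7 without clean URLs routes every request through ?q=<path>.
    path = params["q"][0] if params.get("q") else stem
    segments = path.strip("/").split("/")
    found = []
    # Drupal 7 style: a file/ajax callback path naming a '#' render property.
    # A legitimate file-field upload uses the same path without any '#' segment.
    if "/file/ajax/" in "/" + path.strip("/") + "/" and any(
        s.startswith("#") for s in segments
    ):
        found.append("render property in file/ajax path")
    # Drupal 8 style: element_parents pointing at a '#' render property.
    # Plain _wrapper_format=drupal_ajax on its own is normal AJAX traffic.
    if params.get("_wrapper_format") == ["drupal_ajax"] and any(
        "#" in v for v in params.get("element_parents", [])
    ):
        found.append("render property in element_parents")
    return found


def scan_log(text):
    """Return [(c-ip, cs-uri-stem, indicators)] for every flagged record."""
    hits = []
    for rec in parse_iis_w3c(text):
        indicators = drupalgeddon2_indicators(rec)
        if indicators:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], indicators))
    return hits


if __name__ == "__main__":
    for ip, stem, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem}: {', '.join(indicators)}")
```

Of the seven constructed records, only the two carrying a '#' render property are reported; the ordinary Drupal AJAX request on /node/1 and the genuine file-field upload under /file/ajax/ are left alone, which is the distinction a rule on the bare `_wrapper_format=drupal_ajax` or `file/ajax` strings would miss. The durable fix is the one Drupal shipped in SA-CORE-2018-002 (Drupal 7.58 for the 7.x branch), which rejects these property names in user input; the log check is for finding attempts against hosts that have not been updated.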
The highline module was missing. After installing highline, the exploit worked well, directly dropping a shell.
Anyway, the shell was limited. For example, I couldn't cd into other directories.
The next step was to obtain an nc reverse shell.
The reverse shell was running as nt authority\iusr, which had enough permissions to read user.txt.
PRIVILEGE ESCALATION
systeminfo indicated that the system wasn't patched.
In Devel we had already used ms11-046.exe with version 6.1.7600 Build 7600, so I tried it first. It was a bust because the exploit was for 32-bit OS versions.
The user's privileges suggested using JuicyPotato.
This machine was perfect to put into practice what we mentioned in the Devel write-up: the default CLSID doesn't work every time, so in that situation you should try different ones.
I took the first one from the Windows Server 2008 R2 Enterprise list.
With this new CLSID the exploit worked perfectly...
...and we were able to get root.txt.txt.
EXTRA
MS15-051
Another way to privesc was exploiting MS15-051.
ms15-051x64.exe whoami