Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…


Starting of with a port scan.

Looks like a a drupal site and a fully stuffed robots.txt file. Also some RPC on a ephemeral port.

It runs probably on a windows server 2008 R2.
Let’s start with a scan of drupal.

The version of Drupal is 7.54 so let’s check searchsploit for possible exploits.

No direct exploit for version 7.54 but several for either 7.x or 7.58 and higher. The higher ones are with ruby scripts and the 7.x with a php script. Lets go for that one first.

After looking inside the script it looks like this exploit was written for version 7.54 after all (but probably can work with different versions 7).
I’ll change the url and the payload (just because I prefer a reverse shell). For this one I use the pentestmonkey reverse php script and modify it a bit to work with windows.
Then I’ll adjust the php script.

When running the script I get a lot off errors:

After looking at the script again it looks like there a numerous break-lines at some comments which will give these errors.

Again…an error. This time it’s because I don’t have php-curl installed.

After installing the correct package the php script runs but stops at a password fail. But why? Normally when you execute php in your browser you can intercept it with a proxy like burp.
But now I want to intercept the traffic that is been generated from the cli. For that I’m going to create a proxy and run everything through it. For this I use burp.

With these settings Burp is set up to intercept all traffic that is run through the tunnel. Now to change the url inside the php script so it runs everything through Burp.

When looking at the header I see that the uri is different then from the dirsearch scan in the beginning. It’s not ‘rest_endpoint’, but just ‘rest’. Adjusting the script and changing back the IP address.

Looks like the script ran just fine now.

Even with the adjustments, it looks like the shell is just not working properly. It runs the cmd command, but there is no response from any command. Let’s try that again with another command: systeminfo:

I got systeminfo and whoami, but again no further interaction. The shell just freezes up. I can repeat the same process over and over again to get the flag, but that’s really gonna work on my nerves. So I need to find another way in.
Because I’ve tried it with different msfvenom payloads as well as other php payloads from the internet and getting the same result…..I looked up some other ways to exploit the vulnerability and one way was given by IppSec.

This piece of php is added to the php exploit script and will give 2 parameters which will have an upload function and a browse function on the remote machine.

And it works. Nice. Let’s see if this way is more stable.
So atm I have a stable way of enumerating this machine, but unfortunately I still have a low privileged account. Let’s grab the systeminfo and run it through windows-exploit-suggester.

Some possible exploits. When searching the internet for some useful scripts, there is a site which lists scripts you can use for windows kernel exploits and there is one I didn’t know.
A powershell script called Sherlock from rasta-mouse. So let’s try that one also.

This script looks for newer vulnerabilities and it looks like there a three possibilities. The MS10-092, MS15-051 and MS16-032 are possibly vulnerable. The first one exploits the Task Scheduler 2.0 XML 0day which was exploited by Stuxnet. The third one uses a race condition which can be a hassle. And the second one exploits improper object handling in the win32k.sys kernel mode driver. This one has been tested on vulnerable builds of Windows 7 x64 and x86, AND Windows 2008 R2 SP1 x64. So I’ll go for this last one because I know the build of this machine matches this exploit perfectly.

After upload I run the file.

Now to get the flags.

That’s one.

And that’s two.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.