This box was a medium-difficulty Windows box on HTB created by ch4p. It started with finding an exploit for Drupal 7.54 running on Microsoft IIS on port 80; the exploit gave us a shell as nt authority\iusr, which had permission to read the user flag from the dimitris user account. We then got a shell as nt authority\system using the MS15-051 exploit.
As always, let's start off with nmap: nmap -sC runs the default scripts. Alright, if it isn't obvious yet, I am an IPPSEC fanboi. Aight, firing up nmap to scan the open ports on the box.
And here is our nmap result
Microsoft IIS httpd 7.5 hosting a Drupal CMS. Aight, let's start enumerating the web server and, in parallel, run an all-port scan.
Enumerating the web server
Drupal's default page. Time to enumerate more using droopescan, which reported the exact Drupal version, 7.54. Now we can use searchsploit to find exploits for that specific version.
Trying exploit php/webapps/44449.rb (Drupalgeddon2, CVE-2018-7600, which affects Drupal 7 before 7.58). The first issue I faced was the \r (CRLF) line endings in the exploit script, easily fixed with dos2unix 44449.rb. Another error I faced was /usr/lib/ruby/2.7.0/rubygems/core_ext/kernel_require.rb:92:in 'require': cannot load such file -- highline/import (LoadError); simply googling the error led me to this issue, and I fixed it with sudo gem install highline.
Finally time to run the exploit.
Yes! Got a shell as nt authority\iusr.
Although I have RCE on the box, it's not a proper shell: each command is a fresh request executed from the Drupal directory, so there is no state between commands and we can't leave that directory. So I used netcat to get a reverse shell. First I hosted nc.exe on an SMB server, then ran nc.exe on the remote box straight from that share to connect back to my listener.
Rooting the box
For post-exploitation enumeration, I ran Sherlock to look for any privilege-escalation exploits.
MS15-051 (CVE-2015-1701, a win32k.sys kernel privilege escalation) looks interesting. I also tried MS16-032, but it didn't work.
I got the exploit from this GitHub repo; the zip archive there contains the compiled exploit. I copied the x64 binary to the Windows box over the SMB server and then ran it to get a shell as nt authority\system.
Here is the PoC of the exploit usage.
Now we can read the root flag.
Hope you learned something new. If you face any issues or have any queries, feel free to contact me on social media.