Today we will learn how to take full control of a web server that uses Drupal to host a service.
According to Wikipedia, Drupal is a free and open-source content management framework written in PHP.
Drupal provides a back-end framework for at least 2.3% of all web sites worldwide, ranging from personal blogs to corporate, political, and government sites. Source: Wikipedia
In other words, while learning hacking it is very likely that we will come across a web server hosting a Drupal site and need to get access to it.
Before starting I want to clarify that all my published content is produced for educational, informative and ethical purposes.
I am not responsible for any misuse you may make of it.
With this tutorial you will learn:
How to enumerate the Drupal CMS and a Windows machine.
How to intercept requests with Burp Suite.
How to perform a simple port scan with Nmap.
How to get a Meterpreter session with Metasploit.
How to perform directory discovery with DIRB.
How to search for exploits with Searchsploit.
How to use Sherlock.ps1 and PowerShell Empire (PowerUp.ps1).
How to hijack a session using a cookie with Burp Suite.
How to hijack a session using a cookie with Google Chrome.
How to modify PHP-based exploits.
How to get a reverse shell with Netcat.
To carry out this demonstration, we will perform a penetration test on a vulnerable machine called Bastard published on the HackTheBox platform.
Any attempt to compromise or take total control of a server without authorization must start with enumeration of the system.
For this we will perform a simple scan with Nmap, as follows.
Before going further, note that the scan output already identifies the system as running Drupal 7.
The Nmap port scan also shows that port 80 is open.
If we open this web page in a browser we can see that it is in fact a Drupal instance.
We are going to perform directory discovery with DIRB to see if we find anything interesting:
The Drupal version can be confirmed by browsing to 10.10.10.9/CHANGELOG.txt, a file Drupal ships in its web root and which should be removed or blocked on production sites.
We are going to use a very useful tool for finding exploits of known vulnerabilities in information systems: searchsploit.
Our search yields several results; among them we identify an exploit that, when used successfully, lets an attacker execute code remotely on the victim.
I won't go in depth on how this exploit works, but the cliff-notes version is that it attacks a REST endpoint created by the Services module. To exploit it we just need to find out the name of the REST endpoint. Honestly, exploiting this is simply a case of reading the exploit and the attached write-up.
We need to edit this exploit, which is written in PHP, by hand.
First install php-curl and copy the exploit to our working directory.
There are about three lines that need to be corrected before you can run the script.
You will see that a comment sign (#) is missing. You will also have to enter the IP (host) and change endpoint_path to "/rest". If you are wondering what this /rest or endpoint_path does, read the exploit explanation at the following link. DIRB found many subdirectories, and /Rest was one of them, which fits the scheme.
The PHP script should look like this:
After running the exploit, the following files are written for us:
The sessions.json file will let us perform session hijacking.
To run Remote Code Execution from our webshell we just need to add the parameter ?cmd= and the command we want to run.
There we go: we can now execute commands on the server.
With the command "systeminfo" we determine which operating system the machine is running and which version it is.
With the information obtained we can search for an attack vector that gives us privilege escalation on the system.
To validate this faster and in an automated way, we will run a PowerShell script that analyzes local vulnerabilities for privilege escalation.
Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. Full article
How to steal a session from a cookie with Burp Suite
In the following image, you can see that I do not have access to the route http://10.10.10.9/admin
Next, we intercept the previous request with Burp Suite.
We can see that the request carries a cookie with the value hah_js=1; what we must do is replace this value with the values that the exploit exported earlier.
The session file has the following format:
The structure of the cookie must go as follows: abc=def;token=xyz
How to steal a session from a cookie with Google Chrome
Another way to perform the process described above is to use the Google Chrome console.
Press F12, then click on console and define the cookie: document.cookie = “Session_name=Session_id;token=Token”
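From the defender's side, the two things this walkthrough has done to the web server so far, webshell commands passed through a ?cmd= parameter and a server-side session ID reused from a different client, both leave traces in the access log. The following script is an added example, not part of the original post or of any tool it mentions; it parses constructed log lines in a simplified format (client IP, method, quoted path, status, session cookie; the column layout and the file name shell.php are assumptions) and flags CHANGELOG.txt version probes, PHP requests carrying a cmd parameter, and a Drupal session cookie (SESS/SSESS prefix) seen from more than one source address.

```python
"""Detection sketch for the activity described in this walkthrough, run over
constructed web-server log lines (not traffic captured from the lab machine)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed, simplified log format: client_ip method "path" status session_cookie
# ("-" when the request carried no cookie). Real servers need a custom LogFormat
# or a WAF/proxy log that records the session cookie.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) "(?P<path>[^"]*)" (?P<status>\d{3}) (?P<cookie>\S+)$'
)

# Drupal ships CHANGELOG.txt in its web root; requesting it is the version
# probe used earlier in the post. Add other shipped text files as needed.
VERSION_PROBE_PATHS = {"/CHANGELOG.txt"}

# Constructed sample log. shell.php is a placeholder name for the dropped webshell.
SAMPLE_LOG = """\
10.0.0.5 GET "/" 200 -
10.0.0.5 GET "/CHANGELOG.txt" 200 -
10.0.0.5 GET "/user/login" 200 -
10.0.0.5 GET "/sites/default/files/shell.php?cmd=systeminfo" 200 -
10.0.0.5 GET "/admin" 403 hah_js=1
10.0.0.5 GET "/admin" 200 SESSd41d8cd9=abc123
10.0.0.99 GET "/admin" 200 SESSd41d8cd9=abc123
10.0.0.7 GET "/node/1" 200 SESS9e107d9d=def456
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["route"] = parts.path            # path without the query string
    rec["query"] = parse_qs(parts.query)  # {"cmd": ["systeminfo"]} style dict
    rec["cookie"] = None if rec["cookie"] == "-" else rec["cookie"]
    return rec


def is_version_probe(rec):
    return rec["route"] in VERSION_PROBE_PATHS


def is_webshell_call(rec):
    # A PHP resource taking a "cmd" query parameter matches the ?cmd= usage above.
    return rec["route"].lower().endswith(".php") and "cmd" in rec["query"]


def analyze(log_text):
    """Scan the log text and return findings grouped by detection type."""
    findings = {"version_probe": [], "webshell_call": [], "shared_session": []}
    session_ips = defaultdict(set)  # session cookie -> set of client IPs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_version_probe(rec):
            findings["version_probe"].append(rec["ip"])
        if is_webshell_call(rec):
            findings["webshell_call"].append(
                (rec["ip"], rec["route"], rec["query"]["cmd"][0])
            )
        # Drupal names its session cookie SESS<hash> (SSESS<hash> over HTTPS).
        if rec["cookie"] and rec["cookie"].startswith(("SESS", "SSESS")):
            session_ips[rec["cookie"]].add(rec["ip"])
    # The same session presented from two different addresses is the signature
    # of a hijacked session (the legitimate user and the attacker sharing an ID).
    for cookie, ips in session_ips.items():
        if len(ips) > 1:
            findings["shared_session"].append((cookie, sorted(ips)))
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The shared-session check is deliberately coarse: users behind changing NAT addresses or mobile networks will trip it, so in practice it is an alerting signal to combine with user-agent changes or a short time window, not a blocking rule.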
How to use PowerShell Empire
PowerShell Empire is a post-exploitation framework for computers and servers running Microsoft Windows, Windows Server operating systems, or both. Full article
We execute the following command to clone the repository:
Now that we have PSE downloaded, let's copy PowerUp.ps1 so we can edit it.
PowerUp.ps1 was written to run inside Empire, so we need to add "Invoke-AllChecks" at the bottom of the file and save.
To get the script onto the victim, I will start an HTTP server that hosts the PowerShell script; then, from the victim machine, I will download the file with a GET request to the path we specify.
We go to the folder containing our PowerShell script and run the following to start an HTTP server with Python.
Then, through PowerShell, we download the file onto the victim machine.
After requesting the URL above, our attacking machine receives the GET request for the PowerUp.ps1 file in real time.
After a couple of minutes we can see the results from PowerUp.ps1.
Looking at the results we see "access denied", which tells us that we don't have admin rights.
How to use Sherlock
Sherlock is a PowerShell script that quickly finds missing software patches for local privilege escalation vulnerabilities.
Let's try finding a vulnerability using Sherlock.ps1.
Just like before, we need to edit the end of the file, this time adding Find-AllVulns.
We can copy and execute Sherlock the same way we did PowerUp.
We download Sherlock.ps1 by accessing the following URL:
The result is as follows:
Before we do our privilege escalation we need a remote shell; we can get one with netcat.
Reverse shell with Netcat
First, we download the netcat executable for the 64-bit architecture.
Unzip the netcat files so we can upload and run them.
Set up our netcat listener.
We place nc64.exe in the folder where our HTTP server is running.
Next, I’m going to alter the initial code of the exploit a bit.
This way, the next steps will be easier:
Finally, we download the executable by accessing the following URL:
OK, we now have a reverse shell:
Among the results returned by Sherlock.ps1, we will focus on the following:
To try to exploit this vulnerability, we can download the compiled exploit from the following link:
After unzipping the downloaded file, we copy the executable to the folder where our HTTP server is running.
Now we just need to open a new nc listener and access the following URL:
Link to download the exploit and run netcat together with the exploit.
Done, we have successfully escalated privileges.
To finish, I'm going to repeat this same demonstration using another method: the whole process above, but with the Metasploit Framework.
We must generate a payload with msfvenom and then download it from the victim machine.
About the author:
Ethical Hacker - FullStack Developer
Cybersecurity Consultant and also creator of the content published in this blog.