A walkthrough of IppSec’s YouTube video on HackTheBox - Bastard: a Windows box done without Metastploit, a few different ways to enumerate for privilege escalation, importing and exporting cookies, exploit modification and testing, setting up Burp Suite to capture an exploit’s traffic, and SMB file execution with impacket.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continuing to read, you acknowledge the aforementioned user risks and responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Enumeration
nmap scan (output):
- Port 80 - web server (IIS)
- Port 135 - Windows RPC
- Port 49154 - Windows RPC
Based on the above ports we can guess that this is a Windows server; it is less obvious that it is Windows Server 2008 R2, which we infer because the IIS version is 7.5.
Googling IIS versions shows that version 9 was skipped, basically due to a potentially lazy programmer.
web-server
The site is running Drupal, so we can use a scanner called *droopescan*.
Github Link: https://github.com/droope/droopescan
droopescan normally takes quite a bit of time (a few thousand requests).
(results after 45 min)
Note: there is another Drupal scanner called “drupscan”, but the downside is that it has not been updated.
default drupal files
/CHANGELOG.txt is a default file on Drupal installations. From it we can enumerate the version number as “7.54”, published in 2017.
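As an added example (not from the write-up and not droopescan’s code), the following Python parses the top of a Drupal 7 CHANGELOG.txt the way a site owner would when auditing their own install, and compares the reported version with a minimum the owner supplies. The changelog text and the minimum version used in the usage call are constructed assumptions; the page does not name a fixed release.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt. Only the layout
# matters here; the bullet entries are illustrative, not copied from a release.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Illustrative entry: bug fixes.

Drupal 7.53, 2016-12-07
-----------------------
- Illustrative entry: bug fixes.
"""

# Drupal lists releases newest-first as "Drupal X.Y, YYYY-MM-DD"
# (pre-releases carry a suffix such as "-rc1", which we tolerate and ignore).
ENTRY_RE = re.compile(
    r"^Drupal (\d+(?:\.\d+)+)(?:-[\w.]+)?, (\d{4}-\d{2}-\d{2})", re.MULTILINE
)


def drupal_version_from_changelog(text: str) -> Optional[Tuple[str, str]]:
    """Return (version, release_date) of the newest entry, or None if the
    text does not look like a Drupal changelog."""
    m = ENTRY_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 7.10 compares greater than 7.9."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed core version is older than the minimum the
    site owner requires (the minimum is the owner's policy, not a page value)."""
    return version_tuple(installed) < version_tuple(minimum)


def audit_changelog(text: str, minimum: str) -> dict:
    """Summarise what an exposed CHANGELOG.txt tells a visitor about the site."""
    found = drupal_version_from_changelog(text)
    if found is None:
        return {"exposed": False, "version": None, "date": None, "outdated": False}
    version, date = found
    return {
        "exposed": True,          # the file reveals the exact core version
        "version": version,
        "date": date,
        "outdated": is_outdated(version, minimum),
    }


if __name__ == "__main__":
    # "7.55" is an assumed policy minimum for the demonstration only.
    print(audit_changelog(SAMPLE_CHANGELOG, "7.55"))
```

Whatever the version turns out to be, the defensive fix is the same: remove CHANGELOG.txt from the document root or deny web access to it, so the exact core version is not handed to anyone who asks for the file.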
google drupal exploits
The first post: an exploit that gains remote code execution through “unserialize()”. Within the exploit we can see that it is directly intended for version “7.54”.
A second sign of confirmation was the date of the post, March 2017.
Searchsploit Drupal
The 7.X entry looks familiar and might be the exploit just seen in the blog post.
View exploit:
This is the blog post exploit.
There are various ways to grab a copy of the exploit. Personally I like -m, which mirrors the exploit to the working directory, but IppSec in this situation uses -p to copy the path to the clipboard, pastes it into the working directory and renames the file to drupal.php:
disassembling the exploit
It’s a PHP script, which might seem odd, but since this is a serialization exploit it makes sense.
It has three sections:
- Use the SQL injection to get the contents of the cache for the current endpoint, along with the admin credentials and hash
- Alter the cache to allow us to write a file, and do so
- Restore the cache
modify exploit
change the url:
change the filename, which was originally a Linux PHP path and might have issues on the Windows box:
create a custom php webshell within the exploit
adding a custom webshell as a new variable:
Check for code errors:
syntax error on line 80
remove the “us.”
re-run
code executes correctly.
test php code in interactive mode
paste the code and call the variable *$phpCode*
there is a mistake: the “</pre”;” tag is not closed off.
correct line:
Exploit against Web-Server
failed to login.
pipe to Burp to see the process
The simplest way to push this PHP script through Burp is to change the bind port under Options:
Request handling tab - redirect all requests to 10.10.10.9 on port 80:
tick the box for the Proxy Listener:
Navigate to 127.0.0.1:8090
Edit drupal.php to reflect the new 127.0.0.1:8090
re-run the exploit against the webserver
make sure Burp intercept is on:
change to intercept client requests (untick: Content type):
at this point we can analyze everything the server says back to us.
burp/modify exploit code directory
Right off the bat there are two slashes at the beginning of the path (requires fixing).
Response:
404 Not Found - due to the double slashes.
Through multiple guesses (“dumb luck”) it was discovered that removing the slash and the “endpoint” segment produces a 200 response. Had that directory not been found, the next step would have been a dirbuster or gobuster scan to find it:
(return)
final modified exploit
Changed the url to the target, changed the endpoint path and ensured that there was no extra slash at the end of the url:
RCE
navigating to the directory:
the file exists and now we can pass system commands directly via the browser URL
we have remote code execution
investigating files from exploit
We could try cracking this password, which looks like it belongs to the Drupal user.
Import the session cookies into Firefox: Tools > Cookies Manager+
copy the “session_name”
paste it in Add new cookie:
copy the “session_id”
paste it in Add new cookie:
save/close:
At this point, if we refresh the page we will be sending the administrator’s cookie to the web server: “Hello admin” appears in the top right corner.
Enumerating Windows
Firstly, view the environment:
In this scenario the hotfixes are “N/A”, meaning this version of Windows has never been updated.
Looking at the OS Version: 6.1.7600 N/A Build 7600 indicates that there is no service pack installed.
What we know now: Microsoft Windows Server 2008 R2 Datacenter 6.1.7600 N/A Build 7600 (no service packs installed), and “maybe” no hotfixes installed.
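The same patch-level reading, as an added Python example that is not part of the write-up: it parses `systeminfo` output and reports a missing service pack, an empty hotfix list, and any required KB that is absent. Both samples are constructed; the unpatched one mirrors the values described above, KB3045171 is taken from the MS15-051 package name used later on this page, and the other KB numbers in the patched sample are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed systeminfo excerpts (not captured from the box).
UNPATCHED = """\
Host Name:                 EXAMPLEHOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

PATCHED = """\
Host Name:                 EXAMPLEHOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB3045171
                           [03]: KB0000002
"""


@dataclass
class PatchState:
    os_name: str
    os_version: str
    service_pack: str                      # "N/A" when none is installed
    hotfixes: List[str] = field(default_factory=list)


def parse_systeminfo(text: str) -> PatchState:
    """Pull the OS name, version, service pack and KB list out of systeminfo output."""
    os_name = os_version = service_pack = ""
    hotfixes: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            # Layout is "<version> <service pack or N/A> Build <n>".
            value = line.split(":", 1)[1].strip()
            m = re.match(r"(\S+)\s+(.*?)\s+Build\s+\d+", value)
            os_version = m.group(1) if m else value
            service_pack = m.group(2) if m else "N/A"
        kb = re.match(r"\[\d+\]:\s*(KB\d+)", line)   # "[01]: KB1234567" rows
        if kb:
            hotfixes.append(kb.group(1))
    return PatchState(os_name, os_version, service_pack, hotfixes)


def missing_hotfixes(state: PatchState, required: List[str]) -> List[str]:
    installed = set(state.hotfixes)
    return [kb for kb in required if kb not in installed]


def patch_findings(state: PatchState, required: List[str]) -> List[str]:
    """Human-readable findings; an empty list means nothing to report."""
    findings = []
    if state.service_pack == "N/A":
        findings.append("no service pack installed")
    if not state.hotfixes:
        findings.append("no hotfixes reported (never updated, or systeminfo could not list them)")
    findings.extend(f"{kb} missing" for kb in missing_hotfixes(state, required))
    return findings


if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, patch_findings(parse_systeminfo(sample), ["KB3045171"]))
```

A hotfix list of N/A on its own does not prove the host was never patched; the extra tips at the end of this page note the update directory and Windows update log as places to cross-check, which is why the finding is worded as a possibility rather than a fact.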
Second, look into kernel privesc (keep in mind these exploits have the potential for a BSoD). Run PowerUp.ps1:
edit PowerUp.ps1 and add Invoke-AllChecks at the bottom:
Setup SimpleHTTPServer
Windows target downloads the file:
Pipe to powershell
The piping is performed to get execution. (results after a bit of time)
We get an unquoted service path finding; testing it with the following command returns access denied:
once we privesc we’ll run this command again and see if we can access it.
In this situation we also cannot start/stop a service (the second check, “Checking service executable and argument permissions”).
“Checking service permissions…” also gives nothing; that would have mattered if we could overwrite the permissions of a service.
We do have the ability to “potentially takeover DLL locations…”, which would let us take over Oracle files, meaning if we could restart Oracle we could get code execution.
Check if Oracle is running:
We see MySQL is running on port 3306 but don’t see Oracle, which normally listens on 1521, so at this point we can skip this avenue.
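The unquoted-service-path check PowerUp reports is one an administrator can run over their own service inventory. As an added Python example (not PowerUp’s code and not from the write-up), the audit below takes service records in the shape `Win32_Service` returns (name plus `PathName`), flags binaries whose path contains a space but is not quoted, and produces the quoted `PathName` that fixes each one. The service names and paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Service:
    name: str
    path_name: str   # as reported in Win32_Service.PathName / "sc qc" BINARY_PATH_NAME


# Constructed inventory; only the shapes are realistic, none is from the box.
SAMPLE_SERVICES = [
    Service("GoodSvc", '"C:\\Program Files\\Good Vendor\\svc.exe" -k netsvcs'),
    Service("NoSpaceSvc", "C:\\Windows\\system32\\svchost.exe -k LocalService"),
    Service("WeakSvc", "C:\\Program Files\\Example Vendor\\Example App\\app.exe"),
    Service("WeakArgsSvc", "C:\\Program Files\\Example Vendor\\agent.exe --service"),
]


def unquoted_executable(path_name: str) -> Optional[str]:
    """Return the executable path when it is unquoted and contains a space
    (the pattern the service control manager resolves ambiguously), else None."""
    p = path_name.strip()
    if p.startswith('"'):
        return None                                    # already quoted: safe
    # Executable is everything up to the first ".exe" followed by a space or the end.
    m = re.match(r"(.+?\.exe)(?:\s|$)", p, re.IGNORECASE)
    exe = m.group(1) if m else p
    return exe if " " in exe else None


def quoted_path_name(path_name: str) -> str:
    """The corrected PathName: executable wrapped in quotes, arguments preserved."""
    exe = unquoted_executable(path_name)
    if exe is None:
        return path_name
    args = path_name.strip()[len(exe):]
    return f'"{exe}"{args}'


def find_unquoted_service_paths(services: List[Service]) -> List[Tuple[str, str, str]]:
    """(service name, offending executable, corrected PathName) for each finding."""
    findings = []
    for svc in services:
        exe = unquoted_executable(svc.path_name)
        if exe is not None:
            findings.append((svc.name, exe, quoted_path_name(svc.path_name)))
    return findings


if __name__ == "__main__":
    for name, exe, fixed in find_unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{name}: {exe!r} -> {fixed}")
```

Each corrected value can be applied with `sc config <name> binPath= "<quoted path>"` (escaping the inner quotes), and the same sweep run again afterwards should return an empty list. Quoting removes the ambiguity regardless of who can write to the intermediate directories, which is the part PowerUp checks next.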
Continue analyzing the PowerUp.ps1 output:
The rest of the report doesn’t lead to a way to escalate. Another script I really like is “Sherlock.ps1”.
Copy Sherlock.ps1 to the working directory:
Manage Unicode:
Edit “Sherlock.ps1” to include “Find-AllVulns” at the bottom of the script.
upload “Sherlock.ps1” to the target:
Sherlock.ps1 Results:
All it basically says is to migrate to a 64-bit process.
windows nc for reverse-shell
Windows notoriously lacks a good built-in way to set up a reverse shell, so we download a copy of netcat to the box to help with it.
Netcat x86 (32-bit) & x64 Link: https://eternallybored.org/misc/netcat/
Extract it, move it to the working directory and upload it to the target:
Since the file is being uploaded, we can execute it directly afterwards.
RUN
Reverse-Shell
setup listener:
(response)
We have entered flavor country with a new shell in hand.
sherlock inside shell
(results)
Now it works correctly, as our netcat file was an x64 application. In this situation it says that MS15-051 is not vulnerable, but that is not actually the case.
bit of cheating (ms exploits)
Having prior knowledge that the box is vulnerable to MS15-051:
google MS15-051 proof of concept
download MS15-051-KB3045171.zip and extract it to a local directory. If this were a real pentest you would download the source, inspect it for backdoors and then compile it locally before using it on the system.
Root&Loot
upload the MS15-051 file to the target:
NT AUTHORITY/SYSTEM
setup NT Authority/System shell
Listener:
Sending to another shell:
(return)
extra tips
If for any reason you do not see hotfixes you can go to the following directory and verify:
temporary location of WSUS updates
Windows update log:
will tell you when it is installing patches.
Executing files off UNC shares - OSCP lateral movement (firewalls would generally prevent this)
(Similar to the HTTP server, but for Samba)
Kali has a built-in impacket-smbserver, to which you give a share name and the directory you want to share out:
rename ms15-051x64.exe to privesc.exe
target connects to the smb server:
impacket sees the incoming connection:
This verifies that the target indeed interacted with the server.
Browser returns: NT AUTHORITY\SYSTEM
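The remark that firewalls would generally prevent this is the defender’s side of the technique: a web server has no reason to initiate SMB connections to hosts outside its own network, so an allowed outbound 445/139 connection from it is worth an alert. As an added Python example that is not part of the write-up, the detection below parses constructed firewall log lines and returns the connections that match. 10.10.10.9 is the target address from the page; 10.10.14.5, the other addresses, the timestamps and the log layout are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed firewall log lines in a simple "timestamp action proto src -> dst"
# layout (not any real product's format). 10.10.10.9 is the web server.
SAMPLE_LOG = """\
2017-03-10T10:00:01Z ALLOW TCP 10.10.10.9:49201 -> 10.10.10.50:445
2017-03-10T10:00:05Z ALLOW TCP 10.10.10.9:49202 -> 10.10.14.5:445
2017-03-10T10:00:09Z ALLOW TCP 10.10.10.9:49203 -> 10.10.14.5:80
2017-03-10T10:00:12Z BLOCK TCP 10.10.10.9:49204 -> 10.10.14.5:445
2017-03-10T10:00:15Z ALLOW TCP 10.10.10.20:49301 -> 10.10.10.9:445
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|BLOCK) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
SMB_PORTS = {445, 139}   # direct SMB and NetBIOS session service


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line to a record, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group(1), "action": m.group(2), "proto": m.group(3),
        "src": m.group(4), "sport": int(m.group(5)),
        "dst": m.group(6), "dport": int(m.group(7)),
    }


def suspicious_outbound_smb(log_text: str, monitored_hosts: Iterable[str],
                            trusted_networks: Iterable[str],
                            include_blocked: bool = False) -> List[Dict[str, object]]:
    """SMB connections initiated by a monitored server to a host outside the
    trusted networks. Blocked attempts are excluded unless include_blocked is
    set; a server even trying is a signal worth keeping."""
    monitored = set(monitored_hosts)
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                                   # unparseable line: skip
        if rec["action"] == "BLOCK" and not include_blocked:
            continue
        if rec["src"] not in monitored or rec["dport"] not in SMB_PORTS:
            continue                                   # not our server, or not SMB
        dst = ipaddress.ip_address(str(rec["dst"]))
        if any(dst in net for net in trusted):
            continue                                   # file server on the LAN: expected
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in suspicious_outbound_smb(SAMPLE_LOG, {"10.10.10.9"}, ["10.10.10.0/24"], include_blocked=True):
        print(hit["ts"], hit["action"], hit["src"], "->", hit["dst"], hit["dport"])
```

The trusted list should hold only the networks the server legitimately reaches over SMB (domain controllers, file servers); anything else initiating from a web tier is the pattern this section of the page relies on, and an egress rule denying 445/139 from that tier removes the avenue outright.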
#HAILippsec
If you don’t know who ippsec is check him out at:
Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec