Today we’re going to solve another CTF machine, “Bastard”. It is now a retired box and is accessible if you’re a VIP member.

Introduction

Specifications

  • Target OS: Windows
  • Services: HTTP, msrpc, unknown
  • IP Address: 10.10.10.9
  • Difficulty: Medium

Weakness

  • Exploit-DB 41564
  • MS15-051

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

Enumerate Drupal

Drupal is running on HTTP, and nmap gave us some information we need to check.

Before anything else, we have to check which version of Drupal is installed. We need to check CHANGELOG.txt to find more details.

In this case we have Drupal 7.54 installed, so let’s run searchsploit.

The exploit which we’re gonna use is “Drupal 7.x Module Services – Remote Code Execution” 

We need to modify our exploit. The exploit needs the REST API path, which we found in our directory enumeration, so we set our endpoint path to /rest.

By running this exploit we got two files, user.json and session.json.

There are two ways to get a reverse shell.

Reverse Shell Using Drupal

We can use the sessions.txt data, which we got by running the exploit, to log in as administrator.

sessions.txt

Now let’s go to http://10.10.10.9/admin

We have to modify the cookie in this format.

Once you have access to the administration panel, go to Modules and enable PHP filter so we can get a reverse shell.

You can get the user.txt file from the C:\Users\dimitris\Desktop directory.
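
A defender-side view of the chain above, as an added example that is not part of the original write-up: a Python script that correlates web access-log lines per client and flags any IP that fetches CHANGELOG.txt, then POSTs to /rest, then loads /admin successfully. The combined log format, the stage names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format parser; only the fields the correlation needs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def _under(path, prefix):
    """True if path is prefix itself or a sub-path of it."""
    return path == prefix or path.startswith(prefix + "/")

# Ordered stages from the write-up; the stage names are this example's own.
STAGES = [
    ("version_probe", lambda m, p, s: m == "GET" and p.lower() == "/changelog.txt" and s == 200),
    ("services_post", lambda m, p, s: m == "POST" and _under(p, "/rest")),
    ("admin_access", lambda m, p, s: _under(p, "/admin") and s == 200),
]

def stage_progress(log_text):
    """Map each client IP to the stages it completed, in order (log is chronological)."""
    reached = defaultdict(list)
    for line in log_text.splitlines():
        hit = LINE_RE.match(line)
        if not hit:
            continue  # skip malformed lines rather than guessing
        ip, method = hit["ip"], hit["method"]
        path = hit["path"].split("?", 1)[0]  # ignore the query string
        status = int(hit["status"])
        nxt = len(reached[ip])  # index of the next stage this client must hit
        if nxt < len(STAGES) and STAGES[nxt][1](method, path, status):
            reached[ip].append(STAGES[nxt][0])
    return dict(reached)

def suspicious_clients(log_text):
    """IPs that walked the whole chain: version probe, POST to /rest, then admin page."""
    return sorted(ip for ip, s in stage_progress(log_text).items() if len(s) == len(STAGES))

# Constructed sample lines (documentation IP ranges), not taken from the box.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 110781
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 312
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /admin HTTP/1.1" 200 8421
192.0.2.10 - - [01/Jan/2024:10:01:30 +0000] "POST /rest HTTP/1.1" 200 954
198.51.100.7 - - [01/Jan/2024:10:01:44 +0000] "GET /admin HTTP/1.1" 403 290
192.0.2.10 - - [01/Jan/2024:10:02:10 +0000] "GET /admin HTTP/1.1" 200 8421
"""

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

A 200 response for CHANGELOG.txt is worth fixing on its own, since it tells any visitor the exact Drupal version.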

Privilege Escalation

Now that we have user access, we have to use the exploit suggester module in order to obtain more information regarding the box.

We have a user session via a PHP shell; let’s switch to an actual reverse shell.

Now simply upload and run shell.exe.

Now we have a proper reverse shell.

By using exploit suggester we got a few exploits, which I tested, and one of them worked.

And we are NT Authority.

We can obtain root.txt from here: C:\Users\Administrator\Desktop\root.txt