HackTheBox: Bastard

midist0xf
4 min read · Jan 24, 2021

ENUMERATION

Nmap full TCP port scan

nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.9

The nmap output highlighted the presence of:

  • a web server on port 80: IIS 7.5. The page title showed that it was running Drupal 7, and the default Drupal files are listed in the http-robots.txt entry.
  • msrpc on ports 135 and 49154: Microsoft Windows RPC.

Since the web server was running Drupal, I used droopescan to enumerate it.

droopescan scan drupal -u http://10.10.10.9 -t 32

The Drupal version was 7.54.

Another way to enumerate the version was browsing to /CHANGELOG.txt, which Drupal 7 ships in the web root and which lists releases newest-first.

EXPLOITATION

The searchsploit results for drupal 7.5 were interesting: a lot of RCE exploits are available for this CMS. I had already used Drupalgeddon in the past (with msf), so, since I'm avoiding Metasploit, my first choice was the stand-alone Ruby version.

I decided to download the exploit from the GitHub repo that I found by searching for:

drupal 7.54 exploit github

  1. drupalgeddon2 (CVE-2018-7600)

The exploit allows an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

The vulnerability has been explained well elsewhere. In brief, Drupal had insufficient input sanitization on Form API (FAPI) AJAX requests. As a result, an attacker could inject a malicious payload into the internal form structure (a render array, whose keys start with #), and Drupal would then execute it without any authentication.
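To make the "insufficient input sanitization" concrete, here is an added example (mine, not the author's, and not Drupal's PHP): it parses a query string into nested arrays the way PHP builds $_GET/$_POST from bracket notation, then applies the check Drupal 7.58 introduced, stripping every key that starts with # before the Form API ever sees the request. The sample query is the publicly documented shape of the Drupal 7 payload against the password-reset form, embedded here as constructed input; names such as parse_php_query and strip_dangerous_values are my own, not Drupal's.

```python
import re
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qsl

# Constructed sample: render-array properties (#post_render, #type, #markup)
# smuggled into the 'name' field of the Drupal 7 password-reset form. Before
# 7.58 Drupal merged this user input into the form's render array, and the
# #post_render callback ran on the rendered output with the attacker's
# string as its argument. This is the documented CVE-2018-7600 shape.
SAMPLE_QUERY = (
    "name[%23post_render][]=passthru"
    "&name[%23type]=markup"
    "&name[%23markup]=whoami"
)

KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def parse_php_query(query: str) -> Dict[str, Any]:
    """Parse a query string into nested dicts, mimicking PHP's bracket
    notation: a[b][]=1&a[b][]=2 -> {'a': {'b': {0: '1', 1: '2'}}}."""
    result: Dict[str, Any] = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        m = KEY_RE.match(raw_key)
        if not m:
            result[raw_key] = value
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for part in path[:-1]:
            key: Any = len(node) if part == "" else part  # [] appends
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        last: Any = len(node) if path[-1] == "" else path[-1]
        node[last] = value
    return result


def strip_dangerous_values(node: Any, path: str = "") -> List[str]:
    """Recursively delete keys beginning with '#', the rule Drupal 7.58's
    request sanitizer applies to $_GET, $_POST and $_COOKIE. Mutates the
    input in place and returns the paths that were removed."""
    removed: List[str] = []
    if not isinstance(node, dict):
        return removed
    for key in list(node.keys()):
        here = f"{path}[{key}]" if path else str(key)
        if isinstance(key, str) and key.startswith("#"):
            del node[key]
            removed.append(here)
        else:
            removed.extend(strip_dangerous_values(node[key], here))
    return removed


def sanitize_query(query: str) -> Tuple[Dict[str, Any], List[str]]:
    """Parse and sanitize a request, returning (clean data, removed paths)."""
    data = parse_php_query(query)
    removed = strip_dangerous_values(data)
    return data, removed


if __name__ == "__main__":
    raw = parse_php_query(SAMPLE_QUERY)
    print("as seen by an unpatched Form API:", raw)
    clean, dropped = sanitize_query(SAMPLE_QUERY)
    print("after sanitizer:", clean, "dropped:", dropped)
```

On the sample, the unpatched parse hands the form builder a nested array with #post_render, #type and #markup under name; the sanitizer removes all three and leaves an empty name field, which is exactly why the same request does nothing against 7.58 and later.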

The Ruby exploit needed the highline gem, which was missing.

After installing highline, the exploit worked well, directly dropping a shell.

That shell was limited, though: each command runs in a fresh process, so, for example, I couldn't cd into other directories.

The next step was to obtain an nc reverse shell.

The reverse shell was running as nt authority\iusr, which had enough permissions to read user.txt.

PRIVILEGE ESCALATION

systeminfo indicated that the system wasn't patched.

On Devel we had already used ms11-046.exe against the same 6.1.7600 Build 7600 version, so I tried it first. It was a bust because that exploit build was for 32-bit OS versions.

The user's privileges pointed to JuicyPotato (it needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which the IIS IUSR identity normally holds).

This machine was perfect for putting into practice what we mentioned in the Devel write-up: the default CLSID doesn't work every time, so in that situation you should try different ones.

I took the first one from the Windows Server 2008 R2 Enterprise list.

With this new CLSID the exploit worked perfectly…

…and we were able to get root.txt.txt (the flag really is named that on this box).

EXTRA

MS15-051

Another way to privesc was exploiting MS15-051.

ms15-051x64.exe whoami
