
HackTheBox_Bastard w/o Metasploit

HTB - Bastard

Image

Enumeration

Nmap Scan Results

Image

Homepage

Image

Changelog.txt

Default Drupal file

Image

For some reason, DirBuster and Gobuster both seem to be acting up with this box. Let’s try DirSearch as a final resort.

Vulnerabilities

Drupal Vulnerabilities

For Drupal 7.54, we have the following vulnerabilities available:

Image

We could go with Drupalgeddon2, but it was released on April 13, 2018, which is much later than the box’s release date of March 18, 2017.

So let’s try looking for an exploit before or nearer to that date.

I had to search for just Drupal this time to get a wider list.

Image

This is probably the intended exploit, so let’s use this.

Date: 2017-03-09

Exploitation

Script Changes

Let’s make the following changes to the exploit.

Note: Make sure to run sudo apt install php-curl before running the script.

Image

Image

That’s strange. Oh, I forgot to change the REST endpoint as well. Gobuster gave us the /rest directory earlier, and on visiting it, we seem to have activated the endpoint.

Let’s modify the script now.

Image

Image

Image

Image

Reverse Shell

We got our file muq.php uploaded. Now let’s try for a reverse shell.

Image

Image

Now it's time to run nc.

Image

And we are in.

Image

System Information

System Info

So systeminfo gives us this:

Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3582622-84461
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 11/8/2024, 6:06:34
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.594 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.621 MB
Virtual Memory: In Use: 474 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9

Exploit Suggestion

Let’s use this with our Windows exploit suggester and see if we find something useful.

Image
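The two fields in the systeminfo output above that say most about patch state are OS Version and Hotfix(s). As an added example (not part of the original post and not the exploit suggester's own code), this sketch parses systeminfo text and reports what an administrator auditing the host would flag; the function names and the trimmed sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: a subset of the systeminfo fields shown above.
SAMPLE = """\
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
System Type: x64-based PC
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
"""

def parse_systeminfo(text):
    """Return {field: [value, sub-entry lines...]} from systeminfo text."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # "Key: value" starts a field; "[01]: ..." lines belong to the previous one.
        m = re.match(r"^([^\[:][^:]*):\s*(.*)$", line)
        if m:
            current = m.group(1).strip()
            fields[current] = [m.group(2).strip()]
        elif current:
            fields[current].append(line)
    return fields

def patch_findings(fields):
    """Return (installed KB ids, list of patch-hygiene findings)."""
    findings = []
    hotfix_lines = fields.get("Hotfix(s)", ["N/A"])
    kbs = [kb for entry in hotfix_lines[1:] for kb in re.findall(r"KB\d+", entry)]
    if not kbs:
        findings.append("systeminfo lists no installed hotfixes")
    version = re.match(r"(\d+\.\d+)\.(\d+)", fields.get("OS Version", [""])[0])
    if version and version.groups() == ("6.1", "7600"):
        # 6.1.7600 is the RTM build of Windows 7 / Server 2008 R2; SP1 is 7601.
        findings.append("OS is at RTM build 7600; Service Pack 1 (build 7601) is missing")
    return kbs, findings

if __name__ == "__main__":
    for finding in patch_findings(parse_systeminfo(SAMPLE))[1]:
        print("FINDING:", finding)
```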

Exploit Usage

Let’s try using this exploit.

Image

We will get this on our machine with a Python server and use it to get us a reverse shell.

Image

Image

And now we grab our flags.

Root Flag

Image

User Flag

Image

This post is licensed under CC BY 4.0 by the author.
