Bastard Hackthebox walkthrough
Today I will share with you another writeup for hackthebox machine. The selected machine is Bastard and its IP is 10.10.10.9
In this article you well learn the following:
- Scanning targets using nmap.
- Detecting Drupal CMS version.
- Searching for exploits using searchsploit.
- Configuring and updating the exploit.
- Exploiting the vulnerability.
- Moving files to the target machine using SMBSERVER and Apache
- Getting nc reverse shell.
- Searching for privilege escalation vulnerabilities using sherlock.ps1 script.
After scanning the opening ports & running services, I found that it has three open ports (80 HTTP, 135 & 49154 msrpc). So, I start by enumerating port 80. As you can see from nmap scan there exists robots.txt file and this website was built using Drupal CMS (version 7).
One of the important files in Drupal CMS is CHANGELOG.txt, it contains information about the exact release version for the Drupal CMS. Once I browse it, I found that the version for Drupal is 7.54.
Searching for Drupal version 7 exploits, I found that there are many available exploits. When I tried to use Drupalgeddon2 the exploit failed. On the other hand, Drupalgeddon3 needs a session for a valid user to run the exploit. So, I tried the exploit for Drupal 7.x Module Services.
I opened and updated it with the target information and once I run it I got error message because I don’t have php-curl package installed on my Kali Linux VM. So, I installed it.
Again, it failed to exploit when I tried to execute it. The error happened because the variable “$endpoint_path” is not correct. So, I used the dirbuster to search for the directories on the server and I found that there is a directory “/rest” on it. By configuring the exploit again and running it I succeeded 😀
By browsing the webshell, I can run OS commands in the back-end server.
So. I want to get a reverse shell using nc. Since windows OS don’t have nc installed, I run the smbserver on my Kali Linux machine and configure it to share the directory in which the nc.exe file located.
After that, I copied the nc.exe to the back-end server and I run it to connect back to my Kali Linux Vm & I succeeded.
Once I got a reverse shell, I can read the user.txt but I don’t have permission to read the root.txt file. So, I have to escalate my privileges to administrator privilege. To do that, I tried to get the windows information using systeminfo command, this OS doesn’t has any installed security patch.
I tried many tools like windows-exploit-suggester which reads the content of systeminfo command and gives us a recommendations about the kernel exploits we can apply, but no one of the suggested exploit succeeded.
So, I tried another powershell tool called sherlock. I downloaded it on my Kali Linux VM, then move it to my Apache server home directory and start my Apache server. (note: I updated the sherlock.ps1 by adding “Find-AllVulns” at the end of the file, which used to execute the method that tries to detect all the available vulnerabilities).
Then, from the reverse shell I run the sherlock and I got many kernel vulnerabilities. I tried them one by one. The only one I succeeded to exploit was “MS15-051”.
To exploit it, I found that the compiled version for this vulnerability available in this GitHub repository, so I download it to my Kali Linux machine. Then I copied it to the windows server and run it with the nc.ex reverse command and I got another reverse shell with SYSTEM privileges and I can read the root.txt file contents now 😀
I hope you enjoyed and learn new thing in pen-testing field. If you have an question or comments, please write them down in the comments and wait for the next writeup 😀