BASTARD

Difficulty: Medium OS: Windows

1-NMAP

We found port 80 open, and nmap's robots.txt script directly lists a number of directories:

┌──(root㉿kali)-[/home/kali/htb/windows/bastard]
└─# nmap -sV 10.10.10.9 -sC -p- -vv

PORT      STATE SERVICE REASON          VERSION
80/tcp    open  http    syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
| http-robots.txt: 36 disallowed entries 
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php 
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ 
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ 
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ 
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Welcome to Bastard | Bastard
|_http-generator: Drupal 7 (http://drupal.org)

2-DRUPAL

As we can see, Drupal is in use, and robots.txt lists a CHANGELOG.txt file where we can find its version:

Changelog.txt

The version is 7.54. Using gobuster we also found a directory called rest with the following content:

Searching searchsploit for this endpoint together with Drupal, we found an exploit:

We modify the exploit, since its paths and IP differ from our target:

We set a simple cmd shell as the payload and run the exploit:
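From the defender's side, the reconnaissance in sections 1 and 2 (fetching the Drupal metadata files that robots.txt exposes, then brute-forcing the rest endpoint) leaves a distinctive trail in the IIS logs. As an added example that is not part of the original writeup, this script parses a constructed IIS W3C log excerpt and flags clients that successfully request several version-disclosing Drupal files or the rest endpoint; the log lines, client IPs and user agents are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed IIS 7.5 W3C extended log excerpt (sample data, not from the box).
# The paths mirror the Drupal files listed in robots.txt and the /rest
# endpoint found with gobuster in the walkthrough.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-03-01 10:00:01 10.10.10.9 GET /robots.txt - 80 - 10.10.14.5 Mozilla/5.0 200
2017-03-01 10:00:02 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.5 Mozilla/5.0 200
2017-03-01 10:00:03 10.10.10.9 GET /INSTALL.mysql.txt - 80 - 10.10.14.5 Mozilla/5.0 200
2017-03-01 10:00:04 10.10.10.9 GET /rest - 80 - 10.10.14.5 gobuster/3.0 200
2017-03-01 10:00:05 10.10.10.9 GET /rest/user/login - 80 - 10.10.14.5 gobuster/3.0 404
2017-03-01 10:00:06 10.10.10.9 GET /index.php - 80 - 10.10.14.7 Mozilla/5.0 200
2017-03-01 10:00:07 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.7 Mozilla/5.0 200
"""

# Drupal 7 files that disclose the version or expose service endpoints;
# an ordinary visitor has little reason to fetch any of them.
SENSITIVE = re.compile(
    r"^/(CHANGELOG\.txt|INSTALL(\.\w+)?\.txt|UPGRADE\.txt|MAINTAINERS\.txt|"
    r"LICENSE\.txt|install\.php|update\.php|xmlrpc\.php|rest(/|$))",
    re.IGNORECASE,
)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def sensitive_hits(text, threshold=2):
    """Return {client_ip: [paths]} for clients that successfully fetched at least
    `threshold` distinct sensitive paths. Only 200 responses count, because they
    confirm the file or endpoint is actually reachable."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        if SENSITIVE.match(rec["cs-uri-stem"]) and rec["sc-status"] == "200":
            hits[rec["c-ip"]].add(rec["cs-uri-stem"])
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= threshold}

if __name__ == "__main__":
    for ip, paths in sensitive_hits(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(paths)}")
```

The same check points at the fix: the files it matches can be removed or blocked at the web server, and the request pattern itself is a cheap alert on a Drupal host.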

3-RCE

We can now execute commands and we are also running as NT AUTHORITY, so we send ourselves a PowerShell reverse shell:

We received the shell:

4-PRIVILEGE ESCALATION

We see that the OS is an outdated build of Windows Server 2008:

Searching for information, we found the kernel exploit MS15-051:

It leads to a pre-compiled exploit:

We download the .zip, extract the .exe, start an HTTP server and download it to the victim machine:

We obtain elevated privileges, so we run a reverse shell:

We received the reverse shell:
