HTB Retired Machine: Bastard (Windows — Medium) — TCM’s PNPT Capstone
We will start off with an nmap scan
Now we will run a service scan
Checking robots.txt, we have a lot of entries
If we browse to the site, we will see an option to create an account
Let’s see what the “Request new password” option does
If we try admin, we get a different error
Trying to create an account doesn’t work
Looks like we can access the changelog
Let’s check searchsploit
The most interesting one is the top one
If we cat out the file, we see a reference to a REST endpoint
We are going to modify a few lines within our exploit file
When running the file, we get an error
We need to install php-curl
Let’s curl it with the command whoami
Let’s use the browser to upload a netcat binary
Now we will execute it to get a shell
The binary doesn’t seem to be working
Trying my other netcat binary
Same issue with this version as well
Got it to work; had to call cmd via curl
User.txt
Answer: fe0d559df810fcac4ba6ca94b4e5867c
Let’s run systeminfo
Running a Python3 port of Windows Exploit Suggester finds the following vulnerabilities
We will try exploiting MS11-011
While it looks like we have write access to C:\Windows\Temp, it doesn’t upload
We do not have write access to any of the user folders
We have full write access to the drupal folder
Running the exe doesn’t seem to do anything, so it might not work
We’ll use MS10-059 again (we used it in a previous room: Arctic)
Root.txt
Answer: cd9b8ab2bd1b6a4f76a588463d2ffe5f