HTB Retired Machine: Bastard (Windows — Medium) — TCM’s PNPT Capstone

Daniel Schwarzentraub
Feb 24, 2024

We will start off with an nmap scan

Now we will run a service scan

Checking robots.txt, we have a lot of entries

If we browse to the site, we will see an option to create an account

Let’s see what the Request new password option does

If we try admin, we get a different error

Trying to create an account doesn’t work

Looks like we can access the changelog

Let’s check searchsploit

The most interesting one is the top one

If we cat out the file, we see a reference to a REST endpoint

We are going to modify a few lines within our exploit file

When running the file, we get an error

We need to install php-curl

Let’s curl it with the command whoami

Let’s use the browser to upload a netcat binary

Now we will execute it to get a shell

The binary doesn’t seem to be working

Trying my other netcat binary

Same issue with this version as well

Got it to work; had to call cmd via curl

User.txt

Answer: fe0d559df810fcac4ba6ca94b4e5867c

Let’s run systeminfo

Running a Python3 port of Windows Exploit Suggester finds the following vulnerabilities

We will try exploiting MS11-011

While it looks like we have write access to C:\Windows\Temp, it doesn’t upload

We do not have write access to any of the user folders

We have full write access to the drupal folder

Running the exe doesn’t seem to do anything, so it might not work

We’ll use MS10-059 again (we used it in a previous room: Arctic)

Root.txt

Answer: cd9b8ab2bd1b6a4f76a588463d2ffe5f
