Devel HTB Write-Up

Max Register
Aug 2, 2020

We will be solving Devel from Hack the Box using the Metasploit framework.

The first thing I do when looking at a new box is to run an Nmap scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 18:12 EDT
Nmap scan report for 10.10.10.5
Host is up (0.050s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.10 seconds

Here we see that this machine has ports 80 and 21 open, and that FTP allows anonymous login.
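From the defender's side, the same scan output can be audited automatically for this exposure. The sketch below is an added example, not part of the original write-up: it parses the ftp-anon results and flags hosts where the anonymous FTP listing contains IIS web-root files while HTTP is also open (the `WEB_ROOT_MARKERS` set and function name are assumptions).

```python
import re

# Excerpt of the Nmap output above, embedded so the example runs offline.
SCAN = """\
Nmap scan report for 10.10.10.5
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: IIS7
"""

# Assumption: file names suggesting the FTP root is also an IIS web root.
WEB_ROOT_MARKERS = {"aspnet_client", "iisstart.htm", "web.config", "default.aspx"}
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
LISTING_RE = re.compile(r"^\|[_ ]?\s*\d\d-\d\d-\d\d\s+\d\d:\d\d[AP]M\s+(?:<DIR>|\d+)\s+(.+)$")

def audit(scan_text):
    """Return {host: [findings]} for hosts that allow anonymous FTP login."""
    hosts, cur, port = {}, None, None
    for line in scan_text.splitlines():
        if line.startswith("Nmap scan report for "):
            name = line.split()[-1].strip("()")
            cur = hosts.setdefault(name, {"services": {}, "anon": False, "files": []})
        elif cur is None:
            continue
        elif (m := PORT_RE.match(line)):
            port = int(m.group(1))
            cur["services"][port] = m.group(2)
        elif "ftp-anon: Anonymous FTP login allowed" in line:
            cur["anon"] = True
        elif cur["anon"] and cur["services"].get(port) == "ftp":
            m = LISTING_RE.match(line)  # directory listing lines under ftp-anon
            if m:
                cur["files"].append(m.group(1).strip())
    findings = {}
    for host, h in hosts.items():
        if not h["anon"]:
            continue
        notes = ["anonymous FTP login allowed"]
        overlap = sorted(WEB_ROOT_MARKERS & {f.lower() for f in h["files"]})
        if overlap and "http" in h["services"].values():
            notes.append("FTP root looks like the web root: " + ", ".join(overlap))
        findings[host] = notes
    return findings

if __name__ == "__main__":
    print(audit(SCAN))
```

The scan alone does not show whether anonymous users can write; a flagged host still needs its FTP authorization rules reviewed, and anonymous access should be disabled or made read-only and moved out of the web root.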

We log in through FTP with the user anonymous and a blank password, then test to see if we can upload a file. We can, so let’s try to upload a shell! I am going to use msfvenom to create a reverse meterpreter shell.

Once that shell is made and uploaded to the host, let’s set up a listener using Metasploit's multi/handler.

Now that the listener is running and the shell is uploaded to the host, let’s go ahead and call the file from the browser, and see if it was successful!

Our shell was successful! Using the getuid command we see that we have user privileges at the moment. We used the exploit suggester to see if there are any quick privilege escalation methods in Metasploit.

It appears that the machine has not been updated since 2010, because it appears vulnerable to each Microsoft security bulletin since 2010. Using the kitrap0d MS10-015 exploit, let’s set our session ID and run it.

We see that no session was created with the exploit. It seems common for this exploit to not set our LHOST correctly, and as we see after our ‘show options’ command, it was not set to our previous IP. Let’s update that and run it again.

Voila! The exploit was successful and we now have system privileges!

Thank you for reading this write-up of HTB’s Devel machine. I will be continuing to post write-ups here as I work through them on the way to my first OSCP attempt. If you have any questions or want to see a specific box, please let me know!
