HTB “Devel”: Windows Privileges Retired Machines List 01/05 by TCM Security.
Quote: When you find a good move, Find a better one.
Not so Important Intro:
Hello Folks,
This is my first write-up on the medium. Very recently I’ve been preparing for the PNPT Certification, After completing the PEH Course(1 of 5 off the PNPT Bundle). I am exploring the Windows Privilege Escalation Course for beginners Where Heath Adams has made in-detail videos while practically exploring Subscriptions of HTB. Considering they are the cheapest. I am Planning to Work on OSCP next. And I heard HTB labs were practically real-world hacking.
So, I thought Why not give it a shot (I have never been on the VIP side on HTB) and also share my experience of practicing rooms and boxes? Which may help newcomers like me. What I am gonna do differently than other write-ups?
At the end of every machine I get to crack, I will be posting Hacker’s Understanding Mind Map(Why they are doing what they are doing). Which is a great resource for any beginner who wants to build the methodology. So, they won’t get lost in finding endless next steps? Trying a Hundred things on the internet.
Note: Any additional ideas/thought processes are highlighted with ** **.
The Walkthrough:
Right After Connecting to the HTB VPN, Routine of any other machine:
Reconnaissance:
> nmap -A -T4 -p- 10.10.10.5
Normally, you could a -sC (performing Default scripts), or -sV(OS Detection) for more information on this.
Now There are 2 takeaways here,
- First, see that there is an HTTP port running with the filenames displayed.
- Anonymous Login is allowed here. Meaning: You can log in as an anonymous user, which normally has a default password as a password.
we have some leads to investigate & get back to recon if needed.
Enumerate Possible options:
why not try an FTP connection?
**I tried directory brute-forcing at http://10.10.10.5 with dir buster and its default 2–3 medium wordlist. But as it doesn’t seem to be a big server, There are not any interesting results found.**
**As the website runs on a Windows IIS7 server, I wanted to understand the technologies behind the website. So, I’m running a Nikto scan which shows the server is using .apsx files for its web framework. (N)**
Exploitation:
we have the website And we can see the files we can access through ftp are the ones the web server is hosting. Then, simply upload a custom-created payload using msfvenom.
Now, we have our shell in the server. we can successfully run our exploit on the browser triggering it. For that, all we need to do is search for the file in the web browser while listening for any incoming connections using Metasploit’s very known module post/multi/handler.
And Tada!! we got our first shell on the machine✨🎇.
Now, As we got some foothold on the machine.
While browsing through the files on the system. There is the Administrator & babis Folder. Which might give us the user and root flag we are looking for. But the Access is denied.
Privilege Escalation it is:
Based on the HTB’s Guideline we can get to know there is a metasploit module that is good at suggesting exploits for privilege escalation(Similar to the Winpeas Tool). i.e.; multi/recon/local_exploit_suggester.
So running this module can guide to us some possibilities:
Results:
Now there is a whole list of successful exploits displayed here. So, trying them one by one is the optimal way to find the one which works for us.
Crossing the fingers: I got a session here…
And, we got in!!
Browsing for flags:
AND We got Juicy FLAGS😋!!
Getting flags is equal to compromising the machine.
Methodology:
I will continue to post more on these Thought process takeaways, As I crack more machines. Thumbs up If you like these and follow me for more.
