Pen-testing: HackTheBox — Devel Walkthrough

Start the recon process by running Nmap against our target, which reveals an FTP server open for anonymous connections on TCP port 21.

We can log in there and, at first glance, there’s nothing interesting:

The Nmap scan also reveals there’s an HTTP server running on port 80. Opening it in our browser, we can clearly see an IIS7 default screen:

Looking for IIS exploits using searchsploit, we found this:

Let’s try uploading a file as the anonymous user to the FTP server and executing it using this vulnerability. To do so we need to:

  • Get a web-shell (on Kali Linux they are at /usr/share/webshells/php/)
  • Change the port and IP to serve our needs
  • Start a local server on the previously specified port (you can do this with python3 -m http.server XXXX, where ‘XXXX’ is the port number)
  • Log into the FTP, upload the shell and execute it using the method we just found

Uploading the web-shell: Use the PUT command on the FTP. Then check in the browser that it was uploaded.
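From the defender's side, the chain above (an anonymous FTP write that lands in the IIS web root, followed by an HTTP request for the uploaded script) shows up when the FTP and HTTP logs are correlated. The following is an added example, not part of the original write-up; the log lines are constructed, simplified W3C-format samples, and the function names, extension list and anonymous-user names are assumptions.

```python
from datetime import datetime

# Constructed sample logs in W3C extended format (column order comes from #Fields).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 anonymous STOR /welcome.png 226
2024-01-01 10:02:13 192.0.2.10 anonymous STOR /cmd.aspx 226
2024-01-01 10:05:40 192.0.2.77 deploy STOR /default.aspx 226
2024-01-01 10:06:00 192.0.2.10 anonymous STOR /denied.asp 550
"""
HTTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:01:00 192.0.2.10 GET /welcome.png 200
2024-01-01 10:02:30 192.0.2.10 GET /cmd.aspx 200
2024-01-01 10:07:00 192.0.2.50 GET /default.aspx 200
"""
SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".php")  # assumed list of server-side handlers
ANON_USERS = {"anonymous", "ftp"}                         # assumed anonymous login names

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def find_upload_then_request(ftp_text, http_text):
    """Return (path, uploader_ip, requester_ip) for anonymous script uploads later fetched over HTTP."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        path = r["cs-uri-stem"].lower()
        # 226 = transfer completed; failed uploads (e.g. 550) are ignored.
        if (r["cs-method"].upper() == "STOR" and r["sc-status"] == "226"
                and r["cs-username"].lower() in ANON_USERS and path.endswith(SCRIPT_EXT)):
            uploads.setdefault(path, r)
    hits = []
    for r in parse_w3c(http_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and r["ts"] >= up["ts"]:
            hits.append((up["cs-uri-stem"], up["c-ip"], r["c-ip"]))
    return hits

if __name__ == "__main__":
    for path, src, req in find_upload_then_request(FTP_LOG, HTTP_LOG):
        print(f"ALERT: anonymous FTP upload of {path} from {src}, requested over HTTP by {req}")
```

The underlying fix is configuration: the anonymous FTP account should not have write access to a directory the web server executes scripts from.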

Executing the web-shell:


You can type ‘help’ to get a list of available commands and then start playing around with them. Using SYSTEMINFO we can gather basic system information and find out this is running Windows 7 Enterprise, version 6.1.7600 Build 7600. Now that we have the exact OS version, we know this is a really old and outdated one, so we can go Metasploit-ish now. Let’s create a meterpreter payload:

Uploading the new payload:

Setting up a listener in MSF (remember to use the same payload and proper host and port settings):

After receiving a session, we can use the multi/recon/local_exploit_suggester module to find candidates for our privilege escalation phase:

Using the kitrap0d exploit we managed to get admin privileges:


I hope you enjoyed this one! Until next time.


Shellcode for the masses

Syscall59 — by Alan Vivona

Twitter: @syscall59


