Hacking Devel (hackthebox)

 This is how I hacked the Devel machine...


The initial nmap scan showed an FTP service was listening on port 21 and it was set up to allow anonymous connections. There was also a Microsoft IIS web server on port 80.


The anonymous access to FTP seemed like a good place to start. I had to use the -p flag to force passive mode, as the connection did not work for me without it. I used these credentials: anonymous:anonymous.



After listing the contents of the directory, I set FTP to use binary mode so I could try transferring binary files. I started by using the GET command to download the welcome.png file to my machine. This worked. I then tried to delete the welcome.png file from the remote machine, but did not have the rights to do so. I therefore renamed the downloaded copy of welcome.png to test.png and then used the PUT command to try to upload it to the remote machine. When I checked again I could see that this had been successful, so I now knew that I had read/write access to the remote machine.




This meant that I would be able to upload malware to the remote machine, but what good would that do if I had no way to execute it? It seemed to me, however, that I had access to a web root directory because of the name of the file welcome.png and the IIS web server on port 80. I therefore had a look at the web page being served and found it to be a default IIS page. I checked the source code and saw that the welcome.png file was indeed being served. This meant that I would be able to upload a reverse shell to the same folder using anonymous FTP and then navigate to it using a browser in order to execute it!




Next, I used msfvenom to create a reverse meterpreter shell using the aspx file type. I used this file type because Microsoft IIS uses it. I then uploaded the reverse_shell.aspx file to the remote machine using the anonymous FTP connection along with the PUT command.
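The three steps above (anonymous login, a successful PUT of test.png, then a PUT of an .aspx file into the folder IIS serves) leave a very recognisable trail in the FTP server's log. The script below is an added example for this write-up, not part of the original post or of any tool it mentions: it parses W3C-style FTP log lines (field order is read from the `#Fields:` directive, as IIS FTP logging writes it) and flags anonymous writes, ranking an anonymous upload of a server-executable file highest. The log lines, IP addresses, timestamps and the `webadmin` account are constructed sample data.

```python
"""Detect anonymous FTP writes into an IIS web root from W3C-style FTP logs.

Added example, not code from the original write-up. The sample log below is
constructed; field names follow the W3C extended format that IIS FTP logging
uses, and the field order is taken from the #Fields: directive at parse time.
"""
import os
from dataclasses import dataclass

# Extensions IIS will hand to a script engine if the file lands in the web root.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config"}
# FTP commands that modify the remote file system.
WRITE_CMDS = {"STOR", "APPE", "DELE", "RNTO", "MKD", "RMD"}
# Account names that mean "unauthenticated" on an anonymous-enabled FTP site.
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample log: anonymous read, denied delete, two uploads
# (one harmless, one server-executable), then a named account deploying code.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2024-01-01 10:00:01 10.10.14.5 - 10.10.10.5 21 USER anonymous 331 0
2024-01-01 10:00:02 10.10.14.5 anonymous 10.10.10.5 21 PASS *** 230 0
2024-01-01 10:00:10 10.10.14.5 anonymous 10.10.10.5 21 RETR /welcome.png 226 0
2024-01-01 10:00:20 10.10.14.5 anonymous 10.10.10.5 21 DELE /welcome.png 550 5
2024-01-01 10:00:30 10.10.14.5 anonymous 10.10.10.5 21 STOR /test.png 226 0
2024-01-01 10:01:00 10.10.14.5 anonymous 10.10.10.5 21 STOR /reverse_shell.aspx 226 0
2024-01-01 11:00:00 10.10.14.9 webadmin 10.10.10.5 21 STOR /index.aspx 226 0
"""


@dataclass
class Finding:
    severity: str   # "low", "medium" or "high"
    reason: str
    user: str
    method: str
    uri: str
    status: str


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def analyze(records):
    """Rank file-system writes: anonymous + executable upload is the worst case."""
    findings = []
    for r in records:
        user = r.get("cs-username", "-").lower()
        method = r.get("cs-method", "")
        uri = r.get("cs-uri-stem", "")
        status = r.get("sc-status", "")
        succeeded = status.startswith("2")           # FTP 2xx = command completed
        ext = os.path.splitext(uri)[1].lower()
        if method not in WRITE_CMDS:
            continue
        if user in ANON_USERS:
            if not succeeded:
                sev, why = "low", "anonymous write attempt denied by server"
            elif method in ("STOR", "APPE") and ext in EXECUTABLE_EXT:
                sev, why = "high", "anonymous upload of server-executable file"
            else:
                sev, why = "medium", "anonymous write succeeded (write access confirmed)"
            findings.append(Finding(sev, why, user, method, uri, status))
        elif succeeded and method in ("STOR", "APPE") and ext in EXECUTABLE_EXT:
            # Authenticated, but code arriving over FTP still deserves a review.
            findings.append(Finding("low", "server-executable file deployed over FTP",
                                    user, method, uri, status))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_w3c(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.user} {f.method} {f.uri} ({f.status}): {f.reason}")
```

The parser reads the field order from the log itself rather than hard-coding column positions, so the same function copes with sites that log extra fields such as `x-session` or `x-fullpath`. The one "high" finding in the sample is the anonymous STOR of `/reverse_shell.aspx`; the denied DELE and the plain PNG upload are still reported, because together they show that the account had been probed for, and then granted, write access.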




Next, I fired up msfconsole and opened a listener using the exploit/multi/handler module. I then set the payload, lhost and lport.



With the listener running, I requested the reverse_shell.aspx resource which I had uploaded to the remote machine.




This gave me a reverse meterpreter shell, but when I checked my user name, I found that I did not have admin privileges. I therefore put the channel into the background with Ctrl+Z and tried the getsystem command in meterpreter. This did not work, so I put the meterpreter session into the background and ran the post/multi/recon/local_exploit_suggester module. I set it to work on session 1 and then ran it. From the suggested privilege escalation exploits, I selected the kitrap0d one. This was then set with the correct session, lhost and lport before being executed. This exploit established a new shell. When I checked the user id, I found it to now be NT AUTHORITY\SYSTEM (the most privileged non-interactive session we can have on Windows!). I have included a screenshot of the sessions to show the difference between accounts on the two sessions to make this more clear.


I now needed to find the user and root flags, so I used the tree command to quickly look through the directories from C:\Users down. I was then able to easily find the flags and use type to see them.






Finally, I decided to clean things up by deleting the two files I had uploaded to the webroot. I used the tree command again to find them quickly. This time, I searched from C:\ and found them in C:\inetpub\wwwroot. I therefore deleted them from that directory to clean up and finish the box.
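The clean-up step is also the defender's detection opportunity: the two files sat in C:\inetpub\wwwroot from the moment they were uploaded, and a baseline of the web root would have shown them immediately. The following is an added example for this write-up, not code from the original post: it hashes every file under a web root once, compares a later snapshot against that baseline, and singles out new or modified files that IIS would execute. The `demo()` function builds a throwaway `wwwroot` in a temporary directory with constructed file contents (the .aspx file contains only a marker string) so the check runs stand-alone.

```python
"""Baseline-and-diff integrity check for an IIS web root.

Added example, not code from the original write-up. Usage on a real host
would be: snapshot() once after deployment, store the result, and re-run
diff_snapshots() on a schedule; demo() reproduces the scenario from the
write-up inside a temporary directory with constructed files.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS will hand to a script engine if the file lands in the web root.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config"}


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and changed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def executable_additions(delta):
    """New or modified files whose extension IIS would execute: the urgent ones."""
    return [f for f in delta["added"] + delta["changed"]
            if Path(f).suffix.lower() in EXECUTABLE_EXT]


def demo():
    """Constructed scenario: default IIS web root, then two unexpected uploads."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "wwwroot"
        root.mkdir()
        (root / "iisstart.htm").write_text("<html>constructed default page</html>")
        (root / "welcome.png").write_bytes(b"\x89PNG constructed sample")
        baseline = snapshot(root)                      # taken after deployment

        # The two files the write-up uploaded over anonymous FTP (contents constructed).
        (root / "test.png").write_bytes(b"\x89PNG constructed sample")
        (root / "reverse_shell.aspx").write_text("constructed marker, not real content")

        delta = diff_snapshots(baseline, snapshot(root))
        return delta, executable_additions(delta)


if __name__ == "__main__":
    delta, urgent = demo()
    print("added:  ", delta["added"])
    print("changed:", delta["changed"])
    print("removed:", delta["removed"])
    print("server-executable additions:", urgent)
```

Hashing rather than comparing names alone also catches the case where an existing page such as iisstart.htm is overwritten in place, which a listing-based check (like the tree command used above) would miss.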

Thanks to ch4p for creating this box, and thank you for reading my write up of it.

