Breakdown of IppSec's YouTube video HackTheBox - Devel: a Windows box completed entirely within Metasploit, using the standard commands you would use to enumerate a box and interact with it. A great Metasploit refresher.
Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use this information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
FTP is open, which is interesting; plain HTTP is also open, which is quite normal.
Navigate to the web server.
The default login page for IIS is present. Investigating the image file name further, we see it is labelled "welcome.png", which is a file name that was enumerated over FTP.
Checking out /iisstart.htm, which is the main index page:
The HTTP server's document root is most likely the same directory as the FTP server's root.
Connect with FTP to the open port.
Create a test file locally.
"put" the file on the FTP server.
The file uploaded successfully to the FTP server.
Viewing the uploaded file:
Notice that when the file is accessed via the web server, if the file name has no extension the server returns a 404 error.
If the extension is changed to .html (test.html), a 200 response is returned and the contents of test.html are displayed.
Keep in mind that IIS servers normally execute code in files with the .aspx extension.
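From the defender's side, the condition this box depends on is an FTP-writable directory that IIS also serves, so a script file STORed over FTP and then requested over HTTP is the signal to alert on. The following detection sketch is an added example, not code from the video or this write-up; it assumes both services log in W3C extended format and that the FTP root equals the web root, and the log lines are constructed samples.

```python
# Added detection sketch (not from the video or write-up): flag files that were
# STORed over FTP and later served by IIS. Assumes the FTP root and the web root
# are the same directory, as on this box, and that both services log in W3C format.

# Extensions IIS hands to a script engine; an FTP account should never be able
# to drop these into the web root.
SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx")

def parse_w3c(lines):
    """Parse W3C extended log lines; the '#Fields:' directive names the columns."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_upload_then_execute(ftp_lines, web_lines):
    """Return (path, ftp_time, web_time) for each script file uploaded via FTP
    and afterwards requested over HTTP with a 200 status."""
    stored = {}
    for r in parse_w3c(ftp_lines):
        path = r.get("cs-uri-stem", "").lower()
        if r.get("cs-method") == "STOR" and path.endswith(SCRIPT_EXT):
            stored[path] = f'{r["date"]} {r["time"]}'
    hits = []
    for r in parse_w3c(web_lines):
        path = r.get("cs-uri-stem", "").lower()
        when = f'{r["date"]} {r["time"]}'   # same layout as the FTP timestamp, so string order == time order
        if path in stored and r.get("sc-status") == "200" and when >= stored[path]:
            hits.append((path, stored[path], when))
    return hits

# Constructed sample logs (not real captures), using a subset of the IIS W3C fields.
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-03-01 10:00:01 10.10.14.5 anonymous USER anonymous 331
2019-03-01 10:00:02 10.10.14.5 anonymous PASS *** 230
2019-03-01 10:00:10 10.10.14.5 anonymous STOR /test.html 226
2019-03-01 10:00:40 10.10.14.5 anonymous STOR /upload.aspx 226"""

WEB_LOG = """#Fields: date time s-ip cs-method cs-uri-stem sc-status
2019-03-01 10:00:20 10.10.10.5 GET /test.html 200
2019-03-01 10:00:25 10.10.10.5 GET /test 404
2019-03-01 10:00:50 10.10.10.5 GET /upload.aspx 200"""

if __name__ == "__main__":
    for path, up, hit in find_upload_then_execute(FTP_LOG.splitlines(), WEB_LOG.splitlines()):
        print(f"ALERT: {path} uploaded over FTP at {up}, executed by IIS at {hit}")
```

The plain test.html upload is ignored because IIS serves it as static content; only the script extension that IIS would execute raises an alert.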
Intercept the request with Burp.
The intercepted request is sent over to Repeater (Ctrl+R).
The web server reports IIS 7.5, which corresponds to Windows 7 and Windows Server 2008 R2. The thought process is that *.asp* is based on VBScript and .aspx is based on the .NET Framework, which is more likely in this case.
Flags that will be used: -p = payload, -f = format, -o = output.
List the msfvenom payloads.
Be cognizant of the architecture of the payload chosen, as 32-bit and 64-bit payloads are not interchangeable.
List the msfvenom formats.
This creates an .aspx file that will load Meterpreter.
Viewing the file created:
referred to as the magic!
Upload it to the FTP server.
Set LHOST to the local IP address.
Recreate the payload with the host/port set, since the first payload was created without LHOST and LPORT.
Re-upload it to the FTP server.
Navigate to the payload.
A Meterpreter shell connection was created.
Metasploit interaction with shell
To interact with the shell:
Check the architecture, which is x86.
This would normally list the hotfixes installed, but in this case it says N/A, which could mean this machine has never been updated. Keep in mind the boot time and the Service Pack.
Metasploit exploit suggester
Background the current shell and search for "suggest".
Set SESSION to the current session:
Since this box hasn't been updated since its release in 2009, selecting any of the returned exploits might work.
Choosing the first exploit, ms10-015 kitrap0d.
Since we didn't set a payload, Metasploit opted to use *windows/meterpreter/reverse_tcp*, which was not configured with the correct LHOST and LPORT.
An error occurred and the box crashed, so he redid all the steps up to this point and re-ran the exploit.
Connect to the shell.
Operating as NT AUTHORITY\SYSTEM!
If you don’t know who IppSec is check him out at:
YouTube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec