HackTheBox “Devel” With & Without Metasploit WriteUp
The Devel machine on Hack The Box is a Windows host that permits anonymous login to its FTP service. This misconfiguration can be exploited by uploading files to the server and establishing a reverse shell on the host. Local enumeration shows that the host is missing patches, which allows privilege escalation with a known exploit.
Let’s get started!🚀
Recon & Enumeration
Let’s use nmap to scan for open ports and services:
Upon conducting a port scan, we observe that ports 80 and 21 on the Devel machine are open.
The nmap scan reveals that the FTP service allows anonymous logins, making it a good starting point for our investigation.
Anonymous File Transfer Protocol (FTP) grants access to the FTP server using the username “anonymous” and any password, enabling users to access files stored on the server.
Now, we will attempt to access the files in the screenshot above through the browser.
An available action at this point is to assess the server’s file transfer capabilities (put/get). To test this, we can create a test document and proceed to upload it to the server.
Let’s upload the file to the FTP server.
Using the web browser, verify if the web server renders the test.html file.
Excellent! With the confirmation that we can upload and access files on the server, let’s proceed to generate a reverse shell and attempt to gain access. To accomplish this, we create our reverse shellcode locally using the following command.
Exploitation W/O Metasploit
Execute the msfvenom command to generate the aspx payload.
Upload it to the FTP server.
Start a netcat listener on the attack machine to receive the reverse shell upon execution.
On the web browser, load the shell.aspx file that was uploaded to the FTP server.
Return to the listener to verify if the shell has successfully connected back.
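Seen from the defender's side, the upload-then-browse sequence above leaves a trail that can be correlated: an anonymous FTP STOR of a server-executed file, followed by an HTTP request for the same path. The sketch below is an added example, not part of the original write-up; it assumes IIS-style W3C logs and an FTP root that maps to the web root, and it runs on constructed log lines with a reduced set of columns and documentation-range addresses.

```python
from datetime import datetime

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php")  # server-executed types

# Constructed sample logs; addresses are from documentation ranges.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 10:00:01 198.51.100.7 anonymous STOR /test.html 226
2024-01-10 10:05:12 198.51.100.7 anonymous STOR /shell.aspx 226
2024-01-10 10:06:00 203.0.113.9 webadmin STOR /default.aspx 226
2024-01-10 10:07:30 198.51.100.7 anonymous STOR /notes.aspx 550
"""
HTTP_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-10 10:02:00 GET /test.html 198.51.100.7 200
2024-01-10 10:05:40 GET /shell.aspx 198.51.100.7 200
2024-01-10 10:09:00 GET /default.aspx 203.0.113.9 200
"""

def parse_w3c(text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def find_uploaded_script_hits(ftp_text, http_text, window_s=3600):
    """Return (path, uploader_ip, requester_ip) for anonymous script uploads
    that were fetched over HTTP within window_s seconds of the upload."""
    # Assumption: FTP root == web root, so the same path appears in both logs.
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"].upper() in ("STOR", "STOU", "APPE")
               and r["cs-username"].lower() in ("anonymous", "ftp")
               and r["sc-status"] == "226"               # transfer completed
               and r["cs-uri-stem"].lower().endswith(SCRIPT_EXT)]
    alerts = []
    for req in parse_w3c(http_text):
        for up in uploads:
            delta = (req["ts"] - up["ts"]).total_seconds()
            if req["cs-uri-stem"].lower() == up["cs-uri-stem"].lower() and 0 <= delta <= window_s:
                alerts.append((up["cs-uri-stem"], up["c-ip"], req["c-ip"]))
    return alerts

if __name__ == "__main__":
    for path, src, dst in find_uploaded_script_hits(FTP_LOG, HTTP_LOG):
        print(f"ALERT anonymous upload of {path} from {src} requested over HTTP by {dst}")
```

On the sample data only `/shell.aspx` is flagged: the HTML upload is not a server-executed type, the authenticated upload is ignored, and the failed transfer (550) never reached disk.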
As we navigate around, it becomes apparent that our access rights are limited.
Let’s check the system information.
The system we are currently on is a Microsoft Windows 7 build 7600. It appears to be outdated and lacking updates, making it susceptible to various exploits.
Now, let’s run a search to gather information about Windows 7 build 7600 exploits.
Let’s go with the MS11-046 exploit below.
Searchsploit MS11-046
We can proceed with compiling the exploit by referring to the instructions provided on the Exploit Database (exploitdb) webpage.
Compile the exploit
To transfer the compiled exploit to the targeted machine, begin by initiating an HTTP server on the attacking box using the following command:
sudo python3 -m http.server 8080
Next, run the PowerShell command below on the targeted machine to transfer the exploit.
Now, let’s execute the exploit to elevate our privileges on the targeted machine.
Exploitation W/ Metasploit
Given our FTP access, we generate a Meterpreter payload as shown below.
Upload it to the target.
Start a handler in Metasploit.
Run
Let us access our exploit from the browser.
We get a Meterpreter shell.
Let us run a suggester to look for a way to escalate our privileges on this target.
Set the suggester to use the targeted session and run it from there.
As we can see above, we have several local exploits. I am going to use the module below and set its options:
Run
Cheers.