Devel machine

Devel

Devel is a simple box that demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

We will use the following tools to get control of the box on a Kali Linux box

IP of the box: 10.10.10.5

Nmap scanning results

COMMAND: nmap -sC -sV -oN devel 10.10.10.5

Devel

We see ports 21 and 80 open, running Microsoft FTP and Microsoft IIS httpd 7.5.

Microsoft FTPD

We saw from the Nmap scan that port 21 is open and running Microsoft FTPD. Anonymous login is also allowed on it, so let's try to connect and log in anonymously.

FTP

We connected successfully as the anonymous user. Now we use the help command to list the commands we can use.

help

We get a lot of commands we can use here. Let's see what the directory contains using the dir command.

dir

We see 3 things: 1 directory and 2 files, one of them a PNG image file. Let's try to get that onto our box.

Let's change the mode to binary and try to download the image.

welcome.png

Let's open the image 🙂

Welcome.png

So this image is from the default IIS page. I tried running the strings command and checking for any kind of steganography (using the steghide tool) here, but no luck 🙁 so let's move on to the web part.

Port 80 — Microsoft IIS 7.5

We open up the IP in the browser and see the webpage.

We get the default IIS7 web page. From the Nmap scan we saw that the server was IIS 7.5, which suggests the operating system might be Windows Server 2008 R2.

WebPage

Let’s take a look at the source code:

View-Source

We get nothing interesting here :(

Let's try to upload a file over FTP, because we saw there were 3 files related to the web site and they are what the server serves as its home page.

So first we create a "hello world" text file.

HELLO WORLD

BOOM, it's uploaded successfully. Let's check on the web server by loading the exp1o1t9r.txt file.

exp1o1t9r.txt

OK, we see that the file uploads and that we can access it through the web :)

Since this is a Microsoft IIS server, it is possible that we can upload an ASP or ASPX web shell.

So we upload a cmd web shell over FTP and try to access it from the web.

Kali Linux ships with different kinds of shells built in. Let's locate one and upload it to the server via the FTP service.

COMMAND: locate cmd.aspx

Now let's check on the server and load the aspx_cmd.aspx file.

aspx_cmd.aspx

BOOM :) it worked and is executing system commands :)

We got a cmd shell, but it won't help us that much, so we will use Metasploit to create an ASPX shell and then start a Meterpreter listener for it.
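The upload-then-request chain above leaves records in two places: the IIS FTP log and the IIS HTTP log. The following is an added example, not part of the original writeup, showing how a defender could correlate the two to flag a script that was stored over FTP and then served over HTTP. It assumes W3C extended logs with a `#Fields` header and an FTP root that is also the web root; the log lines are constructed samples trimmed to the fields used.

```python
import posixpath

SCRIPT_EXT = {".asp", ".aspx", ".ashx", ".asmx"}  # types IIS/ASP.NET executes

# Constructed sample records, trimmed to the fields the check needs.
FTP_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 anonymous 10.10.10.5 21 STOR exp1o1t9r.txt 226
2024-01-01 10:05:00 192.0.2.10 anonymous 10.10.10.5 21 STOR aspx_cmd.aspx 226
2024-01-01 10:06:00 192.0.2.10 anonymous 10.10.10.5 21 STOR denied.aspx 550
"""
HTTP_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-01 10:01:00 10.10.10.5 GET /exp1o1t9r.txt - 80 - 192.0.2.10 200
2024-01-01 10:05:30 10.10.10.5 GET /aspx_cmd.aspx - 80 - 192.0.2.10 200
2024-01-01 10:07:00 10.10.10.5 GET /denied.aspx - 80 - 192.0.2.10 404
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the current #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def web_path(stem):
    # Assumption: the FTP root is the web root, so paths map one to one.
    return "/" + stem.lstrip("/").lower()

def find_upload_then_execute(ftp_log, http_log):
    """Return (path, uploader_ip, ftp_user, requester_ip) per stored-then-served script."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        path = web_path(r.get("cs-uri-stem", ""))
        if (r.get("cs-method") == "STOR" and r.get("sc-status") == "226"
                and posixpath.splitext(path)[1] in SCRIPT_EXT):
            uploads[path] = (f"{r['date']} {r['time']}", r["c-ip"], r["cs-username"])
    hits = []
    for r in parse_w3c(http_log):
        path = web_path(r.get("cs-uri-stem", ""))
        if path in uploads and r.get("sc-status") == "200":
            stored_at, ip, user = uploads[path]
            if f"{r['date']} {r['time']}" >= stored_at:  # ISO stamps sort as text
                del uploads[path]  # report the first request only
                hits.append((path, ip, user, r["c-ip"]))
    return hits

if __name__ == "__main__":
    print(find_upload_then_execute(FTP_LOG, HTTP_LOG))
```

The text file and the rejected upload are ignored; only the script that was both stored successfully and served with a 200 is reported.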

msfvenom

After generating a payload with msfvenom, we use the FTP service to upload the shell and execute it by opening it in the web page 🙂

The shell is uploaded, so let's create a listener in msfconsole, the Metasploit console 🙂

Let's fire up msfconsole.

msfconsole

BOOM :) it's successful.

We are currently running as IIS APPPool, so we can't have much access to the machine. Let's try to get higher privileges by using a post-exploitation module in Metasploit named "Exploit Suggester", but first we background the session and then search for the module.

Exploit Suggester

I used getsystem in order to escalate to system privileges, and unfortunately it didn't work as expected.

So I chose the Exploit Suggester module 🙂

We get a whole load of results, so we are going to try the exploit /windows/local/ms10_015_kitrap0d

shell

OK, we got our meterpreter session 2. If we now check the UID using the getuid command, we get

Now we use the shell command to get a proper cmd shell and then move on to the flags.

The user flags are usually in the Desktop folder of the user on the machine.

The root flags are usually under the Desktop folder of the Administrator account.

I hope you like my writeup 🙂

If you like my writeup , Give me Respect on my HTB profile : Exp1o1t9r
