Devel machine


Devel is a simple box that demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

We will use the following tools to get control of the box on a Kali Linux box

IP of the box:

Nmap scanning results

COMMAND: nmap -sC -sV -oN devel


We see Port 21 and Port 80 open running Microsoft FTP and Microsoft IIS httpd 7.5

Microsoft FTPD

We saw from the NMAP Scan that Port 21 is open and running Microsoft FTPD , also anonymous login in allowed on it , so lets try connect and login anonymously


We got connected successful as anonymous user , now we use the help command to list out the commands we can use.


We get a lot of commands we can use here , lets see what the directory contains using dir command.


We see 3 things including 1 directory and 2 files , one of them being a png image file , let’s try to get that to our box

let’s change the mode to binary and lets try to download the image.


Lets open the image 🙂


So this image is from default IIS page , I tried doing strings command and try to see any kind of steganography { using steghide tool} done here , but no luck 🙁 so let’s move on to web part.

Port 80 — Microsoft IIS 7.5

We open up the IP in the browser and see the webpage.

We get the default IIS7 web page , from NMAP Scan we saw that the server was IIS 7.5 which reveals the operating system might be Windows Server 2008 R2


Let’s take a look at the source code:


We get nothing interesting here:(

Let’s try to upload some files into the FTP because we saw there was 3 files related to web and there are reflecting as the home page on the server.

So first we create a “hello world” text file


BOOM its uploaded successfully,lets check on webserver by loading exp1o1t9r.txt file.


Ok , we see that it uploads and we can have access to it through the web:)

Since this is an Microsoft IIS Server , the possibility can be that we can upload asp or aspx web shell

So we download a cmd web shell into the ftp and try to access it from the web.

Kali linux provides different kinds of shells in built.lets locate it and upload to the server via ftp service

COMMAND: locate cmd.aspx

Now lets check on server and load aspx_cmd.aspx file


BOOM:) it got worked and executing the system commands:)

We got a cmd shell , but it wont help us that much , so we will use metasploit to create a aspx shell and then turn on a meterpreter listener on it.


After generating a payload from the tool msfvenom we use the ftp service to upload the shell and execute the shell by opening it in the web page🙂

Shell is uploaded lets create a listener by using metasploit module called msfconsole🙂

lets fire up msfconsole


BOOM:) its successful,

So we are IIS APPPool currently , so we cant have much access to the machine , let’s try to get advanced privileges by using a post exploit module in metasploit named as “Exploit Suggester” but first we background and the search the module

Exploit Suggester

As i used getsystem in order to escalate the system privileges and unfortunately it didn’t worked as expected.

so i choose Exploit Suggester module 🙂

We get whole loads of stuff , so we are gonna try the exploit /windows/local/ms10_015_kitrap0d


Ok , we got our meterpreter session 2 , if we now check the UID using getuid command , we get

Now we use the shell command to get a proper cmd shell and then move on to for flags

The user flags are usually on the Desktop folder of the user on the machine.

The Root Flags are usually under the Desktop Folder of Administrator Account.

I hope you like my writeup 🙂

If you like my writeup , Give me Respect on my HTB profile : Exp1o1t9r


Please enter your comment!
Please enter your name here