Happy Saturday, everyone!
In today’s post, I’ll be attacking another system from hackthebox.eu. This one is called Devel! Let’s jump right into it!
Devel’s IP address is 10.10.10.5, so let’s start off by scanning it with Nmap in order to see what ports are open and what services are running on it.
We see that port 80 is open, so we can open up a web browser and type in 10.10.10.5 to see what we can find!
Okay, so we see that the default Internet Information Services (IIS) page is being served. I enumerated the site a bit more, but nothing of interest was returned. Returning to our Nmap scan, we can see that FTP is also running and allows anonymous login! So let’s log in!
For anonymous login to work, we can simply use the anonymous/anonymous credentials to log in. Once logged in, let’s see what information we can find.
Since we have FTP access, we may be able to upload a backdoor shell to the server. To test this theory, we’re going to create an aspx shell with msfvenom. We know we can use an aspx shell because we found the aspnet_client folder, which indicates that ASP.NET is set up on the server.
As we can see, the payload we’ll be using is windows/meterpreter/reverse_tcp, with our own IP as the LHOST and port 4444 as the LPORT.
Once the shell is created, we can upload it to the FTP server using the “put” command.
With the file uploaded, our next step will be to start a listener on our own system for the shell to call back to.
With the options set, all we have to do is type “run” for the listener to start. Now, we’ll browse to 10.10.10.5/dev.aspx in our web browser.
Now, let’s switch back to our listener.
We have a meterpreter shell! Running a “getuid” command shows us that we don’t have System privileges yet, so let’s try to escalate our privileges!
Meterpreter has a module that we can use to look for suggested exploits, so let’s fire that up.
I didn’t have much luck with the first suggested exploit, so let’s try the one called kitrap0d.
Okay, now let’s see what this meterpreter shell gives us!
That’s more like it! Now let’s grab the user.txt and root.txt flags!
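From the defender's side, the key sequence in this walkthrough (a script file stored over anonymous FTP, then requested over HTTP as /dev.aspx) can be caught by correlating the FTP and web server logs. The sketch below is an added example, not part of the original post: the log lines are constructed, the reduced W3C field sets and the function names are assumptions, and it assumes the FTP root is the web root so that FTP paths and URL paths match.

```python
from datetime import datetime

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")  # server-side script types on IIS

# Constructed sample logs in W3C extended format (not from the original post).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-06 14:02:30 192.0.2.7 anonymous STOR /dev.aspx 226
2024-01-06 14:05:00 192.0.2.9 anonymous STOR /notes.txt 226
2024-01-06 14:06:00 192.0.2.9 anonymous STOR /blocked.aspx 550
"""
HTTP_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-06 14:03:05 GET /dev.aspx 192.0.2.7 200
2024-01-06 14:03:20 GET /iisstart.htm 192.0.2.7 200
2024-01-06 14:07:00 GET /blocked.aspx 192.0.2.9 404
"""

def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def find_uploaded_script_hits(ftp_text, http_text):
    """Return (path, ftp_user, uploader_ip, requester_ip, seconds_after_upload) for each
    script file stored over FTP (226) and later served over HTTP (200)."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] == "STOR" and r["sc-status"] == "226" and path.endswith(SCRIPT_EXTS):
            uploads[path] = r
    hits = []
    for r in parse_w3c(http_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and r["sc-status"] == "200" and r["ts"] >= up["ts"]:
            delay = int((r["ts"] - up["ts"]).total_seconds())
            hits.append((r["cs-uri-stem"], up["cs-username"], up["c-ip"], r["c-ip"], delay))
    return hits

if __name__ == "__main__":
    for hit in find_uploaded_script_hits(FTP_LOG, HTTP_LOG):
        print("ALERT: FTP-uploaded script served over HTTP:", hit)
```

The underlying fix is configuration: remove write permission for anonymous FTP users, or point the FTP root at a directory the web server does not serve or execute from.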
Another Hack the Box system down, and we’re going to be on to the next one!
Thanks for reading!