Ethical Hacking Lessons — Devel Writeup

Kamran Bilgrami
5 min read · Oct 13, 2019


In this write-up, I will show how to get root access to the hackthebox Devel machine. An unpatched machine and anonymous FTP without proper authorization could be signs of a lazy IT technician. This write-up demonstrates how hackers can take advantage of this attack vector to run malicious code and gain root-level access to such a machine.

Let’s start with its info card.

This is a Windows machine marked with an Easy difficulty level. The radar graph shows an inclination towards the presence of CVEs.

Recon

Let’s start with TCP and UDP Nmap scans of all ports.

nmap -A -T4 -p- -oX tcp_scan_result.xml 10.10.10.5

The results, transformed into HTML format, are shown below.

The following command performs a UDP scan.

nmap -sU -p- -oX udp_scan_result.xml 10.10.10.5

The UDP scan results, after transforming to HTML, look as follows.

Recon Analysis Results

TCP scan results reveal two open ports.

  • Port 21: FTP service is running. Anonymous login is allowed.
  • Port 80: Scan results indicate Internet Information Services (IIS) running as the web server.

UDP scan results do not show any open ports.

Enumeration

Let’s enumerate the FTP and HTTP services to see what possible ways could be available for exploitation.

FTP

Let’s first verify anonymous access to the FTP site and see what files are available.

The files and folders available here look like those of a default IIS configuration.

HTTP

Browsing to 10.10.10.5 shows the IIS default page.

This opens up a few interesting questions:

  1. Is the FTP site directory the same directory that serves this IIS default page?
  2. Does the anonymous user have permission to upload a file to the FTP site?
  3. Can a user run any files/scripts that are available on the HTTP page?

To answer these questions, let’s try to upload a hackthebox image to the FTP site.

Let’s try to see if we can view the image from the browser.

Enumeration Results Analysis

Even though the image is distorted for some reason, it clearly shows that we can upload a file to FTP that can then be executed via the browser.

Exploitation

Let’s start by searching for exploits that could be available for this use case. The presence of IIS 7.5 is a strong indication of Windows 7/2008 R2. Let’s see if we can find an msfvenom payload that we can use to get a reverse shell. The search results provide a list in which windows/shell_reverse_tcp looks suitable for our scenario.

Since we know that the web-server is IIS, we first need to confirm if msfvenom can be used to generate a payload that could be used with IIS.

Let’s generate a payload in aspx format and store it in a file named shell.aspx.

We can upload this payload file to the FTP server using the anonymous login that we discovered earlier.

Let’s launch a listener on the attacking Kali machine.

Then run the payload we just uploaded through the browser.

That immediately gave us a shell on the Devel machine as the iis apppool\web user. As you can see in the image below, this user has limited access and cannot browse to the interesting folders to get the needed flags.

This means that we need to attempt a privilege escalation to get root-level access. The key piece of information can be retrieved with the systeminfo command, which tells us that it’s an x86 Windows 7 version 6.1.4600 box. The Hotfix(s) field has a value of N/A, which could indicate that the machine has not been patched.

A Google search leads to the MS11-046 exploit, which relates to the CVE-2011-1249 vulnerability. This exploit consists of a C language file that needs to be downloaded and compiled. The exploit page provides the instructions to compile the file, as shown below.

This needs the mingw-w64 compiler, which you can install with the following command.

apt-get install mingw-w64

Once the file is compiled, it should produce a file named 40564.exe. We can upload this file to the FTP server as well.

Now we can go back to the existing reverse shell and run this executable. That gave us access as nt authority\system, which is equivalent to root-level access on a Windows system.

After that, it’s just a matter of navigating to the right folders and capturing the user/root flags.

Root Cause Analysis

Several factors contributed to the exploitation of these vulnerabilities.

  1. The Windows system itself was not patched and was missing critical updates.
  2. Anonymous access to FTP was allowed with write permissions.
  3. The web server root directory was accessible via FTP. Combined with anonymous FTP, that gave the ability to upload and execute malicious code.
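As an added example that is not part of the original write-up, the following script shows how a defender could surface root causes 2 and 3 from IIS FTP and web logs: anonymous STOR uploads, and uploaded executable content that is later requested over HTTP. The log lines, their field layout and the client addresses are constructed for the example.

```python
# Constructed sample logs in IIS W3C style. The field layout and the client
# addresses are assumptions; the parser reads the layout from the #Fields: line.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-10-13 10:01:02 10.10.14.2 anonymous USER - 331
2019-10-13 10:01:02 10.10.14.2 anonymous PASS - 230
2019-10-13 10:01:09 10.10.14.2 anonymous STOR /shell.aspx 226
2019-10-13 10:02:30 10.10.14.2 anonymous STOR /40564.exe 226
2019-10-13 10:05:00 10.10.14.7 anonymous RETR /welcome.png 226
"""

WEB_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-10-13 10:01:15 10.10.14.2 GET /shell.aspx 200
2019-10-13 10:05:10 10.10.14.7 GET /welcome.png 200
"""

# Content IIS executes rather than serves as a static file, plus binaries
# that could be run from a shell (as 40564.exe was in the write-up).
EXECUTABLE_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll")

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def anonymous_writes(ftp_log):
    """Successful anonymous STORs: root cause 2 (anonymous FTP with write access)."""
    return [r["cs-uri-stem"] for r in parse_w3c(ftp_log)
            if r["cs-method"] == "STOR" and r["cs-username"].lower() == "anonymous"
            and r["sc-status"].startswith("2")]

def upload_then_execute(ftp_log, web_log):
    """Anonymous uploads of executable content later requested over HTTP:
    root cause 3 (web root reachable via FTP). Returns (uri, uploader, requester)."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        uri = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "STOR" and r["cs-username"].lower() == "anonymous"
                and uri.endswith(EXECUTABLE_EXT)):
            uploads[uri] = r
    hits = []
    for r in parse_w3c(web_log):
        u = uploads.get(r["cs-uri-stem"].lower())
        if u and (r["date"], r["time"]) >= (u["date"], u["time"]):
            hits.append((u["cs-uri-stem"], u["c-ip"], r["c-ip"]))
    return hits
```

On the constructed logs, `anonymous_writes` reports both uploads and `upload_then_execute` reports only shell.aspx, since 40564.exe was run from the shell rather than requested through IIS.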
