I am back with another box Devel in Hack The Box series. This is going to be the #3 machine in my HTB series. The box is categorized as easy. Let’s start with owning the box.
Target IP: 10.129.61.24
As usual the first step was to run a nmap scan against the target machine. As per the nmap scan, we can see anonymous access is enabled for the FTP service. The folder structure looks like of IIS web folder which is running HTTP service on port 80. Since anonymous access is possible, I decided to upload a web payload that will create a connection upon execution.
I used the MsfVenom cheat sheet available here for creating a web payload. LHOST should be the machine where we want to connect back from the target. Once the payload was ready for upload, l opted to first set up a listener to listen on port 4444, where I was expecting my payload to create connection. I used the Metasploit module to create the listener with default settings.
After uploading the payload, I navigated to a browser to access the payload through the web browser. The payload was dropped in the root folder with the name payload.aspx. Once the page[10.129.61.24/payload.aspx] was browsed, the listener we had created, found the reverse connection. Unfortunately, I wasn’t able to get a stable shell session. I opted to change the payload module from Metasploit.
set payload windows/meterpreter/reverse_tcp
After changing the payload, I was able to get a meterpreter session after refreshing the page. The current user was an IIS Server based service account and the getsystem was also not able to escalate the privilege. I tried a local exploit module to check if the server was vulnerable to any available exploit. I saved the session by moving it background. The exploit suggester can be found multi/recon/local_exploit_suggester. The module needs a session to be set which can be found using the sessions command.
As per the module output, it was suggested that the target may be vulnerable to exploit/windows/local/ms10_015_kitrap0d. The option was set to listen on a available port and LHOST was configured to listen on my machine. Fortunately, post execution, we had a session with higher privilege i.e. NT Authority\System
After getting the privileged session, I changed to the command prompt by using shell command. I found a User folder was present, to which I navigated. I ran dir root*.txt /s/p to list out the path where such a file can be found. Based on the result, I was able to find the root flag. The same command was executed to list out user flag. dir user*.txt /s/p
This complete this box. It did not have much from enumeration and more of a configuration issue by allowing anonymous FTP access. The msfvenom helped to get a web payload to create the reverse connection. Metasploit module helped to complete the listener as well identify the exploit to elevate the privilege.
Plagiarism Score: 0% Calculated from SmallSEOTools
Leave a Reply