Hack the Box-Devel
Credit to HacktheBox

Today I will walk through my process, and the thinking behind it, for getting root access on this Windows box. This box was provided as a Retired Box from HacktheBox.

The first thing we need to do is run an nmap scan of the machine, which gives the following output.

[Image: nmap scan output]

From this we see two open ports, 21 and 80. We can also see that anonymous FTP login is enabled! We also see a fairly old version of IIS (the most recent version being IIS 10), so let's take a quick look at that and see what is there.

To get to this web page, all we have to do is open a web browser and type the IP address of the target machine into the URL bar.

[Image: the page served on port 80]

Alright, so it was a blank page, which makes sense. We saw iisstart.htm in the FTP listing, so the site most likely hasn't been set up yet. Because we basically have file access to the server, this works similarly to a Local File Inclusion. So let's make a payload that will reach back out to us so we can keep moving forward.

One thing we have to keep in mind is what kind of payload we need. We could make many different kinds of payload, but there is a hint in the files on the server about which kind we need.

[Image: the hint about the payload type]

After some research, we need to make a payload for ASP.NET, which ends up being a .aspx file. Msfvenom is the tool we will use to create the payload, and this is the command I ran to create it. Notice that LHOST points to my local IP address, which will most likely be different on your computer.

[Image: msfvenom command used to create the .aspx payload]

Once that finishes, I have a file that can be put on the server. Let's go back into FTP using anonymous login. This is done by simply entering Anonymous as the username; the password doesn't matter. I usually type ls there because it is quick and easy for me.

After placing the payload on the website with the FTP put command, we need to do one more thing to exploit this, which is to create a listener! This is done in Metasploit with the following commands.

[Image: Metasploit listener setup]

This creates the listener, and now all you need to do is go back to the website in your browser and enter the location of the file you uploaded; in this case it is as shown below.

[Image: URL of the uploaded .aspx file]

If your exploit is successful, you should get output that looks something like this:

[Image: session opened on the listener]
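The chain just described (an anonymous FTP upload of a .aspx file into the web root, followed by an HTTP request that executes it) leaves a trace that a defender can correlate across the IIS FTP and web logs. The following is an added example written for this page, not code from the original writeup; the log lines are constructed, and their simplified W3C field layout is an assumption modelled on IIS logging.

```python
# Correlate anonymous FTP uploads of server-side scripts with later HTTP
# requests for them. Logs below are constructed samples (not real logs) in a
# simplified W3C layout assumed to resemble IIS FTP and web logging.
FTP_LOG = """#Fields: date time c-ip c-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 10.10.14.5 anonymous USER anonymous 331
2024-01-01 10:00:01 10.10.14.5 anonymous PASS *** 230
2024-01-01 10:00:05 10.10.14.5 anonymous STOR /shell.aspx 226
2024-01-01 10:00:09 10.10.14.5 anonymous STOR /notes.txt 226
"""
WEB_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:03 10.10.14.5 GET /iisstart.htm 200
2024-01-01 10:00:12 10.10.14.5 GET /shell.aspx 200
"""
# Extensions IIS hands to a script engine: one of these landing in the web
# root over FTP is the step the walkthrough above depends on.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webshell_uploads(ftp_text, web_text):
    """Return (uri, uploader_ip, requester_ip) for every script file that an
    anonymous FTP session stored successfully (226) and that was requested
    over HTTP at or after the upload time."""
    uploads = {}
    for rec in parse_w3c(ftp_text):
        uri = rec["cs-uri-stem"].lower()
        if (rec["cs-method"] == "STOR" and rec["sc-status"] == "226"
                and rec["c-username"].lower() == "anonymous"
                and uri.endswith(SCRIPT_EXT)):
            uploads[uri] = (rec["c-ip"], f'{rec["date"]} {rec["time"]}')
    hits = []
    for rec in parse_w3c(web_text):
        uri = rec["cs-uri-stem"].lower()
        when = f'{rec["date"]} {rec["time"]}'
        if uri in uploads and when >= uploads[uri][1]:  # ISO timestamps sort as text
            hits.append((uri, uploads[uri][0], rec["c-ip"]))
    return hits

if __name__ == "__main__":
    for uri, up_ip, req_ip in find_webshell_uploads(FTP_LOG, WEB_LOG):
        print(f"ALERT: {uri} stored via anonymous FTP from {up_ip}, then requested by {req_ip}")
```

A request for the file that predates the upload (for example a scanner guessing names) is deliberately not reported, so the rule only fires on the upload-then-execute sequence.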

We have a reverse shell! Now it is time to do some more enumeration. Using the sysinfo command in Metasploit, we can see that we are on a Windows 7 box.

[Image: sysinfo output]

We can also see from the getuid command that we are not root yet.

[Image: getuid output]

From this point, after poking around with the shell command, I realized that this user couldn't access some locations, such as the Administrator user folder, so it was not an admin. At this point I looked towards privilege escalation to see what we could do.

Typing background in Meterpreter put my session into the background so I could come back to it later. I decided to use built-in Meterpreter utilities like the local exploit suggester.

[Image: local exploit suggester setup]

Using this, I got the following output:

[Image: local exploit suggester output]

I attempted the most recent ones first because I thought they had a better chance of success, and while they did run, they weren't able to give me back a shell! After trying for a while I eventually found one that worked, MS10-015-kitrap0d. It was set up as follows.

[Images: MS10-015-kitrap0d module setup and the resulting session]

We now have root-level access on the machine and can do whatever we want. At this point I went ahead and located both of the flag.txt files, on the user's and the Administrator's Desktops respectively, and turned them in.
