Hack The Box: Devel Write-up (#31)

This is my 31st box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blog posts. So let’s begin.

Reconnaissance

As usual, run a full TCP scan.

  • -sC: Run the default Nmap scripts
  • -sV: Service/version detection
  • -O: Enable OS detection
  • -oA: Save the scan results in all three output formats
  • -p-: Scan all ports from 1-65535

We get back the following result:

  • Port 21: running an FTP service (ftpd)
  • Port 80: running an HTTP service, Microsoft IIS httpd 7.5

For the UDP scan, I scanned only the top 500 ports with the --top-ports flag, because I had already rooted this box while the full UDP scan was still running.

  • -sU: UDP scan

We get back the following result: no UDP ports are open.

Service Enumeration

Port 21 (FTP service)

Based on the Nmap results, anonymous access is allowed on the FTP server. Let’s log in with anonymous credentials; the username and password are both “anonymous”.

Anonymous access is successful and we can list the files in the directory. This directory looks like the web root directory; we will confirm this during the port 80 service enumeration. Let’s try to upload a file to this directory. If that works, we can upload a reverse shell the same way. First, create a test.txt file in Kali Linux, then upload it with the put command.

Nice, we can upload a file.

Port 80 (HTTP Web service)

Let’s visit the page.

Let’s view the page source.

We noticed this welcome.png image file during the FTP service enumeration, so we can confirm that the FTP directory is indeed the web root. We can get an initial foothold on this system by uploading a reverse shell payload to this directory and then requesting it from the web browser. Let’s begin the attack.

Exploitation

We know the target’s web server is Microsoft IIS and the web page is written in ASP, so we create our payload as an ASP file. Create a reverse shell payload using MSFvenom with the following command.

Upload our generated payload, reverse-shell.aspx, to the FTP server.

Next, set up a Netcat listener in Kali Linux.

From the browser, access the file.

Go back to our listener to see if we get a reverse shell connection.

Nice, we have a shell connected and it’s running as iis apppool\web.

Post-Exploitation Enumeration

Let’s download and run winPEAS.bat. For this purpose, I have set up a quick file share using Samba in my Kali Linux with the share name tools.

In this share, I have placed all my enumeration scripts. Before we copy our enumeration script over, let’s run the systeminfo command to check the OS version and architecture of the target machine.

The target is running Windows 7 Enterprise on a 32-bit (x86) architecture. Now, copy winPEAS.bat to the target’s Public directory.

Run the script.

After going through the long output of the script, we noticed that the iis apppool account holds the privileges SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege.

These privileges allow a service account to impersonate the access tokens of other users (including the SYSTEM account). So we are going to exploit this with a popular tool called JuicyPotato to escalate our privileges to SYSTEM.
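For anyone auditing their own service accounts for the finding above, here is a small added example (not part of this write-up) that parses a `whoami /priv` listing and flags the two token-impersonation privileges. The sample listing is constructed to resemble what an IIS application pool identity typically shows.

```python
"""Audit a `whoami /priv` listing for token-impersonation privileges.

Added example, not part of the original write-up. The sample output below
is constructed; real output for an account such as "iis apppool\\web" may
differ in the exact set of privileges listed.
"""
import re

# Privileges that let a service account use another user's token. Holding
# either one is what makes Potato-style escalation to SYSTEM possible.
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
}

# Constructed sample of the three-column table that `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")

def parse_privileges(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def impersonation_findings(text):
    """Return (privilege, state, reason) for each impersonation privilege held.

    The State column is reported but does not change the verdict: a privilege
    shown as Disabled is still held by the token and can be enabled by the
    process, so 'Disabled' offers no protection on its own."""
    privs = parse_privileges(text)
    return [(n, privs[n], why) for n, why in IMPERSONATION_PRIVS.items() if n in privs]

if __name__ == "__main__":
    for name, state, why in impersonation_findings(SAMPLE_WHOAMI_PRIV):
        print(f"RISK: {name} ({state}): account can {why}")
```

A clean account returns an empty list; the usual mitigation is to run the application pool under an identity that does not hold these privileges and to keep the web root unwritable by anonymous FTP.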

Privilege Escalation

First, let’s create a reverse shell payload as an executable (.exe).

I have already downloaded the compiled 32-bit version of JuicyPotato into my working directory in Kali Linux. Next, transfer our payload and JuicyPotato to the target machine.

On the target machine, execute the payload with JuicyPotato.

  • -l <port>: COM server listen port
  • -t <createprocess call>: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
  • -c <{clsid}>: CLSID (default BITS: {4991d34b-80a1-4291-83b6-3328366b9097})

We get a reverse shell running as SYSTEM.

Grab the user.txt flag.

Grab the root.txt flag.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Optimum.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.