HackTheBox Writeup — Devel

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

Since I got VIP Connection few days ago , I am going to solve as many retired boxes as possible and create writeups for each one of them. I hope you enjoy them and dont boast me for it :)

The IP of this box is

NMAP Results

We run NMAP Scan against the target

We see Port 21 and Port 80 open running Microsoft FTP and Microsoft IIS httpd 7.5

Microsoft FTPD

We saw from the NMAP Scan that Port 21 is open and running Microsoft FTPD , also anonymous login in allowed on it , so lets try connect and login anonymously

We got connected successful as anonymous user , now we use the help command to list out the commands we can use

We get alot of commands we can use here , lets see what the directory contains using dir command

We see 3 things including 1 directory and 2 files , one of them being a png image file , let’s try to get that to our box

So we set our mode to binary and got the file , let’s try to seek under the directory we saw

Nothing interesting here , so we move on to checking the image file we downloaded

So this image is from default IIS page , I tried doing strings command and try to see any kind of steganography done here , but no luck :( so let’s move on to web part

Port 80 — Microsoft IIS 7.5

We open up the IP in the browser and see

We get the default IIS7 web page , from NMAP Scan we saw that the server was IIS 7.5 which reveals the operating system might be Windows Server 2008 R2

Looking at the source code

We get nothing interesting

Let’s try to upload some files into the FTP because we saw there was 3 files related to web

So first we create a “hello world” text file

Now we upload it into the FTP using put command

Now , we try to access the text file from the web

Ok , we see that it uploads and we can have access to it through the web

Since this is an Microsoft IIS Server , the possibility can be that we can upload asp or aspx web shell

So we download a cmd web shell into the ftp and try to access it from the web

CMD Shell uploaded to FTP and now we access it through web

We got a cmd shell , but it wont help us that much , so we will use metasploit to create a aspx shell and then turn on a meterpreter listener on it

We created our aspx reverse shell and now we spawn msfconsole and use the handler on it

All options set and now we ready to run the exploit command to make it listen on port 9001

As soon as we hit the our shell on the web browser

We get our Reverse Connection back on msf

We got meterpreter session , let’s try to see what user we are by using getuid command

So we are IIS APPPool currently , so we cant have much access to the machine , let’s try to get advanced priveleges by using a post exploit module in metasploit named as “Exploit Suggester” but first we background and the search the module

We see the module is post/multi/recon/local_exploit_suggester

So we are gonna use this module and see the available options to set

So , we saw the options and had to put our Session number , which here was 1 and now we are ready to run the module

We get whole loads of stuff , so we are gonna try the exploit /windows/local/ms10_015_kitrap0d

We are set ready for our final exploit command

Ok , we got our meterpreter session 2 , if we now check the UID using getuid command , we get

Now we use the shell command to get a proper cmd shell and then move on to for flags

The user flags are usually on the Desktop folder of the user on the machine

The Root Flags are usually under the Desktop Folder of Administrator Account

So here’s another easy box completed as I make myself to complete atleast 2 boxes a day from the retired one so that I may be able to complete maximum machines before my connection gets expired


Also Subscribe to Ippsec’s Youtube Channel as he uploads each and every video with more detailed analysis , I learned alot from him :)

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover