Hackthebox - Retired - Devel Recon I've been using Threader3000 for my recon scans lately. It's a threaded python scanner that suggests nmap scans based on the results of the initial first up/down scan. Just 2 open ports I like to convert the nmap xml to html to make it easy on the eyes. xsltproc ./10.10.10.5.xml -o ../devel.htb.html So this looks like a microsoft box with an FTP open on 21 to anonymous and IIS 7.5 on port 80 Let's start with port 80 and see what they are serving up. Just the standard IIS parking page. FTP (logged in as anonymous) Looks like the www folder for the webserver. So anonymous has write permissions to the FTP so we can put any file we want in there… so I uploaded a webshell, that is pre-rolled with kali. Exploit Here you can see cmdasp.aspx in the root of what looks like the webserver. Let's see if we can browse to this now. That was quick and easy. I used the FTP to upload nc.exe to devel to see if we could get a better shell. I found the fi
@circusmonkey404 on the twitters; DM for contact