Devel - HTB Walkthrough

Subashri
Dec 1, 2020

This is my next blog on the machine Devel from Hack The Box. This is an easy retired machine and can be exploited using Metasploit. The machine's IP address is 10.10.10.5 and it runs a Windows operating system.

The first step is reconnaissance, done with an nmap scan that shows us which ports are open.

The nmap scan reveals that ports 21 and 80 are open. A Microsoft FTP server is running on port 21 and a Microsoft IIS web server is running on port 80.

As the FTP port is open, we try logging in with some default user credentials. The username “anonymous” works, and no password is required.

So, we have successfully logged in to FTP, and we list the files for reference. We then try URLs based on the files that are available over FTP. Next, we try to upload a PHP reverse shell, shell.php, and the upload succeeds.

But sadly, when we request the same file by URL, it does not work and throws a 404 error. This might be because the IIS server hosting the website only allows asp or aspx files. So we generate an aspx reverse shell file using msfvenom and upload it to the server.

To our surprise, the website URL for reverse.aspx works.

So now, we upload the working shell over FTP using the put command.

Once the reverse shell is uploaded to the web server, we need a listener, so we start msfconsole and set the payload there.

We then start the multi/handler exploit and open http://10.10.10.5/reverse.aspx in another window.

Upon exploitation, we get the meterpreter shell.
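The upload-then-request sequence above leaves a pattern a defender can detect: a script written over FTP that is later served successfully over HTTP. The following is an added example, not part of the original post; the log lines are constructed samples, and the W3C field layout, the function names and the premise that the FTP root is the site's web root are assumptions.

```python
import re

# Constructed sample logs in W3C extended format; the field layout is an assumption.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-12-01 10:01:12 10.10.14.7 anonymous STOR /shell.php 226
2020-12-01 10:03:40 10.10.14.7 anonymous STOR /reverse.aspx 226
2020-12-01 10:04:02 10.10.14.9 anonymous RETR /welcome.png 226
"""
HTTP_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2020-12-01 10:02:05 GET /shell.php 10.10.14.7 404
2020-12-01 10:05:31 GET /reverse.aspx 10.10.14.7 200
2020-12-01 10:06:00 GET /welcome.png 10.10.14.9 200
"""

SCRIPT_EXT = re.compile(r"\.aspx?$", re.IGNORECASE)  # file types IIS executes here
WRITE_CMDS = {"STOR", "STOU", "APPE"}                # FTP commands that write a file

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def uploaded_scripts_served(ftp_log, http_log):
    """Return one alert per script written over FTP and later served with 200."""
    uploads = {}
    for rec in parse_w3c(ftp_log):
        path = rec["cs-uri-stem"]
        if (rec["cs-method"] in WRITE_CMDS and rec["sc-status"].startswith("2")
                and SCRIPT_EXT.search(path)):
            uploads[path.lower()] = rec
    alerts = []
    for rec in parse_w3c(http_log):
        up = uploads.get(rec["cs-uri-stem"].lower())
        # ISO date and time strings compare correctly as plain text.
        if (up and rec["sc-status"] == "200"
                and (rec["date"], rec["time"]) >= (up["date"], up["time"])):
            alerts.append({"path": rec["cs-uri-stem"], "ftp_user": up["cs-username"],
                           "uploaded_from": up["c-ip"], "requested_from": rec["c-ip"]})
    return alerts

if __name__ == "__main__":
    for alert in uploaded_scripts_served(FTP_LOG, HTTP_LOG):
        print(alert)
```

On the sample data only the aspx upload raises an alert: the PHP upload is not a type the server executes and its request returned 404.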

We run basic commands in the shell to get the system info and the UID.

The APPPOOL\Web user indicates the possibility of gaining administrator privileges.

The next step is privilege escalation: we run the exploit suggester and then escalate based on its suggestions.

This helps identify a kernel exploit whose patch is not installed on the computer.

We have two candidate exploits, and finally we settle on windows/local/ms14_058_track_popup_menu, which can escalate privileges to administrator.

We check the meterpreter shell, and upon checking the ID we see that we are NT AUTHORITY\SYSTEM.

We then navigate to the home directory and check for users.

We find two interesting folders, namely babis and Administrator.

Upon navigating the folders in babis, we finally get the user flag.

After that, we navigate into the Administrator folder to check whether it contains the root file.

Yipeeee!! We finally get the root flag.

Hurray!!! The machine is pwned.
