AdSense
Thursday, January 10, 2019
Devel
DEVEL
- Layout for this exercise:
1 - INTRODUCTION
- The goal for this exercise is to develop a hacking process for the vulnerable machine Devel, what is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Devel's IP is 10.10.10.5:
- Scanning with Nmap:
- Scanning deeper port 21 we discover that Devel allows FTP anonymous connections:
- Checking the FTP server with the browser:
3 - EXPLOITATION
- Because the FTP server allows anonymous connections we can upload a malicious reverse shell file from our attacking machine.
- Creating a reverse Meterpreter exploit myshell.aspx with Msfvenom:
- Connecting with FTP:
- Transferring myshell.aspx:
- The transfer is successful:
- Setting a Meterpreter listener:
- Running myshell.aspx:
- As a consequence of running the exploit a successful Meterpreter session is achieved:
- Getting information about the system, current user and folder:
4 - PRIVILEGE ESCALATION
- When trying to browse around the system the access to Users' folders is denied:
- So what we need is to perform a Privilege Escalation process.
- Let's follow two ways to achieve that goal.
4.1 - MS11-046 vulnerability
- Getting a shell:
- systeminfo shows that Devel has never been patched:
- Looking for an exploit to take advantange of that vulnerability:
- Dowloading the exploit 40564.c:
- Following instructions to cross-compile the exploit:
- In case mingw-w64 is not already installed:
- Cross-compiling:
- Transferring from Kali to Devel using the FTP service:
- The transfer is successful:
- Trying to run 40564.exe locally at Devel, however it fails:
- Why? Because the FTP transfer from Kali to Devel was performed into ASCII mode (by default), not into Binary mode. For further information:
https://library.panic.com/transmit/transmit5/transfer-mode/
- Now, let's rename the file and transfer it using the Binary option:
- Running 40564_binary.exe the Privilege Escalation is finally successful:
4.2 - MS10_015 vulnerability
- Backgrounding the Meterpreter session:
- Searching for a exploit with local_exploit_suggester and setting Session 1:
- This one seems interesting:
- This exploit is based on the Microsoft MS10_015 vulnerability:
- Using this exploit, setting Session 1 as parameter and running:
- However it doesn't work, and the reason is clear, it has taken by default LHOST 192.168.1.19 what is not the IP used by Kali to connect to the Hack the Box VPN.
- Changing LHOST to 10.10.14.8 now it works, and we get a 2nd Meterpreter session:
- Eventually the user has got System privileges:
5 - CAPTURING THE FLAGS
- Reading the 1st flag user.txt.txt:
- Decrypting user.txt.txt:
- Reading the 2nd flag root.txt.txt:
- Decrypting root.txt.txt: