Metasploitless Devel

jdwhitak

PDF with images: https://jdwhitaker.github.io/static/devel.pdf

The Devel box is great beginner-level challenge. The official walkthrough uses Metasploit. The box hinges on an unrealistic configuration issue where the FTP root is the same as the web root, and anonymous users may upload to the server. We leverage an ASPX web shell to gain a full reverse shell. Identifying the system architecture reveals it may have the privilege escalation vulnerability described in MS11-046. This proves to be true, as executing the binary yields full system access on the machine.

Methods

Initial Reconnaissance: Port Scanning

We nmap the target IP address with the default top ports, performing version scanning (-sV) and default script scanning (-sC).

We find that anonymous FTP login is allowed, and that the server is a Windows machine running IIS 7.5. We also find that the FTP root appears to be the same as the web root. After searching “IIS 7.5 asp” on the web, we find that classic ASP is not installed by default on IIS 7.0 and above. This indicates the server likely supports ASPX instead.

Web Shell

We upload the ASPX web shell and Windows netcat binary included with Kali.
We will use netcat to connect back to our machine for a standard reverse shell.

Upgrading to a Reverse Shell

We use our web shell to identify the location of the netcat binary we uploaded through ftp.
We run a netcat reverse shell back to our local machine.

Additional Reconnaissance: System Information

The OS Versions is 6.1.7600 N/A Build 7600.

Privilege Escalation

Searching “6.1.7600 N/A Build 7600 privilege escalation” online results in an exploit at https: //www.exploit-db.com/exploits/40564. This exploits the vulnerability described in MS11-046.
We search for MS11-046 with searchsploit, compile the exploit we find [1] [2], and upload it to the remote target.
We execute the binary and gain system access.

Loot

We search for the flag files and print them.

mcruz

Nice, thanks.

Ir0nGe3ks

Question.. when using the "Execute" command in the web browser...

Is it typed as entire directory of the uploaded nc.exe? Below example:

C:\inetpub\wwwroot\nc.exe -e cmd

Because when I did this, it didn't work... because shell back to the machine didn't catch anything....

sparkla

This machine is problematic. I wasted a lot of time now trying to manually exploit it as part of OSCP prep. No matter what exe I tried to run I get

"This program cannot be run in DOS mode".

I know it's a 32bit Windows 7 but I can't run anything, nc.exe, Kitrap0d or any other privesc. Even launching powershell hangs without further notice.

I reset the box but still nothing. Gonna try metasploit now but I really would have liked to know the underlying issues here.

sparkla

https://medium.com/@ranakhalil101/hack-the-box-devel-writeup-w-o-metasploit-88cc812794f1

This doesn't work (anymore maybe?)

sparkla

Metasploit also hangs on "Sending Stage 1"

This machine is broken.

sparkla

BUMP, hoping some creator can take a look at this box.

gunroot

@sparkla. It's good to share here. Rana Khalil from Medium really doing good job on making write-ups without msf. It's great for learning and understanding how public exploits work.

sparkla

Is the box now fixed?

Alphazor

Hello guys, I'm bumping this ( and created this forum account lol ) just to tell you that the box isn't broken.

When u're sending a binary file via FTP don't forget to turn binary mode ON

Hope this help you all and have a great day