Devel – HackTheBox

by

jdksec
in

Devel – 10.10.10.5

Target Enumeration:

OS: Windows

IP: 10.10.10.5

User: 9ecdd6a3aedf24b41562fea70f4cb3e8

Root: e621a0b5041708797c4fc4728bc72b4b

Ports / Services / Software Versions Running

Copy

21/tcp open  ftp Microsoft ftpd
80/tcp open  http Microsoft IIS httpd 7.5

Vulnerability Exploited:

Anonymous ftp upload to web root with aspx shell

Privilege Escalation:

windows/local/ms10_015_kitrap0d

This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

Exploiting the host:

Nmap

Anonymous login allowed.

Upload a test file to see if it is executed

Test to see if file is accessible remotely:

Now generate and an aspx shell.

Open msfconsole and set a listener.

Upload vdk.aspx via anonymous ftp

Request the file with curl

Watch your listener spawn a shell.

Enumerate the system for privesc opportunities with local exploit suggester.

Use windows/local/ms10_015_kitrap0d

Execute the exploit

Check we have system access

Collect the flags: