HackTheBox Devel walkthrough

Start the hack with nmap

Check if we have anonymous access or not.

Nice, we have anonymous access. Next, check whether we can write there or not. I have already tested this and it came back positive.

HTTP shows the server has IIS installed.

We can upload an ASPX webshell over FTP and try to access it over HTTP. Kali already has a webshell.

aspx webshell
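
A defender-side view of this same sequence, as an added example that is not part of the original walkthrough: it reads W3C-format FTP and HTTP logs and flags an anonymous FTP upload of a server-executable file that is later requested over HTTP. The log lines are constructed, and the code assumes the FTP root and the web root are the same directory, that anonymous sessions are logged with the username `anonymous`, and that both logs carry the columns named in their `#Fields` headers.

```python
# Added example: log lines are constructed; columns are read from each #Fields header.
import posixpath

SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".exe"}
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 10:01:02 192.0.2.10 anonymous STOR /welcome.png 226
2024-01-10 10:02:15 192.0.2.10 anonymous STOR /upload1.aspx 226
2024-01-10 10:03:40 192.0.2.44 ftpadmin STOR /default.aspx 226
2024-01-10 10:04:05 192.0.2.10 anonymous STOR /tool.exe 550
"""
HTTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 10:02:31 192.0.2.10 GET /upload1.aspx 200
2024-01-10 10:05:00 198.51.100.7 GET /default.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def anonymous_script_uploads(ftp_text):
    """Successful (2xx) anonymous STOR of a file type the web server may execute."""
    hits = []
    for r in parse_w3c(ftp_text):
        ext = posixpath.splitext(r["cs-uri-stem"].lower())[1]
        if (r["cs-method"].upper() == "STOR" and r["sc-status"].startswith("2")
                and r["cs-username"].lower() == "anonymous" and ext in SCRIPT_EXT):
            hits.append(r)
    return hits

def uploaded_then_requested(ftp_text, http_text):
    """Flag uploads that were later requested over HTTP at the same path."""
    alerts = []
    for up in anonymous_script_uploads(ftp_text):
        for req in parse_w3c(http_text):
            same_path = req["cs-uri-stem"].lower() == up["cs-uri-stem"].lower()
            later = (req["date"], req["time"]) >= (up["date"], up["time"])
            if same_path and later:
                alerts.append((up["cs-uri-stem"], up["c-ip"], req["c-ip"], req["time"]))
    return alerts

if __name__ == "__main__":
    print(uploaded_then_requested(FTP_LOG, HTTP_LOG))
```

The underlying fix is configuration rather than detection: disable anonymous write access and keep the FTP root out of any directory that IIS serves and executes.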

We can now execute any Windows command from here. Let’s get a shell using nc and powercat.

To get powercat, download it from GitHub.

Now start a web server locally so that we can upload it to Devel.

Also, make sure you listen for the reverse shell.

Now, enter the following command through the webshell (over HTTP):

You should get a shell.

Nice, we got a low-priv shell.

To root

To escalate privileges, we can do manual enumeration or use Windows Exploit Suggester. I used the latter.

Download it from GitHub.

In the low-priv shell, run the following command to get the system details.

Nice! Save the output as systeminfo.txt.

We can now use Windows Exploit Suggester as below:

Great! We see a few priv esc vulnerabilities. In the tool's output, [E] marks an entry with an Exploit-DB PoC and [M] marks one with a Metasploit module. We can try a few. I will try some of [E], feel free to use [M].

At first, I tried MS11-011, which didn’t work for me. Therefore, I tried the next one, MS10-059.

You can get the pre-compiled binary from https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe or you can compile it on your Kali machine using mingw32. I used the pre-compiled one.

Download the binary and upload it using FTP. Make sure to set binary mode when uploading the exe file.

Before we execute it, we need to listen on a port for the shell.

Run it from the previous low-priv shell.

You will get a high-priv shell.

If you wish you can read the flags now:
