Today we’re going to solve the retired HackTheBox machine DEVEL.
Devel is a Windows machine.
Now, without wasting much time on theory, let’s get hands-on.
Step 1: nmap scan
nmap -sC -sV -vv 10.10.10.5
Only 2 ports are open: 21 and 80.
Port 80 serves the IIS home page.
Port 21 allows anonymous login.
We can now upload any file to the directory using the put command.
Through this FTP service we will upload an ASPX reverse shell and use it to get a reverse shell.
First, set up a netcat listener on whatever port you like. I am using 5578 here.
Then, using Insomniashell.aspx, let’s get a reverse shell.
Let’s go back to our listener.
Okay so we have our shell.
Now let’s get some details about the Windows machine.
For this, use the “systeminfo” command.
Now, let’s see what privileges our shell has.
We need privilege escalation to get a complete hold on the machine.
From the System info above we know that the OS Version is 6.1.7600 N/A Build 7600.
Let’s search for some exploit for this OS version.
A quick search will give you the exploit.
Download the exploit; it will be a “.c” file.
Now we need to cross-compile it to an exe so we can execute it on the machine.
For that we need mingw.
If you have it already, cool. Otherwise, you can install it with a very simple command.
apt install mingw-w64
Now, let’s compile the C exploit into an executable that will run on our compromised machine.
i686-w64-mingw32-gcc 40564.c -o newshell.exe -lws2_32
Now let’s send the file to the machine, again using FTP.
Cool, now the execution part.
Now go get the flag.
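
For defenders: both uploads in this walkthrough (the ASPX shell and the compiled exe) go through the anonymous FTP service, so they leave entries in the FTP server's log. The sketch below is an added example, not part of the original write-up; it flags successful uploads of server-executable file types in a W3C extended-format log. The field names, the extension list and the sample log lines are assumptions constructed for illustration.

```python
"""Flag successful FTP uploads of server-executable files (added example)."""
from pathlib import PurePosixPath

# Assumed list of file types that are dangerous when written under a web root.
EXECUTABLE_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".config", ".exe"}
ANON_USERS = {"anonymous", "ftp"}
UPLOAD_CMDS = {"STOR", "STOU", "APPE"}  # FTP commands that write a file

# Constructed sample log; all addresses are from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 203.0.113.7 - 192.0.2.10 21 USER anonymous 331
2024-01-01 10:00:02 203.0.113.7 anonymous 192.0.2.10 21 PASS *** 230
2024-01-01 10:00:09 203.0.113.7 anonymous 192.0.2.10 21 STOR /readme.txt 226
2024-01-01 10:00:15 203.0.113.7 anonymous 192.0.2.10 21 STOR /shell.ASPX 226
2024-01-01 10:00:20 203.0.113.7 anonymous 192.0.2.10 21 STOR /denied.aspx 550
2024-01-01 10:05:00 198.51.100.4 deploy 192.0.2.10 21 STOR /app/default.aspx 226
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or odd records
                yield dict(zip(fields, values))

def suspicious_uploads(text):
    """Return successful uploads whose extension is server-executable."""
    findings = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() not in UPLOAD_CMDS:
            continue
        if not rec.get("sc-status", "").startswith("2"):  # 2xx = completed
            continue
        path = rec.get("cs-uri-stem", "")
        ext = PurePosixPath(path.replace("\\", "/")).suffix.lower()
        if ext in EXECUTABLE_EXTS:
            user = rec.get("cs-username", "-")
            severity = "high" if user.lower() in ANON_USERS else "review"
            findings.append({"time": f"{rec['date']} {rec['time']}", "src": rec["c-ip"],
                             "user": user, "path": path, "severity": severity})
    return findings

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_LOG):
        print(hit)
```

The durable fix is to disable anonymous write access and keep the FTP root separate from the web root; the log check only shows that an upload like this has already happened.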