Try โ€‚โ€‰HackMD
tags: hackthebox tutorials Devel CTF hacking easy

DEVEL

The Devel box was also simple windows box in which we find FTP listening o port 21 which has anonymous login allowed that allows us to put file on the server. The ftp files were on hosted by web service IIS 7 port 80. We place a aspx shell through ftp get RCE then do privesc on windows 7 box with MS15-051.

Nmap Scan

we will run a nmap scan to find all the open ports on the sever, to do run the following command.

namp -sC -sV -oN nmap/devel 10.10.10.5

which get us the following output,

# Nmap 7.80 scan initiated Tue Mar 17 20:25:42 2020 as: nmap -sC -sV -oN nmap/devel 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.35s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 17 20:28:17 2020 -- 1 IP address (1 host up) scanned in 154.73 seconds

we see FTP and Web Server on port 80 is open. Since anonymous login is allowed on ftp lets start from there.

FTP

Using the ftp command, we login with username anonymous and password anything to view the files.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Since we have write permissions on the server, (can be test by uploading any file on it with put command), lets upload a aspx shell to get RCE.

put shell.aspx

which gave us, the RCE as follows

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Privilege Escalation

Upgraded the RCE to a full meterpreter shell with hat manual exploit. found this from systeminfo

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Ran Sherlock.ps1 to find relevant exploits, found MS15-051 to be working to give root exploit. Used binary available from here . Which gave us the system shell.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Last changed by 
โ€‰
duckie
i hack whatever i can
0
193

Read more

WriteUp for CodeFest

These will include the challenges I was able to do in the last 2 hours of the 24 hour ctf @ CodeFest 2021. I was able to solve the entire pwn category which was easy and beginner friendly and one forensics challenge which was very practical and straight-forward. Pwn Category C is Hard Download files from here This was the first challenge which has stack overflow vulnerability and the goal was to overflow the buf and call a hidden function called print_flag. Let&apos;s start by analyzing the function in radare2. r2 -R&apos;stdin=input.txt&apos; ./source_fixed.

May 14, 2021
Start from Pwnable.tw

Points: 100 This is the writeup for the challenge start from pwnable.tw. This is the very first challenge on the website and a simple one for that matter. There is a simple buffer overflow on the binary but no jmp to esp gadget, so we need to create a rop chain to find the address of esp and then jmp to it in order to make the binary execute our shellcode. That being said let&apos;s get started. Analyzing the binary We can download the binary from the site and throw it in gdb to get a closer look. gdb ./start

May 14, 2021
flag From Pwnable.kr

Category : Toddler&apos;s Bottle The challenge flag was of reverse engineering category. Reverse Engineering is a handy skill to have while pwning binaries. The challenge gives only a binary and which mentions that it has allocated a malloc and saved the flag in that. So let&apos;s start the challenge. Let&apos;s read the prompt and download the important files to our box. wget http://pwnable.kr/bin/flag chmod +x flag Dry Run Let&apos;s give the binary a dry run and see what happens.

May 14, 2021
bof From Pwnable.kr

Category : Toddler&apos;s Bottle The third challenge from the pwnable.kr is the bof. But the twist here is , it&apos;s not vanilla bof that we see everywhere. The vanilla bof is simple: we overflow the buffer, overwrite the eip and then make it execute the payload. Here we need to overwrite a specific variable in order to gain command execution on the server. So let&apos;s get started. Setup GDB I will be using the gdb debugger with peda extension to exploit this challenge. So you can install gdb from your linux repositories and download peda from here. Let&apos;s start by reading the challenge prompt and download the important files to our box. wget &quot;http://pwnable.kr/bin/bof&quot; wget &quot;http://pwnable.kr/bin/bof.c&quot;

Sep 1, 2020
Read more from duckie
Published on HackMD