
HTB Windows Easy: Devel

Devel is an Easy rated Windows machine on HTB.

Nmap

[Screenshot: Nmap scan output]

Initial Foothold

Enumerating FTP (port 21)

Anonymous login is allowed.

Retrieve all files.

Nothing interesting can be found in the files, and directory busting doesn’t give us any interesting results either. Maybe we can upload files via FTP?

Now we can set up a nc listener and try to execute the file by visiting /shell.aspx.

Our nc listener turned into a shell.
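The foothold above leaves a correlatable trace in the server's logs: an anonymous FTP upload of an executable script, followed by an HTTP request for the same path. The detection logic below is an added example, not part of the original post. It assumes W3C extended-format logs with a `#Fields:` header and an FTP root that maps to the web root; the log lines and IP addresses are constructed.

```python
from datetime import datetime, timedelta

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")  # extensions IIS will execute

# Constructed sample logs (not from the original post); field layout is assumed.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-07-14 18:01:02 10.10.14.5 anonymous STOR /notes.txt 226
2024-07-14 18:02:10 10.10.14.5 anonymous STOR /shell.aspx 226
2024-07-14 18:03:00 10.10.14.9 webadmin STOR /default.aspx 226
2024-07-14 18:04:00 10.10.14.5 anonymous STOR /denied.aspx 550
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-07-14 18:02:45 10.10.14.5 GET /shell.aspx 200
2024-07-14 18:05:00 10.10.14.7 GET /default.aspx 200
2024-07-14 19:30:00 10.10.14.5 GET /denied.aspx 404
"""

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def find_upload_then_execute(ftp_text, http_text, window=timedelta(minutes=30)):
    """Return (path, upload_time, request_time, client_ip) for every script that an
    anonymous FTP session stored successfully and that was then requested over
    HTTP within `window` of the upload."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        if (r["cs-method"].upper() in ("STOR", "STOU", "APPE")
                and r["sc-status"] == "226"  # transfer completed
                and r["cs-username"].lower() in ("anonymous", "ftp")
                and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)):
            uploads[r["cs-uri-stem"].lower()] = r["ts"]  # keep the latest upload
    hits = []
    for r in parse_w3c(http_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up is not None and timedelta(0) <= r["ts"] - up <= window:
            hits.append((r["cs-uri-stem"], up, r["ts"], r["c-ip"]))
    return hits

if __name__ == "__main__":
    for path, up, req, ip in find_upload_then_execute(FTP_LOG, HTTP_LOG):
        print(f"ALERT {path}: anonymous FTP upload {up}, HTTP request {req} from {ip}")
```

The underlying fix is configuration: anonymous FTP should not have write access to a directory the web server executes scripts from.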

Priv Esc

Retrieve and compile the exploit (follow the Exploit-DB guide).

Start a Python webserver and get the file on the target host using PowerShell.

Run the Python webserver on port 8000.

Run the exploit to catch a privileged administrator reverse shell.

We now have a privileged shell as the NT AUTHORITY\SYSTEM user.

User.txt

[Screenshot: user.txt]

Root.txt

[Screenshot: root.txt]

You have PWNED!!!


This post is licensed under CC BY 4.0 by the author.