hackthebox

So a while back I signed up for hackthebox. Actually, like a year ago I remember trying to go through the challenge to get an account and wasn’t able to. Back then I had done a little bit in Burp Suite but really didn’t know what I was doing. Since then, I’ve learned a lot more.

Anyway, I signed up about 2 months ago which was the same time I signed up for 2 months of tryhackme. Since I’ve done 2 months of tryhackme, I’ve decided to switch to hackthebox and pay for access to the retired boxes. I’ve done this because I started to go through The Cyber Mentor’s Practical Ethical Hacking course on Udemy. So far it’s been great and I like the way he explains things.

There is a mid-course capstone as part of the course, which is where he goes over some of the retired boxes on hackthebox. I started them a few days ago and have gone through 4 boxes so far. Most of the time I am able to figure them out on my own, but I needed a bit of a nudge on Devel. It was the one where I had anonymous FTP write access and could see that it was uploading to the webroot folder of an IIS 7.5 server, and I knew that I needed to upload something to get a reverse shell, but wasn’t sure how to accomplish that. Turns out, it was with an .aspx file generated with msfvenom.
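Seen from the defending side, an anonymous FTP upload of a script the web server will execute is visible in the FTP service log. The sketch below is an added example, not part of the original post: it flags successful anonymous `STOR` commands for server-executable extensions, and the log lines, field layout, and extension list are constructed assumptions.

```python
# Added example: flag server-executable files uploaded over anonymous FTP.
# Extension list and anonymous account names are assumptions; tune per server.
EXECUTABLE_EXTS = (".aspx", ".asp", ".ashx", ".asmx")
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample in W3C extended log format. The column order is an
# assumption; the parser takes it from the #Fields directive in the log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-05-01 10:01:02 192.0.2.10 - USER anonymous 331
2020-05-01 10:01:02 192.0.2.10 anonymous PASS *** 230
2020-05-01 10:01:09 192.0.2.10 anonymous STOR /notes.txt 226
2020-05-01 10:01:15 192.0.2.10 anonymous STOR /upload.aspx 226
2020-05-01 10:02:40 192.0.2.22 webadmin STOR /default.aspx 226
2020-05-01 10:03:11 192.0.2.10 anonymous STOR /page.ASP 550
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def suspicious_uploads(text):
    """Return (date, time, client IP, path) for each completed anonymous
    upload whose name ends in a server-executable extension."""
    hits = []
    for rec in parse_w3c(text):
        if (rec.get("cs-method", "").upper() == "STOR"
                and rec.get("cs-username", "").lower() in ANON_USERS
                and rec.get("sc-status", "").startswith("2")  # 2xx = success
                and rec.get("cs-uri-stem", "").lower().endswith(EXECUTABLE_EXTS)):
            hits.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_LOG):
        print("ALERT anonymous upload of executable content:", *hit)
```

The underlying fix is configuration rather than detection: do not give anonymous FTP users write access, and do not point an FTP root at a directory the web server executes scripts from.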

Since then, I did a little bit more on that box and found out there are multiple ways to get system access. Once you get a low-level meterpreter shell, run the exploit suggester on the session that has your shell. It turns out that there are a handful of ways to get Admin access on this machine:

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 34 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable. [ Doesn't appear to work ]
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated. [ Appears to work ]
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable. [ Doesn't appear to work ]
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable. [ Appears to work ]
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable. [ Appears to work ]
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. [ Appears to work ]
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated. [ Doesn't appear to work ]
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. [ Appears to work ]
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.  [ Doesn't appear to work ]
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.  [ Doesn't appear to work ]
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.  [ Appears to work ]
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable. [ Appears to work ]

At a later time, I’d like to go through and run these manually to get a better feel for how they work. That being said, it was fun to work through each of these in metasploit. I’m sure that there are other services that can be discovered, but I am pleased with my progress and with not being happy with just the one path to root.

While I don’t have any points on htb yet since I’ve only done 4 of the retired machines, here’s a link to my profile:
