HackTheBox Optimum walkthrough

Starting with nmap

Port 80 is running HFS. If we try to log in, we get an unauthorized error. The following is the screenshot.

hackthebox – optimum – unauthorized

Using searchsploit to check whether there are any vulnerabilities related to HFS

Cloning one with Remote Command Execution

There are two things we should do before running the above Python script. First, change the IP address and port. Second, copy nc.exe to the current directory and start a Python HTTP server.

Then run the script

We will get a shell

For privilege escalation, we can gather some information using the systeminfo command

We can save the output to a file and run it against Windows Exploit Suggester.

After this, we will see a few suggestions. Among them, I like MS16-032.
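The same systeminfo output is what a defender audits to confirm that the update a bulletin such as MS16-032 names is installed. The following is an added example, not part of the original walkthrough or of Windows Exploit Suggester: it parses the Hotfix(s) section and reports which required KB ids are absent. The sample output, host name and all KB ids are constructed placeholders; take the real KB id for the host's OS from the Microsoft bulletin.

```python
import re

# Constructed sample of `systeminfo` output; host name and KB ids are made up.
SAMPLE = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
"""

def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level 'Key: value' pairs and installed KB ids."""
    fields, hotfixes, current = {}, set(), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented lines continue the previous field; only the
            # "[NN]: KBxxxxxxx" entries under Hotfix(s) are of interest.
            m = re.match(r"\s+\[\d+\]:\s*(KB\d+)", line, re.IGNORECASE)
            if current == "Hotfix(s)" and m:
                hotfixes.add(m.group(1).upper())
        else:
            key, sep, value = line.partition(":")
            if sep:
                current = key.strip()
                fields[current] = value.strip()
    return fields, hotfixes

def missing_updates(text, required_kbs):
    """Return the required KB ids that the Hotfix(s) list does not contain."""
    _, installed = parse_systeminfo(text)
    return sorted({kb.upper() for kb in required_kbs} - installed)

if __name__ == "__main__":
    fields, installed = parse_systeminfo(SAMPLE)
    print(fields["OS Name"], "/", fields["System Type"])
    # KB9999999 is a placeholder for the update a bulletin names for this OS.
    print("missing:", missing_updates(SAMPLE, ["KB0000002", "KB9999999"]))
```

A KB reported as missing can still be covered by a later update that supersedes it, so treat the result as a prompt to check the host's update history rather than as proof that it is unpatched.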

We will use PowerShell here. For this, we first need to clone the Empire and nishang GitHub repos.

Copy Invoke-MS16032.ps1 from Empire…

…and paste the following at the end of the file

As you can see, the above line will call shell.ps1, so copy Invoke-PowerShellTcp.ps1 and rename it to shell.ps1

Append the following at the end of the file

We will serve these files using the previous Python HTTP server. Put these files in the same folder from which we ran the Python HTTP server.

Now, from the previous shell, download the file Invoke-MS16032.ps1. I have to use wget.vbs here.

Listen on port 4444 for the shell

It is necessary to use 64-bit PowerShell. If you use only the PowerShell command, the 32-bit version will be loaded and you will not get the shell back as “nt authority”. To use 64-bit PowerShell, use the full path. Just to be clear, if you are using 32-bit PowerShell, you will get an error as follows:

Let’s continue

In another window, we got the shell
